malware took over my computer

After checking in Google, that BigSeekPro thing got installed after installation of the add-on IMTOO in Firefox. The thing is, I did not install any of them...
So I am being used!!!! Big time...
 
Not sure about the keyboard icon. Did this happen prior to us fixing your computer, or after one of the fixes?


Open up Internet Explorer and go to Tools > Manage Add-ons and look through there for BigSeekPro, click on it to highlight it and select Disable

Open up Firefox and go to Tools > Add-ons and do the same thing

Then do this

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}
    IE - HKU\S-1-5-21-967964055-2490943435-3194060227-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}
    FF - prefs.js..keyword.URL: "http://www.bigseekpro.com/search/toolbar/anyvideo2dvd/{5BC4B17D-66A1-4F00-BE33-AF17ECDA68F1}?q="
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Java Plug-in 1.5.0_06)
    [2011-04-28 09:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Toolbar4
    [2011-04-21 03:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Toolbar4
    [2011-04-21 03:22:48 | 000,000,000 | ---D | C] -- C:\Program Files\Any Video To DVD DB Toolbar
    
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /release /c
    ipconfig /renew /c
    ipconfig /flushdns /c
    
    
    
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <-- Not Run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces.
  • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
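The OTL lines the fix above targets all follow a fixed shape, so a quick triage pass over a log can pull out the same indicators before anyone writes a fix: an IE start page pointing at an unexpected host, a Firefox keyword.URL override, a toolbar registration with no CLSID behind it, a stale Java DPF entry, and toolbar folders on disk. The Python script below is an added example, not part of OTL or this thread; the trusted-host list, the "current Java" version (taken from the 1.6.0_22 entries in the later log) and the helper names are assumptions, and the sample lines are excerpted from the fix script above.

```python
"""Triage pass over OTL-format log lines (added example, not part of OTL or this thread)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed sample: lines excerpted from the OTL fix script posted above,
# plus one benign Firefox homepage line from the post-fix log.
SAMPLE = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/anyvideo2dvd/{72451267-22A7-4C23-9DCE-A7E772A37893}
FF - prefs.js..keyword.URL: "http://www.bigseekpro.com/search/toolbar/anyvideo2dvd/{5BC4B17D-66A1-4F00-BE33-AF17ECDA68F1}?q="
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - No CLSID value found.
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Java Plug-in 1.5.0_06)
[2011-04-21 03:22:48 | 000,000,000 | ---D | C] -- C:\Program Files\Any Video To DVD DB Toolbar
"""

# Assumption: hosts the user is known to use as home/search pages.
TRUSTED_HOSTS: Set[str] = {"www.google.ca", "www.google.com"}
# Assumption: the Java release actually installed (the later log shows 1.6.0_22 DPF entries).
CURRENT_JAVA: Tuple[int, ...] = (1, 6, 0, 22)

# Line shapes as they appear in OTL logs (hypothetical helper names).
RE_IE = re.compile(r"^IE - (?P<key>.+?),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
RE_FF = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<data>[^"]*)"$')
RE_O3 = re.compile(r"^O3 - (?P<key>.+?): \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<status>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?P<url>\S+) \((?P<desc>[^)]*)\)$")
RE_FILE = re.compile(r"^\[(?P<ts>[^|]+?) \| (?P<size>[^|]+?) \| (?P<attrs>[^|]+?) \| (?P<op>[CM])\] -- (?P<path>.+)$")
RE_JAVA_VER = re.compile(r"Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)")


@dataclass
class Finding:
    kind: str    # short category label
    detail: str  # the value that triggered the finding
    line: str    # the original OTL line


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def parse_java_version(desc: str) -> Optional[Tuple[int, ...]]:
    """'Java Plug-in 1.5.0_06' -> (1, 5, 0, 6); None if no version is present."""
    m = RE_JAVA_VER.search(desc)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(lines: Iterable[str], trusted_hosts: Set[str],
           current_java: Tuple[int, ...] = CURRENT_JAVA) -> List[Finding]:
    """Walk OTL lines and return the indicators a helper would want to look at."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RE_IE.match(line)
        if m:  # IE start page set to a host outside the trusted list
            data = m.group("data").strip()
            if m.group("value").strip() == "Start Page" and data and host_of(data) not in trusted_hosts:
                findings.append(Finding("ie-start-page", host_of(data), line))
            continue
        m = RE_FF.match(line)
        if m:  # Firefox search keyword or homepage pointed elsewhere
            pref, data = m.group("pref"), m.group("data")
            if pref in ("keyword.URL", "browser.startup.homepage") and data and host_of(data) not in trusted_hosts:
                findings.append(Finding("ff-" + pref, host_of(data), line))
            continue
        m = RE_O3.match(line)
        if m and "No CLSID value found" in m.group("status"):  # toolbar entry with no backing COM class
            findings.append(Finding("orphan-toolbar", m.group("clsid"), line))
            continue
        m = RE_O16.match(line)
        if m:  # Downloaded Program File (ActiveX) older than the installed Java
            ver = parse_java_version(m.group("desc"))
            if ver and ver < current_java:
                findings.append(Finding("stale-java-dpf", m.group("desc"), line))
            continue
        m = RE_FILE.match(line)
        if m and m.group("attrs").endswith("D"):  # directory entry whose name says "toolbar"
            if "toolbar" in m.group("path").rsplit("\\", 1)[-1].lower():
                findings.append(Finding("toolbar-folder", m.group("path"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines(), TRUSTED_HOSTS):
        print(f"[{f.kind}] {f.detail}")
```

Each finding keeps the original line so it can be pasted straight into an OTL :OTL section for review, which is exactly how the fix above was built.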
 
I think the keyboard icon went away after one of the fixes...

I am doing the backup of the registry and the scan.
The logs are coming next.
 
Ken545, I have a question:

I disabled IE as my main internet browser. The problem is I can't find it anymore to go delete the add-on...
How and where can I find the IE icon to start Internet Explorer?
 
"I disable IE as my main internet browser."

I don't think I am following you, I did not say to disable IE, just BigSeekPro in the Add-ons tab

Just go ahead and run the OTL fix
 
I just checked IE add-ons, I don't see BigSeekPro there either.
I just realized that I have a program named "Any Video to DVD".
I think I never installed that program. It's really suspicious because I don't convert video to DVD.

I am running the scan, but what do I do about BigSeekPro?
 
Here is the OTL log after the Run Fix with the code

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\S-1-5-21-967964055-2490943435-3194060227-1006\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Prefs.js: "http://www.bigseekpro.com/search/toolbar/anyvideo2dvd/{5BC4B17D-66A1-4F00-BE33-AF17ECDA68F1}?q=" removed from keyword.URL
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{338B4DFE-2E2C-4338-9E41-E176D497299E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{338B4DFE-2E2C-4338-9E41-E176D497299E}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{338B4DFE-2E2C-4338-9E41-E176D497299E} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{338B4DFE-2E2C-4338-9E41-E176D497299E}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
C:\Documents and Settings\NetworkService\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E} folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Toolbar4 folder moved successfully.
C:\Documents and Settings\NICOU\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\include_files folder moved successfully.
C:\Documents and Settings\NICOU\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\cache folder moved successfully.
C:\Documents and Settings\NICOU\Application Data\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E} folder moved successfully.
C:\Documents and Settings\NICOU\Application Data\Toolbar4 folder moved successfully.
C:\Program Files\Any Video To DVD DB Toolbar folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
Ethernet adapter Wireless Network Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\NICOU\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\NICOU\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
Ethernet adapter Wireless Network Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : no-domain-set.bellcanada
IP Address. . . . . . . . . . . . : 192.168.2.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
C:\Documents and Settings\NICOU\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\NICOU\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\NICOU\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\NICOU\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 245894 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1259 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1513 bytes

User: NICOU
->Temp folder emptied: 1616 bytes
->Temporary Internet Files folder emptied: 76804 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 48086617 bytes
->Flash cache emptied: 582 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 103141376 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 907986 bytes

Total Files Cleaned = 145,00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05082011_164823

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
New OTL log after reboot and fix

OTL logfile created on: 2011-05-08 16:56:16 - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\NICOU\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 76,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 92,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35,01 Gb Total Space | 17,86 Gb Free Space | 51,01% Space Free | Partition Type: NTFS
Drive D: | 8,26 Gb Total Space | 1,25 Gb Free Space | 15,10% Space Free | Partition Type: FAT32
Drive F: | 19,53 Gb Total Space | 17,97 Gb Free Space | 91,98% Space Free | Partition Type: NTFS
Drive G: | 47,97 Gb Total Space | 13,82 Gb Free Space | 28,81% Space Free | Partition Type: NTFS

Computer Name: MOHICAN | User Name: NICOU | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\NICOU\Desktop\OTL.exe (OldTimer Tools)
PRC - F:\Programmes\Alcohol 52\StarWind\StarWindServiceAE.exe (StarWind Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\Mctray.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe (Hewlett-Packard )
PRC - C:\Program Files\HPQ\shared\HpqToaster.exe ()
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\NICOU\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (StarWindServiceAE) -- F:\Programmes\Alcohol 52\StarWind\StarWindServiceAE.exe (StarWind Software)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (MA_CMIDI_InstallerService) -- C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe ()
SRV - (MSSQL$SONY_MEDIAMGR) -- G:\Sony\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SQLAgent$SONY_MEDIAMGR) -- G:\Sony\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (epmntdrv) -- C:\WINDOWS\system32\epmntdrv.sys ()
DRV - (EuGdiDrv) -- C:\WINDOWS\system32\EuGdiDrv.sys ()
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (McAfee, Inc.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWATI) -- C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)
DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)
DRV - (MA_CMIDI) -- C:\WINDOWS\system32\drivers\ma_cmidi.sys (M-Audio)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (RDID1044) -- C:\WINDOWS\system32\drivers\rdwm1044.sys (Roland Corporation)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)
DRV - (Cubase32) -- C:\WINDOWS\System32\drivers\Cubase32.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-04-29 02:18:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011-04-02 03:01:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Extensions
[2011-04-28 23:43:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Firefox\Profiles\mtc5e0vx.default\extensions
[2011-04-28 23:43:08 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Firefox\Profiles\mtc5e0vx.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2011-04-21 13:39:04 | 000,002,382 | ---- | M] () -- C:\Documents and Settings\NICOU\Application Data\Mozilla\Firefox\Profiles\mtc5e0vx.default\searchplugins\search.xml
[2011-04-02 20:51:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011-04-02 20:51:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2011-04-02 20:51:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011-04-29 02:18:39 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010-01-01 05:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011-05-08 16:48:53 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Blue Sonic.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Blue Sonic.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001-07-28 02:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011-05-08 16:46:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Desktop\2011-05-08
[2011-05-08 16:30:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Desktop\Erunt
[2011-05-07 21:53:38 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\NICOU\Desktop\OTL.exe
[2011-05-07 21:52:55 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011-05-07 20:26:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011-05-07 15:29:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011-05-07 15:29:00 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2011-05-07 15:28:46 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011-05-07 15:28:12 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2011-05-07 15:28:12 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2011-05-07 15:28:12 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2011-05-07 15:28:12 | 000,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2011-05-07 15:28:12 | 000,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2011-05-07 15:28:12 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2011-05-07 15:28:11 | 000,000,000 | ---D | C] -- C:\ce10f287d9ee23a3100d2f7320fdee
[2011-05-07 15:10:41 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\NICOU\Desktop\ATF-Cleaner.exe
[2011-05-06 16:15:17 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\NICOU\Desktop\aswMBR.exe
[2011-05-02 16:29:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011-05-02 16:28:44 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\NICOU\Desktop\esetsmartinstaller_enu.exe
[2011-05-02 16:07:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2011-04-29 20:45:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011-04-29 20:41:53 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011-04-29 20:41:53 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011-04-29 20:41:53 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011-04-29 20:41:53 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011-04-29 20:41:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011-04-29 20:40:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011-04-29 18:43:10 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\NICOU\Desktop\TDSSKiller.exe
[2011-04-29 14:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011-04-28 22:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011-04-28 22:26:11 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011-04-28 22:26:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011-04-28 22:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011-04-28 21:47:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\NICOU\Recent
[2011-04-28 17:20:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011-04-28 17:20:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011-04-28 09:05:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011-04-28 01:50:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011-04-28 00:43:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011-04-28 00:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011-04-21 03:22:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Somoto
[2011-04-20 01:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Desktop\AVIAddXSubs
[2011-04-12 14:32:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NICOU\IECompatCache
[2011-04-12 01:49:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\OpenOffice.org
[2011-04-12 01:46:20 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\OpenOffice.org 3.3
[2011-04-12 01:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3
[2011-04-11 15:51:07 | 000,161,422 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\drivers\rdwm1044.sys
[2011-04-11 15:51:07 | 000,081,920 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\rdas1044.dll
[2011-04-11 15:51:06 | 000,229,376 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\RDDP1044.DAT
[2011-04-11 15:51:05 | 000,051,644 | R--- | C] (Roland Corporation) -- C:\WINDOWS\System32\rddv1044.dll
[2011-04-11 15:09:54 | 000,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys
[2011-04-11 15:08:30 | 000,085,504 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\ma_cmidn.dll
[2011-04-11 15:08:29 | 000,021,888 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\drivers\ma_cmidi.sys
[2011-04-11 15:08:29 | 000,017,920 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\MA_CMIDI.DLL
[2011-04-11 15:08:29 | 000,014,176 | ---- | C] (M-Audio) -- C:\WINDOWS\System32\MA_CMIDI.DRV
[2011-04-11 15:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\M-Audio MA_CMIDI
[2011-04-11 15:08:10 | 000,000,000 | ---D | C] -- C:\Program Files\M-Audio MA_CMIDI
[2011-04-11 06:04:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\AAY-Audio
[2011-04-11 06:00:56 | 000,000,000 | ---D | C] -- C:\Program Files\D16 Group
[2011-04-11 05:51:41 | 000,000,000 | ---D | C] -- C:\Program Files\Solid State Logic
[2011-04-11 05:49:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Solid State Logic
[2011-04-11 05:44:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Leslie Sanford
[2011-04-11 05:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PSPaudioware
[2011-04-11 05:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\G-Sonique
[2011-04-11 05:19:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\DubStation VST plug-in
[2011-04-11 05:16:48 | 000,765,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71d.dll
[2011-04-11 05:16:48 | 000,544,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71d.dll
[2011-04-11 05:16:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Nomad Factory
[2011-04-11 05:16:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Nomad Factory
[2011-04-11 05:16:44 | 000,000,000 | ---D | C] -- C:\Program Files\Nomad Factory
[2011-04-11 05:08:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\SoundFonts.it GS-201 Tape Echo v1.0
[2011-04-11 04:42:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Spectral Design
[2011-04-11 04:35:09 | 000,011,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\Cubase32.sys
[2011-04-11 04:30:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\WOK
[2011-04-11 04:07:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\discoDSP
[2011-04-11 04:03:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Steinberg
[2011-04-11 04:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Bias
[2011-04-11 02:23:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Blue Cat Audio
[2011-04-11 02:01:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\KeyToSound Preferences
[2011-04-11 01:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Daichi
[2011-04-10 21:29:07 | 000,000,000 | ---D | C] -- C:\Program Files\FXpansion
[2011-04-10 21:29:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\FXpansion
[2011-04-10 18:51:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\JXPlugins
[2011-04-10 18:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\ReFX Junox2 VSTi v1.4
[2011-04-10 18:36:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sylenth1
[2011-04-10 17:45:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Identities
[2011-04-10 05:28:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\EDIROL
[2011-04-10 05:26:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\DashSignature
[2011-04-10 05:19:44 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NICOU\PrivacIE
[2011-04-10 04:54:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\LinPlug Instruments
[2011-04-10 04:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments FM7
[2011-04-10 03:50:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\Smartelectronix
[2011-04-10 03:46:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\iZotope iDrum Content
[2011-04-10 01:46:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\AdmiralQuality
[2011-04-10 01:13:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\LUXONIX
[2011-04-10 01:08:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Rob Papen Predator
[2011-04-10 01:02:20 | 000,000,000 | ---D | C] -- C:\Program Files\GForce
[2011-04-10 01:02:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\GForce
[2011-04-10 00:56:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Timeworks
[2011-04-10 00:51:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Synapse
[2011-04-09 23:33:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\T-RackS 24
[2011-04-09 21:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\My Documents\Native Instruments
[2011-04-09 21:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Local Settings\Application Data\Native Instruments
[2011-04-09 21:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IK Multimedia
[2011-04-09 21:43:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IK Multimedia
[2011-04-09 21:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Application Data\InstallShield

========== Files - Modified Within 30 Days ==========

[2011-05-08 16:49:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-05-08 16:49:54 | 2145,636,352 | -HS- | M] () -- C:\hiberfil.sys
[2011-05-08 16:48:53 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011-05-08 16:26:53 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\erunt.zip
[2011-05-08 15:16:20 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\MBR.dat
[2011-05-08 14:12:07 | 000,459,522 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-05-08 14:12:07 | 000,079,146 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-05-07 21:53:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\NICOU\Desktop\OTL.exe
[2011-05-07 20:18:01 | 004,343,224 | R--- | M] () -- C:\Documents and Settings\NICOU\Desktop\ComboFix.exe
[2011-05-07 15:35:17 | 001,569,920 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011-05-07 15:15:46 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011-05-07 15:10:43 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\NICOU\Desktop\ATF-Cleaner.exe
[2011-05-06 16:24:02 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-05-06 16:15:40 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\NICOU\Desktop\aswMBR.exe
[2011-05-02 16:28:47 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\NICOU\Desktop\esetsmartinstaller_enu.exe
[2011-04-30 16:22:51 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011-04-29 22:46:32 | 000,011,142 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\Attach.zip
[2011-04-29 22:16:59 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\NICOU\defogger_reenable
[2011-04-29 22:12:32 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\2b4tegls.exe
[2011-04-29 22:11:54 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\dds.scr
[2011-04-29 22:11:26 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\Defogger.exe
[2011-04-29 20:45:21 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011-04-29 19:34:49 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\RKUnhookerLE.EXE
[2011-04-29 18:32:31 | 000,044,313 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\Lettre Yvon.pdf
[2011-04-29 18:32:12 | 000,015,475 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\Lettre Yvon.odt
[2011-04-29 13:24:53 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\NICOU\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011-04-28 22:26:18 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\NICOU\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011-04-28 22:26:18 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\Spybot - Search & Destroy.lnk
[2011-04-28 18:25:11 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ihuhogewusuy.dat
[2011-04-28 17:20:12 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011-04-28 09:06:54 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\6AY3WTf.dat
[2011-04-28 00:21:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xgihetiy.bin
[2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\MsPMSPU.dll
[2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\dispexv.dll
[2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\confmspl.dll
[2011-04-27 03:32:34 | 000,480,149 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\3l.pdf
[2011-04-20 01:08:27 | 000,007,168 | ---- | M] () -- C:\Documents and Settings\NICOU\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011-04-20 00:11:38 | 000,064,553 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\1.jpg
[2011-04-12 14:37:24 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011-04-12 01:46:20 | 000,000,885 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.3.lnk
[2011-04-11 23:02:46 | 000,000,016 | ---- | M] () -- C:\WINDOWS\System32\w3data.vss
[2011-04-11 23:02:46 | 000,000,016 | ---- | M] () -- C:\WINDOWS\msocreg32.dat
[2011-04-09 23:33:12 | 000,000,470 | ---- | M] () -- C:\Documents and Settings\NICOU\Desktop\T-RackS 24.lnk
[2011-04-09 22:12:35 | 000,000,219 | ---- | M] () -- C:\WINDOWS\System32\lsprst7.tgz
[2011-04-09 22:12:35 | 000,000,087 | ---- | M] () -- C:\WINDOWS\System32\ssprs.tgz
[2011-04-09 21:55:01 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.tgz
[2011-04-09 21:55:01 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\sysprs7.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\clauth2.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | M] () -- C:\WINDOWS\System32\clauth1.dll

========== Files Created - No Company Name ==========

[2011-05-08 16:26:51 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\erunt.zip
[2011-05-07 20:17:16 | 004,343,224 | R--- | C] () -- C:\Documents and Settings\NICOU\Desktop\ComboFix.exe
[2011-05-07 15:10:28 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011-05-06 16:17:07 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\MBR.dat
[2011-04-29 22:46:32 | 000,011,142 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\Attach.zip
[2011-04-29 22:16:47 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\NICOU\defogger_reenable
[2011-04-29 22:12:21 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\2b4tegls.exe
[2011-04-29 22:11:54 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\dds.scr
[2011-04-29 22:11:26 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\Defogger.exe
[2011-04-29 20:45:20 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011-04-29 20:45:16 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011-04-29 20:41:53 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011-04-29 20:41:53 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011-04-29 20:41:53 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011-04-29 20:41:53 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011-04-29 20:41:53 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011-04-29 19:34:49 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\RKUnhookerLE.EXE
[2011-04-29 18:32:30 | 000,044,313 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\Lettre Yvon.pdf
[2011-04-29 17:44:49 | 000,015,475 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\Lettre Yvon.odt
[2011-04-29 13:24:53 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\NICOU\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011-04-28 22:26:18 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\NICOU\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011-04-28 22:26:18 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\Spybot - Search & Destroy.lnk
[2011-04-28 22:19:20 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011-04-28 17:20:12 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011-04-28 09:06:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\6AY3WTf.dat
[2011-04-28 00:21:56 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ihuhogewusuy.dat
[2011-04-28 00:21:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Xgihetiy.bin
[2011-04-28 00:20:39 | 000,157,184 | RHS- | C] () -- C:\WINDOWS\System32\MsPMSPU.dll
[2011-04-28 00:20:39 | 000,157,184 | RHS- | C] () -- C:\WINDOWS\System32\dispexv.dll
[2011-04-28 00:20:39 | 000,157,184 | RHS- | C] () -- C:\WINDOWS\System32\confmspl.dll
[2011-04-27 03:32:34 | 000,480,149 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\3l.pdf
[2011-04-12 02:11:44 | 000,064,553 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\1.jpg
[2011-04-12 01:46:20 | 000,000,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.3.lnk
[2011-04-11 15:51:08 | 000,038,401 | R--- | C] () -- C:\WINDOWS\System32\RdCi1044.dll
[2011-04-11 15:51:06 | 000,057,344 | R--- | C] () -- C:\WINDOWS\System32\RDCP1044.CPL
[2011-04-11 15:51:05 | 000,004,088 | R--- | C] () -- C:\WINDOWS\System32\Rd4t1044.DAT
[2011-04-11 15:08:29 | 000,007,282 | ---- | C] () -- C:\WINDOWS\System32\MA_CMIDI.VXD
[2011-04-11 04:42:37 | 000,129,024 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2011-04-11 04:35:09 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\wavlbsys.dll
[2011-04-10 18:36:12 | 000,002,240 | ---- | C] () -- C:\WINDOWS\LENDIG.sys
[2011-04-10 00:56:20 | 000,950,000 | ---- | C] () -- C:\WINDOWS\SH1001YAPA.dat
[2011-04-09 23:33:12 | 000,000,470 | ---- | C] () -- C:\Documents and Settings\NICOU\Desktop\T-RackS 24.lnk
[2011-04-09 21:55:14 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\w3data.vss
[2011-04-09 21:55:14 | 000,000,016 | ---- | C] () -- C:\WINDOWS\msocreg32.dat
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.tgz
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2011-04-09 21:55:01 | 000,000,219 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.tgz
[2011-04-09 21:55:01 | 000,000,087 | ---- | C] () -- C:\WINDOWS\System32\ssprs.tgz
[2011-04-09 21:45:49 | 000,000,539 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\SampleTank 2.5.lnk
[2011-04-08 02:51:33 | 000,319,487 | ---- | C] () -- C:\WINDOWS\LOOP.exe
[2011-04-08 00:20:08 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\FDlg.dll
[2011-04-06 20:18:25 | 000,012,484 | -HS- | C] () -- C:\Documents and Settings\NICOU\Local Settings\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011-04-06 20:18:25 | 000,012,484 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011-04-06 17:30:38 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2011-04-05 03:19:02 | 002,340,992 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
[2011-04-05 03:19:02 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
[2011-04-05 03:19:02 | 000,018,048 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2011-04-05 03:19:02 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2011-04-05 03:19:01 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2011-04-04 19:42:04 | 000,018,782 | -HS- | C] () -- C:\Documents and Settings\NICOU\Local Settings\Application Data\t66lx23lpui6t55uvc8xwnfy34833kkwq
[2011-04-04 19:42:04 | 000,018,782 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\t66lx23lpui6t55uvc8xwnfy34833kkwq
[2011-04-04 17:55:56 | 000,118,641 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2011-04-04 17:55:47 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2011-04-02 23:07:31 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\NICOU\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011-04-02 03:01:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011-04-02 01:56:43 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\NICOU\Local Settings\Application Data\fusioncache.dat
[2011-04-02 00:49:14 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2007-10-02 07:50:14 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\FxShared.dll
[2007-10-02 07:50:12 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\com.fxpansion.fxshared.dll
[2006-04-26 01:53:49 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006-04-26 01:53:49 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006-04-26 01:39:43 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006-04-26 01:19:13 | 000,087,275 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006-03-09 14:28:40 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2005-12-02 07:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005-11-08 14:49:00 | 000,112,456 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2004-08-07 10:16:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004-08-07 10:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004-08-07 10:10:30 | 000,459,522 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004-08-07 10:10:30 | 000,079,146 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004-08-07 10:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004-08-07 10:02:54 | 001,569,920 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004-08-07 09:57:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004-08-07 09:54:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004-08-04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004-08-04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004-08-04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004-08-04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004-08-04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004-08-04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004-08-04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004-08-04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003-09-02 11:17:40 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ArtFfct.dll
[2002-05-28 05:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002-05-28 05:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001-07-07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

< End of report >
 
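Triage helper, added here as an example and not part of the thread or of OTL itself. It parses lines in the format the log above uses and flags one pattern a malware-removal helper looks for by eye: several files written in the same second, with the same size, hidden+system attributes and no company name, under C:\WINDOWS\System32 (in the log above, the three 157,184-byte RHS DLLs stamped 2011-04-28 00:20:39). The sample lines are copied from the log above; the grouping heuristic and its thresholds are my own choice, and legitimate installers also write batches of files at once, so a hit is a lead to investigate, not a verdict.

```python
"""Triage the "Files Created/Modified" sections of an OTL log.

Added example, not part of the original thread or of OTL.  Parses lines such as

  [2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\MsPMSPU.dll

and groups System32 files by (timestamp, size) to surface dropper-style clusters.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


def parse_otl_line(line):
    """Return a dict for one OTL file/directory line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))   # "000,157,184" -> 157184
    rec["company"] = rec["company"] or ""             # "()" means no company name
    return rec


def find_dropper_clusters(lines, min_files=2):
    """Return [((timestamp, size), [paths])] for suspicious same-second clusters.

    A cluster is reported when it has at least min_files members and every member
    is hidden+system ('H' and 'S' in the attribute field), has no company name and
    lives under \\System32\\.  Heuristic chosen for this example.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_otl_line(line)
        if rec is not None:
            groups[(rec["ts"], rec["size"])].append(rec)

    clusters = []
    for key, recs in sorted(groups.items()):
        if len(recs) < min_files:
            continue
        if all("H" in r["attrs"] and "S" in r["attrs"]
               and not r["company"]
               and "\\system32\\" in r["path"].lower()
               for r in recs):
            clusters.append((key, [r["path"] for r in recs]))
    return clusters


# Lines copied from the OTL log in this thread (plus one directory line).
SAMPLE_LOG = r"""
[2011-05-08 16:49:54 | 2145,636,352 | -HS- | M] () -- C:\hiberfil.sys
[2011-05-07 21:53:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\NICOU\Desktop\OTL.exe
[2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\MsPMSPU.dll
[2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\dispexv.dll
[2011-04-28 00:20:39 | 000,157,184 | RHS- | M] () -- C:\WINDOWS\System32\confmspl.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2011-04-09 21:55:01 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2011-04-10 04:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NICOU\Start Menu\Programs\Native Instruments FM7
"""

if __name__ == "__main__":
    for (ts, size), paths in find_dropper_clusters(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {size} bytes  x{len(paths)}")
        for p in paths:
            print("   ", p)
```

The 1,025-byte sysprs7/clauth group from 2011-04-09 is deliberately not reported: those files are neither hidden nor system-flagged, which is why the attribute test is part of the rule.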
Matson,

Your logs look fine. Let me tell you, when you first posted your computer was very seriously infected with a nasty, nasty, nasty rootkit; infections like this are not to be taken lightly. Sometimes removing this garbage may affect some other things.


Why don't you go to Add/Remove Programs in the Control Panel and uninstall the software for your keyboard, and then use the setup disk that came with it and reinstall it. If you have problems with this let me know and I can direct you to a good Windows forum that can help you.




ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.
  4. Check the box to accept the Terms of Use.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives.
  8. Make sure that the option "Remove found threats" is Unchecked.
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push List of found threats.
  12. Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the Back button.
  14. Push Finish.
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
 
log of eset scan

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0002492.exe probably a variant of Win32/Agent.EDQCSRE trojan
 
About the keyboard icon: this is the language icon of Windows, which usually stays next to the system tray.
If I reload the recovery DVD, I'll have to reinstall the whole system, I think.
 
Hi,

What ESET found was in your System Restore program; let's flush it all out and create a new restore point.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:
  1. Click Start > Run > copy and paste the following into the run box:
    %SystemRoot%\System32\restore\rstrui.exe
  2. Press OK. Choose Create a Restore Point then click Next.
  3. Name it (something you'll remember) and click Create.
  4. When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points
  1. Click Start > Run > copy and paste the following into the run box:
    cleanmgr
  2. Choose to scan drive C:\ (if C:\ is your main drive).
  3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
  4. Click on the Yes button.
  5. When finished, click on Cancel button to exit.




We need to uninstall previous versions of Java and install the latest one; this will help make your computer more secure.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



1. Click Start > Settings > Control Panel.
2. Double-click the Java Plug-in icon in the control panel.
3. Click the Cache tab.
4. Click Clear. A confirmation dialog box appears.
5. Click Yes to confirm.
6. Click Apply.




As far as the icon for your keyboard goes, why don't you post here in their Windows forum; we all work together, so you can link them to this thread if you wish so they can see what we have done.
http://forums.whatthetech.com/index.php?showforum=119


ComboFix is not a general cleaning tool; only run it with supervision or you can damage your system.

  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.


Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups.




Safe Surfn
Ken
 
I did exactly what you told me to do.
Technically, the virus is gone. I'll monitor the behavior of the computer over the next hours to be sure.

OTL did not remove everything. For example, aswMBR.exe, ATF-Cleaner.exe and RKUnhookerLE.exe are still on the desktop. I think I'll just delete them.

ESET installed some components, so do I have to do another scan and, when it asks me what to do, check the "uninstall components after scan" box in order to uninstall ESET from the computer?

I remember that I used Defogger to disable something, but I don't remember what. Do I have to reinstall Defogger in order to enable whatever it disabled?

About the keyboard icon, I don't know how, but it is back in place. Here is a small pic to let you see what I meant.


To avoid this type of rootkit, do I have to have a real-time anti-spyware?
I am getting rid of McAfee; I want to install Avira or Avast. Which is the better of the two? What would you recommend?

Thank you very much ken545!!!!!!
 
One more thing: can you please have a look at this scan from RogueKiller.
Before, I used to have a hosts file (some 125....); now this is Yp1. Is it bad?

RogueKiller V4.3.7 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: NICOU [Admin rights]
Mode: Scan -- Date : 05/09/2011 17:17:09

Bad processes: 0

Registry Entries: 0

HOSTS File:
ÿþ1

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


the previous log from 3 days ago

RogueKiller V4.3.7 by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: NICOU [Admin rights]
Mode: Scan -- Date : 05/06/2011 17:09:01

Bad processes: 0

Registry Entries: 0

HOSTS File:


Finished : << RKreport[1].txt >>
RKreport[1].txt
 
Well, when we ran the OTL fix we reset your hosts file back to Microsoft defaults, so that's fine.

As far as antivirus software goes, use whatever you're comfortable with and like; what one scan finds another may not, there is no silver bullet. But you should only have one, so if you install one of the others you posted about you need to uninstall McAfee.

You can uninstall ESET via Add/Remove Programs in the Control Panel.


To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


The rest you can just drag to the trash

Any more questions, please post back.
 
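A hosts-file check, added here as an example; it is not part of the thread or of RogueKiller, OTL or any other tool used in it. Two things a practitioner wants to know about a hosts file after a cleanup like this one: what encoding it is in, and whether any entry does something other than map localhost. On the first point, the bytes FF FE are the UTF-16 little-endian byte-order mark, and a tool that prints a file as Windows-1252 shows those two bytes as the characters "ÿþ", which is what the "ÿþ1" line in the RogueKiller report above looks like; the check below reports that explicitly instead of leaving it to guesswork. On the second point, it lists redirects (a name pointed at a non-loopback address) and blocks (a name on a caller-supplied list, such as an antivirus update host, pointed at loopback). The sample file contents are constructed; the domains and addresses are from the reserved example.com / TEST-NET ranges.

```python
"""Hosts-file sanity check (added example, not code from the thread).

audit_hosts(raw_bytes) reports the encoding (by BOM), how the first bytes look
when shown as Windows-1252, and every entry that is not a plain localhost line.
"""
import codecs
import ipaddress

LOOPBACK = {"127.0.0.1", "::1"}


def detect_encoding(raw):
    """Return (encoding, text).  Decided by BOM; Windows-1252 assumed otherwise."""
    for bom, enc in ((codecs.BOM_UTF8, "utf-8-sig"),
                     (codecs.BOM_UTF16_LE, "utf-16"),
                     (codecs.BOM_UTF16_BE, "utf-16")):
        if raw.startswith(bom):
            return enc, raw.decode(enc)
    return "cp1252", raw.decode("cp1252", "replace")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: the resolver ignores the line as well
        for name in parts[1:]:
            yield str(ip), name.lower()


def audit_hosts(raw, protected_names=()):
    """Return a report dict for the raw bytes of a hosts file.

    redirects: entries pointing a name at a non-loopback address.
    blocked:   entries pointing one of protected_names at loopback.
    Assumption: a clean Windows hosts file contains only localhost entries.
    """
    enc, text = detect_encoding(raw)
    entries = list(parse_hosts(text))
    protected = {p.lower() for p in protected_names}
    return {
        "encoding": enc,
        "as_cp1252": raw.decode("cp1252", "replace")[:8],  # what a naive viewer shows
        "entries": entries,
        "redirects": [(ip, n) for ip, n in entries if ip not in LOOPBACK],
        "blocked": [(ip, n) for ip, n in entries if ip in LOOPBACK and n in protected],
    }


# --- constructed samples (not taken from the user's machine) -----------------
DEFAULT_HOSTS = b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n127.0.0.1       localhost\r\n"
HIJACKED_HOSTS = (b"127.0.0.1 localhost\r\n"
                  b"192.0.2.10 www.example.com   # redirect to a TEST-NET-1 address\r\n"
                  b"127.0.0.1 update.example.net # block a hypothetical update server\r\n")
UTF16_HOSTS = codecs.BOM_UTF16_LE + "127.0.0.1 localhost\r\n".encode("utf-16-le")

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_HOSTS),
                       ("hijacked", HIJACKED_HOSTS),
                       ("utf-16", UTF16_HOSTS)):
        r = audit_hosts(raw, protected_names=["update.example.net"])
        print(f"{label:9} {r['encoding']:9} {r['as_cp1252']!r:14} "
              f"redirects={r['redirects']} blocked={r['blocked']}")
```

The `as_cp1252` field is there only to explain what a byte-naive viewer prints; the decision about the file is made on the decoded entries.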
OK, you answered all the questions except that one:

"I remember that I used Defogger to disable something, but I don't remember what. Do I have to reinstall Defogger in order to enable whatever it disabled?"

Other than that, so far everything runs smoothly and I'll install one antivirus only.
 
We cross-posted; the enable Defogger step is in my prior post.

Glad all is well
 
So the emulation driver is enabled, thank you.
I ran Spybot and again, Click.GiftLoad. I am so afraid I took no action.
Am I still sick? I mean the computer. Besides that, no redirects so far and no excessive svchost processes.

Here is the log (it is so long that I can't paste it here, but this is the result)


--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
 
Do this

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click Merge; when it asks you to merge with the Registry, say Yes.

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-

If you saved the file correctly it should look like this:
[screenshot: reg.jpg]


Run Spybot again and it should be gone
 
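An audit of that registry key, added here as an example; it is not code from the thread, from Spybot or from Microsoft. Values under the Internet Explorer FeatureControl keys are named after executables, so the `"svchost.exe"` value under FEATURE_BROWSER_EMULATION that Spybot flagged above means something running under that name had been configured to host the IE rendering engine. The script below parses a `.reg` export of the key (REGEDIT4 or `Windows Registry Editor Version 5.00` header), reports value names that are not on an allow-list, and writes the removal file in the same `"name"=-` syntax used in the fix above, which deletes the value instead of setting it. The sample export and the allow-list are constructed; the allow-list is an assumption to adjust for the machine at hand.

```python
"""Audit FEATURE_BROWSER_EMULATION for unexpected process names, emit the fix.

Added example; not from the thread, Spybot or Microsoft.  Feed it the text of a
.reg export of the key (regedit -> File -> Export) and it prints a REGEDIT4
file that deletes the flagged values using the "name"=- syntax.
"""
import re

KEY_NAME = "FEATURE_BROWSER_EMULATION"
# Assumed allow-list for a desktop: processes expected to host the IE engine.
EXPECTED = {"iexplore.exe", "explorer.exe"}
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export (v4 or v5)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def suspicious_feature_control(keys, expected=EXPECTED):
    """Return [(key_path, value_name)] for FEATURE_BROWSER_EMULATION values whose
    name is not an expected executable.  Names are compared case-insensitively."""
    hits = []
    for path, values in keys.items():
        if path.split("\\")[-1].upper() != KEY_NAME:
            continue
        for name in values:
            if name.lower() not in expected:
                hits.append((path, name))
    return hits


def build_removal_reg(hits):
    """Build a REGEDIT4 file that deletes each flagged value ("name"=- syntax)."""
    lines = ["REGEDIT4", ""]
    for path, name in hits:
        lines += [f"[{path}]", f'"{name}"=-', ""]
    return "\r\n".join(lines)


# Constructed export resembling what regedit writes for the key in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe"=dword:00001f40
"svchost.exe"=dword:00001f40

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING]
"iexplore.exe"=dword:00000001
"""

if __name__ == "__main__":
    hits = suspicious_feature_control(parse_reg_export(SAMPLE_EXPORT))
    for path, name in hits:
        print(f"unexpected: {name} in {path}")
    print(build_removal_reg(hits))
```

Check HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE exports of the same key as well; the fix in the thread only covers HKEY_USERS\.DEFAULT because that is the hive Spybot reported.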