TrojanBNK.Win32.Keylogger.gen/XP Home Security 2012
My laptop started to get pop ups saying that I have the above referenced items. Now I cannot get on the internet so I'm writing from a different computer. I ran OTL (maybe an older version from previous fixes because the virus/malware will not allow me to download per the link provided) but the .txt logs never appeared. Can you please help? Thanks!
Ran full scan with AdAware (took like 5 hours). Here is the OTL log. Thanks for your help.
OTL logfile created on: 12/15/2011 11:40:06 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Richard\Desktop\Computer Maintenece
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 38.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 5.98 Gb Free Space | 8.58% Space Free | Partition Type: NTFS
Computer Name: LABTOP | User Name: Richard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
[color=#E56717]========== Processes (SafeList) ==========[/color]
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
PRC - C:\Documents and Settings\Richard\Desktop\Computer Maintenece\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
PRC - C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Modules (SafeList) ==========[/color]
MOD - C:\Documents and Settings\Richard\Desktop\Computer Maintenece\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
SRV - (Roxio Upnp Server 9) -- File not found
SRV - (Roxio UPnP Renderer 9) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (ACDaemon) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\PSIA.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (dev5_ap1) -- C:\phpdev5\apache\Apache.exe ()
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Adobe Version Cue CS4) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe (Adobe Systems Incorporated)
SRV - (MySQL) -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
SRV - (O2Flash) -- C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (O2MDRDR) -- C:\WINDOWS\System32\DRIVERS\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\WINDOWS\System32\DRIVERS\o2sd.sys (O2Micro )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)
DRV - (AGR1310_51) -- C:\WINDOWS\system32\drivers\AGR1310_51.sys (Agere Systems)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (Ktp3) -- C:\WINDOWS\system32\drivers\Ktp3.sys (Elantech Devices Corp.)
DRV - (ASPI32) -- C:\WINDOWS\System32\drivers\ASPI32.SYS (Adaptec)
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
[color=#E56717]========== Internet Explorer ==========[/color]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
[color=#E56717]========== FireFox ==========[/color]
FF - prefs.js..browser.search.selectedEngine: "Search the Web"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:5.0
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.12.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {87934c42-161d-45bc-8cef-ef18abe2a30c}:0.9
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 1
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 18:19:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/22 08:14:27 | 000,000,000 | ---D | M]
[2009/04/19 20:52:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2011/12/01 17:26:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions
[2011/05/04 11:48:31 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/12/28 12:30:28 | 000,000,000 | ---D | M] ("Delicious Bookmarks") -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2011/11/30 23:00:34 | 000,000,000 | ---D | M] (Ad-Aware Security Toolbar) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2011/05/04 11:48:33 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/11/30 23:10:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 09:27:46 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2011/05/21 07:29:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2008/09/10 00:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npContribute.dll
[2011/05/21 07:29:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/10/17 13:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml
Hosts file not found
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} http://www.leadstoloans.com/activex/fafile.dll (First American File Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} http://www.leadstoloans.com/activex/faprint.dll (First American Print Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} http://www.leadstoloans.com/activex/fagrid.dll (First American Grid Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159818431983 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159818421170 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 10:43:27 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
[2011/12/14 21:58:09 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe
[2011/12/14 18:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/12/13 20:30:13 | 000,302,080 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
[2011/12/13 20:28:23 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/13 20:25:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/12/11 17:31:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/11 17:31:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/11 17:31:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/11 17:31:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/11 17:30:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Richard\Start Menu\Programs\Administrative Tools
[2011/12/11 17:29:15 | 004,337,036 | R--- | C] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe
[2011/12/09 19:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/12/09 19:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/09 17:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\adawaretb
[2011/11/30 23:00:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\adaware
[2011/11/30 23:00:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2011/11/30 23:00:35 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2011/11/30 23:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2011/11/30 23:00:29 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2011/11/29 09:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\My Documents\Adobe Scripts
[2011/11/28 20:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay
[2007/11/10 23:30:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Richard\Application Data\pcouffin.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
[2011/12/15 15:17:51 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/12/15 09:08:32 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/15 09:07:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/14 22:00:57 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat
[2011/12/14 21:58:24 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe
[2011/12/14 21:23:16 | 001,557,791 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip
[2011/12/14 21:10:26 | 002,848,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/14 19:07:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/13 20:30:13 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
[2011/12/13 20:30:12 | 000,000,668 | ---- | M] () -- C:\Documents and Settings\Richard\Application Data\vso_ts_preview.xml
[2011/12/13 20:30:11 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/13 07:41:53 | 000,011,977 | ---- | M] () -- C:\Documents and Settings\Richard\all
[2011/12/11 17:29:25 | 004,337,036 | R--- | M] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe
[2011/12/11 16:08:56 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/11 16:02:16 | 001,008,120 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/11 15:47:56 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/11 15:43:05 | 000,014,316 | -HS- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/11 15:43:05 | 000,014,316 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/09 18:47:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 18:47:46 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1L4652v.dat
[2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com_
[2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com
[2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe_
[2011/12/09 17:43:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 13:24:38 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/09 13:24:38 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/02 13:27:31 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/11/30 23:00:24 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2011/11/23 13:00:52 | 000,156,672 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2011/11/18 14:33:14 | 000,000,189 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\hordersRus (E).lnk
[2011/11/16 11:41:54 | 001,765,063 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lab-school-cookiedrop.psd
[2011/11/16 10:14:02 | 000,042,997 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\parachute-icon.png
[2011/11/16 08:03:48 | 000,466,782 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/16 08:03:47 | 000,081,574 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[color=#E56717]========== Files Created - No Company Name ==========[/color]
[2011/12/14 22:00:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat
[2011/12/14 21:23:03 | 001,557,791 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip
[2011/12/13 20:30:12 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\vso_ts_preview.xml
[2011/12/13 20:29:04 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe_
[2011/12/13 20:29:04 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/13 17:46:00 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com
[2011/12/13 07:28:31 | 000,011,977 | ---- | C] () -- C:\Documents and Settings\Richard\all
[2011/12/11 17:31:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/11 17:31:56 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/11 17:31:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/11 17:31:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/11 17:31:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/11 16:08:56 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/11 16:02:14 | 001,008,120 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/11 15:59:41 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/09 18:47:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 17:43:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 17:36:54 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com_
[2011/12/09 17:36:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1L4652v.dat
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/01 07:26:06 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/11/18 14:32:51 | 000,000,189 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\hordersRus (E).lnk
[2011/11/16 11:41:50 | 001,765,063 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lab-school-cookiedrop.psd
[2011/11/16 10:14:01 | 000,042,997 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\parachute-icon.png
[2011/05/27 11:06:06 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/27 11:06:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2010/10/21 20:49:22 | 000,207,982 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2010/10/21 20:49:22 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2010/08/23 13:51:19 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini
[2010/08/05 09:57:49 | 000,134,272 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/22 11:25:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/10/08 07:52:17 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/27 14:35:07 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/04/30 15:08:59 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/04/24 13:27:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Font Book
[2009/03/12 18:56:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\winscp.rnd
[2008/10/09 15:25:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008/10/09 11:27:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/08/30 08:29:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/08/30 08:29:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\Galaxy Swirl
[2008/05/20 23:05:59 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/04/04 10:05:12 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe
[2008/01/06 14:13:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\winpoint.ini
[2007/11/10 23:30:24 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.cat
[2007/11/10 23:30:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.inf
[2007/11/09 21:48:20 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2007/04/30 13:53:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI
[2007/04/28 07:23:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/04/17 14:28:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/26 16:40:52 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/11/17 23:35:53 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\hndlt.ini
[2006/11/17 23:34:41 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\windll.ini
[2006/11/08 19:59:54 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/10/09 11:00:34 | 000,156,672 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/04 11:35:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/02 19:50:46 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/02 19:33:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/02 15:29:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/10/02 14:32:15 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2006/10/02 09:56:30 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\FASTWiz.html
[2006/09/30 14:26:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini
[2006/09/29 19:10:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/18 13:31:20 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\fusioncache.dat
[2006/07/12 15:26:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/12 15:20:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/12 07:41:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/12 07:40:05 | 002,848,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/01/27 01:33:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\o2flash.exe
[2005/01/20 21:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/09/16 10:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 10:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 10:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,466,782 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,081,574 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[color=#E56717]========== LOP Check ==========[/color]
[2011/12/15 09:08:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2007/11/09 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2008/04/05 08:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jes-Soft
[2007/01/26 15:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/06/15 09:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2009/07/17 17:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2010/06/15 08:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/11 07:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/06/01 10:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/02/05 11:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2008/03/24 16:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\acccore
[2011/12/12 20:10:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2008/01/06 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Aim
[2011/03/22 08:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Amazon
[2010/03/08 09:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Azureus
[2009/05/17 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Blackberry Desktop
[2010/09/23 10:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.ExMan
[2010/11/16 16:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
[2007/07/18 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\CTS
[2011/12/15 09:08:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Dropbox
[2009/03/12 18:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\FileZilla
[2010/05/09 12:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\foobar2000
[2007/03/12 15:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Investintech
[2007/06/24 09:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Leadertech
[2008/08/30 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Nikon
[2008/04/02 20:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OfficeUpdate12
[2009/05/20 07:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Research In Motion
[2010/05/28 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Subversion
[2007/01/18 12:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Viewpoint
[2011/10/06 18:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Vso
[2011/12/15 15:17:51 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[color=#E56717]========== Purity Check ==========[/color]
< End of report >
Please, download and run OTL again, djs. Paste the logs and I will see if I can see anything about rundll32 in them.
I was able to get the computer back online and download/run the OTL from the link provided by this site. OTL says "scan complete" but no logs appeared. I think the malware is preventing the logs from popping up. Please help. Thanks!
Hi djs,
This infection changes settings on your computer so that when you start a program, it will instead start the infection. To fix this you must change a registry setting. From a clean computer, please download the following file and save it to a CD/DVD, external drive, or USB flash drive.
FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
Save the file on the external device and move it to the infected computer. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
Download RKill by Grinler to your Desktop:
On the page [url=http://www.bleepingcomputer.com/download/anti-virus/rkill]http://www.bleepingcomputer.com/download/anti-virus/rkill[/url] click the link [b]iExplore.exe Download Link[/b] and save it to your desktop, please.
Double-click on the iExplore.exe icon to start RKill. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that RKill is an infection, that is a fake warning given by the infection. The trick is to leave the warning on the screen and then run RKill again.
Run RKill five times.
If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead.
Please, try to run OTL again.
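The settings that the FixNCR.reg step restores are the ones OTL reports in its O35/O37 lines (the shell\open\command handlers for .exe and .com files), and the logon shell it reports in the O20 Winlogon lines. The checker below is an added example written for this page, not code from the thread or from the BleepingComputer tools: it reads OTL lines of those kinds and flags any launcher command that is not the Windows XP default `"%1" %*`, and any Winlogon Shell or UserInit entry that is not the stock one (the expected-value table assumes a standard XP install with no third-party shell). The sample lines are constructed for the example: the hijacked O35 line uses a placeholder path, and the O20 lines are modelled on the kind of entries OTL prints.

```python
import re

# Windows XP default for HKCR\exefile\shell\open\command and the .com
# equivalent. FixNCR.reg restores this value; anything else means every
# program launch is being routed through another executable first.
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Stock Winlogon values on Windows XP (assumption: no third-party shell).
# OTL prints each comma-separated entry of the Shell value on its own O20 line.
EXPECTED_WINLOGON = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# O35 - HKLM\..exefile [open] -- "%1" %*
# O37 - HKLM\...exe [@ = exefile] -- "%1" %*
ASSOC_RE = re.compile(
    r'^O3[57] - HKLM\\\.+(?P<ext>\S+) \[(?P<key>[^\]]+)\] -- (?P<cmd>.*)$'
)
# O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (...)
WINLOGON_RE = re.compile(
    r'^O20 - HKLM Winlogon: (?P<value>Shell|UserInit) - '
    r'\((?P<entry>[^)]+)\) -\s*(?P<rest>.*)$'
)


def check_otl_lines(lines):
    """Return human-readable findings for launcher and logon-shell hijacks."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ASSOC_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if cmd != EXPECTED_OPEN_COMMAND:
                findings.append(
                    f'{m.group("ext")} [{m.group("key")}] open command is "{cmd}", '
                    f'expected {EXPECTED_OPEN_COMMAND}'
                )
            continue
        m = WINLOGON_RE.match(line)
        if m:
            value = m.group("value")
            entry = m.group("entry").strip()
            if entry.lower() not in EXPECTED_WINLOGON[value.lower()]:
                # OTL appends "File not found" when the referenced binary is gone,
                # which is common once a cleaner has removed the file but not the key.
                reason = ("file not found" if "File not found" in m.group("rest")
                          else "unexpected entry")
                findings.append(f"Winlogon {value} contains {entry} ({reason})")
    return findings


# Constructed sample log lines (not taken from the thread); the placeholder
# path in the first line stands in for wherever the launcher was redirected.
SAMPLE_OTL_LINES = [
    r'O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\User\Local Settings\Application Data\EXAMPLE.exe" -a "%1" %*',
    r'O35 - HKLM\..comfile [open] -- "%1" %*',
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',
    r'O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)',
    r'O20 - HKLM Winlogon: Shell - (C:\WINDOWS\Cursors\lsass.exe) - File not found',
    r'O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)',
]

if __name__ == "__main__":
    for finding in check_otl_lines(SAMPLE_OTL_LINES):
        print("FINDING:", finding)
```

Run against a saved OTL.txt by replacing `SAMPLE_OTL_LINES` with the file's lines; two findings come out of the sample: the redirected .exe handler, and a second Winlogon Shell entry whose file no longer exists. A legitimate shell replacement would also be reported, so the table of expected values is the place to extend if the machine is not a stock install.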
Cecelia B. - Thanks for your help. From your instructions I was able to get the following OTL log.
OTL logfile created on: 12/11/2011 4:23:50 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Richard\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.44 Gb Total Physical Memory | 0.83 Gb Available Physical Memory | 57.51% Memory free
1.95 Gb Paging File | 1.45 Gb Available in Paging File | 74.34% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 3.88 Gb Free Space | 5.57% Space Free | Partition Type: NTFS
Computer Name: LABTOP | User Name: Richard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
[color=#E56717]========== Processes (SafeList) ==========[/color]
PRC - C:\Documents and Settings\Richard\My Documents\Downloads\OTL(2).exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
PRC - C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
PRC - C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
PRC - C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Modules (No Company Name) ==========[/color]
MOD - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libMachoUniv.dll ()
MOD - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libBase64.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware\Viprebridge.dll ()
MOD - C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll ()
MOD - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\thorax.aaw ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Adobe\Adobe Bridge CS4\FileInfo.dll ()
MOD - C:\Program Files\Adobe\Adobe Bridge CS4\AdobeXMPFiles.dll ()
MOD - C:\Program Files\Adobe\Adobe Bridge CS4\AdobeXMP.dll ()
MOD - C:\Program Files\Adobe\Adobe Bridge CS4\Symlib.dll ()
MOD - C:\Program Files\Adobe\Adobe Bridge CS4\libmysqld.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()
MOD - C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
MOD - C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
SRV - (Roxio Upnp Server 9) -- File not found
SRV - (Roxio UPnP Renderer 9) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (ACDaemon) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\PSIA.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (dev5_ap1) -- C:\phpdev5\apache\Apache.exe ()
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Adobe Version Cue CS4) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe (Adobe Systems Incorporated)
SRV - (MySQL) -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
SRV - (O2Flash) -- C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (O2MDRDR) -- C:\WINDOWS\System32\DRIVERS\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\WINDOWS\System32\DRIVERS\o2sd.sys (O2Micro )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)
DRV - (AGR1310_51) -- C:\WINDOWS\system32\drivers\AGR1310_51.sys (Agere Systems)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (Ktp3) -- C:\WINDOWS\system32\drivers\Ktp3.sys (Elantech Devices Corp.)
DRV - (ASPI32) -- C:\WINDOWS\System32\drivers\ASPI32.SYS (Adaptec)
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
[color=#E56717]========== Internet Explorer ==========[/color]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
[color=#E56717]========== FireFox ==========[/color]
FF - prefs.js..browser.search.selectedEngine: "Search the Web"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:5.0
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.12.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {87934c42-161d-45bc-8cef-ef18abe2a30c}:0.9
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 1
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 18:19:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/22 08:14:27 | 000,000,000 | ---D | M]
[2009/04/19 20:52:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2011/12/01 17:26:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions
[2011/05/04 11:48:31 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/12/28 12:30:28 | 000,000,000 | ---D | M] ("Delicious Bookmarks") -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2011/11/30 23:00:34 | 000,000,000 | ---D | M] (Ad-Aware Security Toolbar) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2011/05/04 11:48:33 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/11/30 23:10:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 09:27:46 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2011/05/21 07:29:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2008/09/10 00:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npContribute.dll
[2011/05/21 07:29:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/17 13:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml
O1 HOSTS File: ([2008/04/04 06:33:45 | 000,231,164 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 .supercocklol.com
O1 - Hosts: 127.0.0.1 www..webloyalty.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 8104 more lines...
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - mswsock.dll File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} http://www.leadstoloans.com/activex/fafile.dll (First American File Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} http://www.leadstoloans.com/activex/faprint.dll (First American Print Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} http://www.leadstoloans.com/activex/fagrid.dll (First American Grid Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159818431983 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159818421170 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0D182252-A0DB-4D93-8F57-EA9893617957}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (C:\WINDOWS\Cursors\lsass.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 10:43:27 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{1437abea-50b9-11db-9ab9-e826ec70053c}\Shell - "" = AutoRun
O33 - MountPoints2\{1437abea-50b9-11db-9ab9-e826ec70053c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1437abea-50b9-11db-9ab9-e826ec70053c}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{51b3cf53-ec11-11de-a856-0013d36ff7e5}\Shell\AutoRun\command - "" = G:\MI.exe
O33 - MountPoints2\{a6051972-19b5-11df-a89b-0013d36ff7e5}\Shell\AutoRun\command - "" = slacker.synclauncher.exe
O33 - MountPoints2\{a6051972-19b5-11df-a89b-0013d36ff7e5}\Shell\slacker\command - "" = slacker.synclauncher.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
[2011/12/09 19:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/12/09 19:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/09 17:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\adawaretb
[2011/12/09 17:23:14 | 000,302,080 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
[2011/11/30 23:00:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\adaware
[2011/11/30 23:00:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2011/11/30 23:00:35 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2011/11/30 23:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2011/11/30 23:00:29 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2011/11/29 09:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\My Documents\Adobe Scripts
[2011/11/28 20:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay
[2007/11/10 23:30:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Richard\Application Data\pcouffin.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
[2011/12/11 16:22:09 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/12/11 16:22:02 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/11 16:21:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/11 16:20:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/11 16:08:56 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/11 16:02:16 | 001,008,120 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/11 15:47:56 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/11 15:47:52 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2011/12/11 15:46:26 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2011/12/11 15:43:05 | 000,014,316 | -HS- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/11 15:43:05 | 000,014,316 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/11 14:46:32 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2011/12/11 14:46:27 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2011/12/11 13:47:48 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2011/12/11 13:47:34 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2011/12/11 12:47:31 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2011/12/11 12:46:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2011/12/11 11:46:31 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2011/12/11 11:46:29 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2011/12/11 10:46:42 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/12/11 10:46:35 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2011/12/11 10:02:44 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2011/12/11 10:00:42 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2011/12/10 23:46:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2011/12/10 23:46:35 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2011/12/10 22:46:31 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2011/12/10 22:46:25 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2011/12/10 21:46:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2011/12/10 21:46:36 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2011/12/10 20:46:46 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2011/12/10 20:46:35 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2011/12/10 19:46:41 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2011/12/10 19:46:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2011/12/10 18:46:41 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2011/12/10 18:46:35 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2011/12/10 18:20:19 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2011/12/10 18:18:19 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2011/12/10 16:52:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2011/12/10 16:46:25 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2011/12/09 18:47:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 18:47:46 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1L4652v.dat
[2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com_
[2011/12/09 17:43:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 17:43:51 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/12/09 17:23:14 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
[2011/12/09 13:24:38 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/09 13:24:38 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/02 13:27:31 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/11/30 23:00:24 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2011/11/30 08:22:13 | 002,848,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/11/23 13:00:52 | 000,156,672 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/18 14:33:14 | 000,000,189 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\hordersRus (E).lnk
[2011/11/16 11:41:54 | 001,765,063 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lab-school-cookiedrop.psd
[2011/11/16 10:14:02 | 000,042,997 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\parachute-icon.png
[2011/11/16 08:03:48 | 000,466,782 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/16 08:03:47 | 000,081,574 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[color=#E56717]========== Files Created - No Company Name ==========[/color]
[2011/12/11 16:08:56 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/11 16:02:14 | 001,008,120 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/11 15:59:41 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/09 18:47:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 17:43:52 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/09 17:43:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 17:36:54 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com_
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/12/09 17:36:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1L4652v.dat
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/01 07:26:06 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/11/18 14:32:51 | 000,000,189 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\hordersRus (E).lnk
[2011/11/16 11:41:50 | 001,765,063 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lab-school-cookiedrop.psd
[2011/11/16 10:14:01 | 000,042,997 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\parachute-icon.png
[2011/05/27 11:06:06 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/27 11:06:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2010/10/21 20:49:22 | 000,207,982 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2010/10/21 20:49:22 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2010/08/23 13:51:19 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini
[2010/08/05 09:57:49 | 000,134,272 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/22 11:25:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/10/08 07:52:17 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/27 14:35:07 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/04/30 15:08:59 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/04/24 13:27:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Font Book
[2009/03/12 18:56:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\winscp.rnd
[2008/11/12 19:55:08 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\vso_ts_preview.xml
[2008/10/09 15:25:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008/10/09 11:27:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/08/30 08:29:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/08/30 08:29:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\Galaxy Swirl
[2008/05/20 23:05:59 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/04/04 10:05:12 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe
[2008/01/06 14:13:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\winpoint.ini
[2007/11/10 23:30:24 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.cat
[2007/11/10 23:30:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.inf
[2007/11/09 21:48:20 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2007/04/30 13:53:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI
[2007/04/28 07:23:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/04/17 14:28:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/26 16:40:52 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/11/17 23:35:53 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\hndlt.ini
[2006/11/17 23:34:41 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\windll.ini
[2006/11/08 19:59:54 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/10/09 11:00:34 | 000,156,672 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/04 11:35:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/02 19:50:46 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/02 19:33:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/02 15:29:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/10/02 14:32:15 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2006/10/02 09:56:30 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\FASTWiz.html
[2006/09/30 14:26:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini
[2006/09/29 19:10:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/18 13:31:20 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\fusioncache.dat
[2006/07/12 15:26:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/12 15:20:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/12 07:41:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/12 07:40:05 | 002,848,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/01/27 01:33:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\o2flash.exe
[2005/01/20 21:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/09/16 10:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 10:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 10:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,466,782 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,081,574 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[color=#E56717]========== LOP Check ==========[/color]
[2011/12/11 16:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2007/11/09 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2008/04/05 08:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jes-Soft
[2007/01/26 15:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/06/15 09:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2009/07/17 17:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/01/02 13:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2010/06/15 08:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/11 07:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/06/01 10:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/02/05 11:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2008/03/24 16:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\acccore
[2011/12/09 19:40:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2008/01/06 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Aim
[2011/03/22 08:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Amazon
[2010/03/08 09:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Azureus
[2009/05/17 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Blackberry Desktop
[2010/09/23 10:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.ExMan
[2010/11/16 16:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
[2007/07/18 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\CTS
[2011/12/11 16:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Dropbox
[2009/03/12 18:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\FileZilla
[2010/05/09 12:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\foobar2000
[2007/03/12 15:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Investintech
[2007/06/24 09:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Leadertech
[2008/08/30 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Nikon
[2008/04/02 20:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OfficeUpdate12
[2009/05/20 07:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Research In Motion
[2010/05/28 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Subversion
[2007/01/18 12:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Viewpoint
[2011/10/06 18:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Vso
[2011/12/11 16:22:09 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2011/12/11 10:00:42 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2011/12/11 10:02:44 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2011/12/11 10:46:35 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2011/12/11 10:46:42 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2011/12/11 11:46:31 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2011/12/11 11:46:29 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2011/12/11 12:46:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2011/12/11 12:47:31 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2011/12/11 13:47:34 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2011/12/11 13:47:48 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2011/12/11 14:46:27 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2011/12/11 14:46:32 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2011/12/11 15:47:52 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2011/12/11 15:46:26 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2011/12/10 16:46:25 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2011/12/10 16:52:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2011/12/10 18:20:19 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2011/12/10 18:18:19 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2011/12/10 18:46:41 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2011/12/10 18:46:35 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2011/12/10 19:46:41 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2011/12/10 19:46:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2011/12/10 20:46:35 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2011/12/10 20:46:46 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2011/12/10 21:46:36 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2011/12/10 21:46:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2011/12/10 22:46:25 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2011/12/10 22:46:31 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2011/12/10 23:46:35 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2011/12/10 23:46:41 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[color=#E56717]========== Purity Check ==========[/color]
[color=#E56717]========== Alternate Data Streams ==========[/color]
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B835CF2D
< End of report >
You are welcome :)
Please, follow the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.
Read carefully and note the "Disclaimer of warranty"!
Paste the content of the log into your answer.
I'm sorry to hear that you lost the wireless connection. Please, run the downloaded version of RKill five times, in case it is the malware that interacts.
Can you move the ComboFix log to a computer with working internet connection? Or even better if you can zip the C:\Qoobox folder and move that to another computer and upload it here. The log, and even more the folder, will show what ComboFix did.
Is it possible for you to use an Ethernet cable instead of the wireless connection?
Can you reinstall the driver for the wireless network card?
Please, check if the connection is working better if you restart the computer in "safe mode with network".
Cecelia - I ran Combofix as directed, however now my wireless internet connection has limited or no connectivity. I have restarted several times and tried to repair/re-establish the connection with no luck. It seems that this arose from the run of Combofix. Please help. Thanks!
Here is the attachment!
Cecilia - Here is the Qoobox file compressed as a rar file. I have yet to get the laptop online, however I will spend some time this evening to re-install the drivers. Thanks!
Cecilia - I don't know if I have any network settings that are not default. My system should be pretty standard....Verizon Fios wireless router with a network key (yes I have updated the network key on the machine with issues to make sure ComboFix didn't somehow change the saved key). I've completed your instructions for re-establishing the connection, but I am still not able to get on the internet. Also, I cannot upload the files to www.virustotal.com until I can get the internet issue resolved. Thanks!
Do you know if you have any network settings that are not common/default?
Start 'Command Prompt' (Start - All programs - Accessories) and enter the following commands:
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
Restart the computer and then check the internet connection. If still no connection continue with the rest.
We try to restore those parts of what ComboFix removed that have to do with network connections.
Please, go to C:\Qoobox\Quarantine\Registry_backups
Rename this file:
AddRemove-D3EF3AED75646A3F17097FE6095D2DA7936A766A.reg.dat
to:
AddRemove-D3EF3AED75646A3F17097FE6095D2DA7936A766A.reg
Double-click the file and let Windows merge it into the registry.
Double-click this file:
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg.dat
and let Windows merge it into the registry
Restart the computer and then check the internet connection.
If that isn't enough I will let you restore more.
Please, upload these files, one by one, to http://www.virustotal.com/ using the "Upload a file" function and post back the links to the scan reports:
c:\windows\system32\gbreeJ.com
c:\windows\system32\gbreeJ.com_
Laptop is back online.....here is the file requested.
What did you do to get the internet connection working between post #1 and #2 in this topic?
Then you have to restore everything that ComboFix changed, even the malicious files and settings.
Run Rkill 5 times.
Copy all lines in the box:
[code]
Killall::
DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\_1179978550_.zip
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\lsflt7.ver.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\keywords.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\kwrd.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\bckfg.tmp.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\@.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\cfg.ini.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\L\akygdmgo.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\Desktop.ini.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\U\00000001.@.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\U\80000032.@.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\U\00000002.@.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\U\80000004.@.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\U\00000004.@.vir
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB45303$\390768573\U\80000000.@.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Application Data\vso_ts_preview.xml.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\etc\hosts.txt.vir
C:\Qoobox\Quarantine\C\WINDOWS\dasetup.log.vir
C:\Qoobox\Quarantine\C\WINDOWS\tsoc.log.vir
Quit::
[/code]
and paste into Notepad.
Save the file on the desktop with the name CFScript.
Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.
Please, go to C:\Qoobox\Quarantine\Registry_backups.
Remove the extension ".dat" from all the files by renaming them.
Double-click each file (including the two you already have merged) and let Windows merge it into the registry.
Restart the computer.
Run RKill 5 times.
Post the contents of c:\DeQuarantine.txt log.
Run RKill 5 times whenever you restart the computer.
1.
Please, upload these files, one by one, to http://www.virustotal.com/ using the "Upload a file" function and post back the links to the scan reports:
c:\windows\system32\gbreeJ.com
c:\windows\system32\gbreeJ.com_
2.
Go to the folder C:\WINDOWS\tasks and delete all files starting with At and then followed by a number, for example At8.job, At48.job.
3.
Save TDSSKiller on the Desktop:
[url=http://support.kaspersky.com/downloads/utils/tdsskiller.zip]http://support.kaspersky.com/downloads/utils/tdsskiller.zip[/url]
Right-click and select [b]Extract all[/b]. Remember the location of the extracted file.
Turn off all programs.
Run the program TDSSKiller.exe which is the file you extracted.
Click on [b]Start Scan[/b].
If any threats are found select [b]Cure[/b] and click [b]Continue[/b]. If [b]Cure[/b] isn't available select [b]Skip[/b]. Do NOT select Quarantine or Delete.
The computer might need a restart.
Paste the content of the TDSSKiller log which is located in the folder C:\ with the name TDSSKiller followed by version and time.
4.
Restart the computer.
Please, let aswMBR scan the computer, see http://public.avast.com/~gmerek/aswMBR.htm
Follow only the first section, "How to scan", and don't try to fix anything. Post its log and tell me which lines (if any) are red and if it would be possible to click the "Fix" button.
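The At<N>.job burst in the OTL log above, the zero-byte ".b" companions beside the dropped executables and the -HS- files in Application Data can be pulled out of the log mechanically. As an added example that is not part of this thread and not OTL's or ComboFix's own code, this Python script parses OTL's file-entry and alternate-data-stream line format over a constructed sample copied from the log; all function names are my own.

```python
"""Triage helper for the OTL log excerpt posted in this thread (added example;
not part of the thread and not OTL's or ComboFix's own code).

Parses OTL 'Files Created/Modified' entries and '@Alternate Data Stream' lines
and reports what a defender would act on: dozens of At<N>.job files created in
the same second (the files the helper tells the poster to delete), zero-byte
'<name>.b' companions beside dropped executables, and hidden+system files.
"""
import re
from collections import defaultdict

# One OTL file entry looks like:
#   [2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
# i.e. timestamp | size | attribute flags | C=created or M=modified, then the
# company name in parentheses (empty for unsigned files) and the path.
# Directory entries (no company field, ---D flag) deliberately do not match.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
AT_JOB_RE = re.compile(r"\\tasks\\At\d+\.job$", re.IGNORECASE)

# Constructed sample: lines copied from the OTL log in this thread.
SAMPLE_LOG = r"""
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2011/12/09 17:36:54 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2011/12/09 17:36:54 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/12/09 17:43:52 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/09 17:43:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 18:47:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/11 16:22:09 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/12/09 17:23:14 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
"""


def parse_otl(text):
    """Return one dict per recognised line; anything else in the log is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
            continue
        m = ADS_RE.match(line)
        if m:  # OTL prints no timestamp or attributes for ADS entries
            entries.append({"ts": None, "size": int(m["size"]), "attr": "",
                            "kind": "A", "company": "", "path": m["path"]})
    return entries


def at_job_bursts(entries, threshold=10):
    """Map creation timestamp -> sorted At<N>.job paths for every second in
    which at least `threshold` such tasks appeared. Only 'C' entries count, so
    the same file listed again under 'Files Modified' is not double-counted."""
    by_ts = defaultdict(list)
    for e in entries:
        if e["kind"] == "C" and AT_JOB_RE.search(e["path"]):
            by_ts[e["ts"]].append(e["path"])
    return {ts: sorted(p) for ts, p in by_ts.items() if len(p) >= threshold}


def zero_byte_b_files(entries):
    """(path, base_present) for each created zero-byte '<name>.b' file;
    base_present tells whether '<name>' itself was created in the same log."""
    created = {e["path"].lower(): e for e in entries if e["kind"] == "C"}
    found = [(e["path"], key[:-2] in created)
             for key, e in created.items() if key.endswith(".b") and e["size"] == 0]
    return sorted(found)


def hidden_system_files(entries):
    """Paths created with both the hidden and system attributes set (-HS-)."""
    return sorted(e["path"] for e in entries
                  if e["kind"] == "C" and "H" in e["attr"] and "S" in e["attr"])


def triage(text):
    """Run every check over an OTL log excerpt and return a single report dict."""
    entries = parse_otl(text)
    return {"entries": len(entries),
            "at_job_bursts": at_job_bursts(entries),
            "zero_byte_b": zero_byte_b_files(entries),
            "hidden_system": hidden_system_files(entries),
            "ads": [(e["path"], e["size"]) for e in entries if e["kind"] == "A"]}


if __name__ == "__main__":
    for ts, jobs in triage(SAMPLE_LOG)["at_job_bursts"].items():
        print(f"{len(jobs)} At*.job files created at {ts}")
```

Run it against a full OTL.Txt by passing the file contents to `triage`; the burst threshold is a judgement call, so lower it if a log shows smaller clusters.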
21:24:41.0578 3588 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
21:24:41.0953 3588 ============================================================
21:24:41.0953 3588 Current date / time: 2011/12/14 21:24:41.0953
21:24:41.0953 3588 SystemInfo:
21:24:41.0953 3588
21:24:41.0953 3588 OS Version: 5.1.2600 ServicePack: 3.0
21:24:41.0953 3588 Product type: Workstation
21:24:41.0953 3588 ComputerName: LABTOP
21:24:41.0953 3588 UserName: Richard
21:24:41.0953 3588 Windows directory: C:\WINDOWS
21:24:41.0953 3588 System windows directory: C:\WINDOWS
21:24:41.0953 3588 Processor architecture: Intel x86
21:24:41.0953 3588 Number of processors: 1
21:24:41.0953 3588 Page size: 0x1000
21:24:41.0953 3588 Boot type: Normal boot
21:24:41.0953 3588 ============================================================
21:24:44.0109 3588 Initialize success
21:24:53.0875 3784 ============================================================
21:24:53.0875 3784 Scan started
21:24:53.0875 3784 Mode: Manual;
21:24:53.0875 3784 ============================================================
21:24:55.0671 3784 Abiosdsk - ok
21:24:55.0718 3784 abp480n5 - ok
21:24:55.0796 3784 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:24:55.0812 3784 ACPI - ok
21:24:55.0921 3784 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:24:55.0921 3784 ACPIEC - ok
21:24:56.0015 3784 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
21:24:56.0031 3784 adfs - ok
21:24:56.0140 3784 adpu160m - ok
21:24:56.0187 3784 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:24:56.0187 3784 aec - ok
21:24:56.0250 3784 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
21:24:56.0265 3784 Afc - ok
21:24:56.0343 3784 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:24:56.0343 3784 AFD - ok
21:24:56.0671 3784 AgereSoftModem (9c7b1314d5e1212bd3d654177c06e24d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
21:24:56.0718 3784 AgereSoftModem - ok
21:24:56.0890 3784 AGR1310_51 (6bb51fe523dda91cc4924f98032295a8) C:\WINDOWS\system32\DRIVERS\AGR1310_51.sys
21:24:56.0890 3784 AGR1310_51 - ok
21:24:56.0906 3784 Aha154x - ok
21:24:56.0953 3784 aic78u2 - ok
21:24:56.0984 3784 aic78xx - ok
21:24:57.0046 3784 AliIde - ok
21:24:57.0093 3784 amsint - ok
21:24:57.0203 3784 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:24:57.0203 3784 Arp1394 - ok
21:24:57.0234 3784 asc - ok
21:24:57.0281 3784 asc3350p - ok
21:24:57.0328 3784 asc3550 - ok
21:24:57.0421 3784 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys
21:24:57.0421 3784 ASPI32 - ok
21:24:57.0484 3784 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:24:57.0484 3784 AsyncMac - ok
21:24:57.0546 3784 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:24:57.0546 3784 atapi - ok
21:24:57.0593 3784 Atdisk - ok
21:24:57.0812 3784 ati2mtag (0c2ca1c294938139829b1983a0c38b31) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:24:57.0859 3784 ati2mtag - ok
21:24:58.0109 3784 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:24:58.0109 3784 Atmarpc - ok
21:24:58.0187 3784 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:24:58.0187 3784 audstub - ok
21:24:58.0296 3784 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:24:58.0296 3784 Beep - ok
21:24:58.0343 3784 BOCDRIVE - ok
21:24:58.0421 3784 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
21:24:58.0421 3784 Bridge - ok
21:24:58.0468 3784 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
21:24:58.0468 3784 BridgeMP - ok
21:24:58.0593 3784 catchme - ok
21:24:58.0781 3784 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:24:58.0781 3784 cbidf2k - ok
21:24:58.0796 3784 cd20xrnt - ok
21:24:58.0859 3784 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:24:58.0859 3784 Cdaudio - ok
21:24:58.0937 3784 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:24:58.0937 3784 Cdfs - ok
21:24:59.0000 3784 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:24:59.0000 3784 Cdrom - ok
21:24:59.0031 3784 Changer - ok
21:24:59.0093 3784 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:24:59.0093 3784 CmBatt - ok
21:24:59.0250 3784 CmdIde - ok
21:24:59.0281 3784 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:24:59.0296 3784 Compbatt - ok
21:24:59.0328 3784 Cpqarray - ok
21:24:59.0375 3784 dac2w2k - ok
21:24:59.0406 3784 dac960nt - ok
21:24:59.0453 3784 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:24:59.0453 3784 Disk - ok
21:24:59.0578 3784 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:24:59.0593 3784 dmboot - ok
21:24:59.0781 3784 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:24:59.0781 3784 dmio - ok
21:24:59.0843 3784 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:24:59.0843 3784 dmload - ok
21:24:59.0968 3784 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:24:59.0968 3784 DMusic - ok
21:25:00.0000 3784 dpti2o - ok
21:25:00.0078 3784 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:25:00.0078 3784 drmkaud - ok
21:25:00.0156 3784 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:25:00.0156 3784 Fastfat - ok
21:25:00.0187 3784 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:25:00.0203 3784 Fdc - ok
21:25:00.0234 3784 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:25:00.0234 3784 Fips - ok
21:25:00.0421 3784 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:25:00.0421 3784 Flpydisk - ok
21:25:00.0453 3784 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:25:00.0453 3784 FltMgr - ok
21:25:00.0546 3784 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:25:00.0546 3784 Fs_Rec - ok
21:25:00.0578 3784 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:25:00.0593 3784 Ftdisk - ok
21:25:00.0656 3784 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:25:00.0656 3784 GEARAspiWDM - ok
21:25:00.0703 3784 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:25:00.0703 3784 Gpc - ok
21:25:00.0750 3784 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:25:00.0750 3784 HDAudBus - ok
21:25:00.0796 3784 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:25:00.0812 3784 HidUsb - ok
21:25:00.0843 3784 hpn - ok
21:25:01.0031 3784 hpt3xx - ok
21:25:01.0109 3784 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:25:01.0125 3784 HTTP - ok
21:25:01.0156 3784 i2omgmt - ok
21:25:01.0171 3784 i2omp - ok
21:25:01.0218 3784 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:25:01.0218 3784 i8042prt - ok
21:25:01.0265 3784 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:25:01.0265 3784 Imapi - ok
21:25:01.0312 3784 ini910u - ok
21:25:01.0625 3784 IntcAzAudAddService (b12a9fc49cd2765a43829d834f518aed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:25:01.0875 3784 IntcAzAudAddService - ok
21:25:02.0015 3784 IntelIde - ok
21:25:02.0078 3784 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:25:02.0078 3784 ip6fw - ok
21:25:02.0156 3784 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:25:02.0156 3784 IpFilterDriver - ok
21:25:02.0203 3784 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:25:02.0218 3784 IpInIp - ok
21:25:02.0265 3784 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:25:02.0265 3784 IpNat - ok
21:25:02.0390 3784 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:25:02.0390 3784 IPSec - ok
21:25:02.0437 3784 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:25:02.0437 3784 IRENUM - ok
21:25:02.0593 3784 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:25:02.0593 3784 isapnp - ok
21:25:02.0656 3784 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:25:02.0656 3784 Kbdclass - ok
21:25:02.0703 3784 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:25:02.0703 3784 kbdhid - ok
21:25:02.0750 3784 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:25:02.0750 3784 kmixer - ok
21:25:02.0828 3784 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:25:02.0828 3784 KSecDD - ok
21:25:02.0890 3784 Ktp3 (ce585b27af145d7a5067526eb1ef4a7a) C:\WINDOWS\system32\DRIVERS\Ktp3.sys
21:25:02.0890 3784 Ktp3 - ok
21:25:03.0078 3784 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
21:25:03.0078 3784 Lavasoft Kernexplorer - ok
21:25:03.0281 3784 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
21:25:03.0296 3784 Lbd - ok
21:25:03.0312 3784 lbrtfdc - ok
21:25:03.0421 3784 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:25:03.0421 3784 mnmdd - ok
21:25:03.0468 3784 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:25:03.0484 3784 Modem - ok
21:25:03.0515 3784 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:25:03.0515 3784 Mouclass - ok
21:25:03.0609 3784 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:25:03.0609 3784 mouhid - ok
21:25:03.0656 3784 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:25:03.0656 3784 MountMgr - ok
21:25:03.0671 3784 mraid35x - ok
21:25:03.0765 3784 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:25:03.0828 3784 MRxDAV - ok
21:25:04.0156 3784 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:25:04.0171 3784 MRxSmb - ok
21:25:04.0265 3784 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:25:04.0265 3784 Msfs - ok
21:25:04.0312 3784 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:25:04.0312 3784 MSKSSRV - ok
21:25:04.0343 3784 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:25:04.0343 3784 MSPCLOCK - ok
21:25:04.0375 3784 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:25:04.0375 3784 MSPQM - ok
21:25:04.0421 3784 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:25:04.0421 3784 mssmbios - ok
21:25:04.0609 3784 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:25:04.0609 3784 Mup - ok
21:25:04.0671 3784 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:25:04.0671 3784 NDIS - ok
21:25:04.0734 3784 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:25:04.0734 3784 NdisTapi - ok
21:25:04.0765 3784 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:25:04.0765 3784 Ndisuio - ok
21:25:04.0843 3784 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:25:04.0875 3784 NdisWan - ok
21:25:04.0953 3784 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:25:04.0953 3784 NDProxy - ok
21:25:05.0000 3784 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:25:05.0000 3784 NetBIOS - ok
21:25:05.0171 3784 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:25:05.0171 3784 NetBT - ok
21:25:05.0265 3784 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:25:05.0281 3784 NIC1394 - ok
21:25:05.0359 3784 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:25:05.0359 3784 Npfs - ok
21:25:05.0437 3784 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:25:05.0437 3784 Ntfs - ok
21:25:05.0625 3784 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:25:05.0625 3784 Null - ok
21:25:05.0656 3784 nvport - ok
21:25:05.0703 3784 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:25:05.0703 3784 NwlnkFlt - ok
21:25:05.0750 3784 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:25:05.0750 3784 NwlnkFwd - ok
21:25:05.0781 3784 O2MDRDR (9be9afaf92f5f46d109694bbe33c3bda) C:\WINDOWS\system32\DRIVERS\o2media.sys
21:25:05.0796 3784 O2MDRDR - ok
21:25:05.0812 3784 O2SDRDR (12a6d826a1a27818170552f2495a567a) C:\WINDOWS\system32\DRIVERS\o2sd.sys
21:25:05.0812 3784 O2SDRDR - ok
21:25:05.0890 3784 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:25:05.0906 3784 ohci1394 - ok
21:25:05.0968 3784 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:25:05.0968 3784 Parport - ok
21:25:06.0000 3784 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:25:06.0000 3784 PartMgr - ok
21:25:06.0046 3784 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:25:06.0046 3784 ParVdm - ok
21:25:06.0156 3784 pbfilter (65fb0c4aa30d84849e0e4c97cb5501ce) C:\Program Files\PeerBlock\pbfilter.sys
21:25:06.0171 3784 pbfilter - ok
21:25:06.0406 3784 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:25:06.0406 3784 PCI - ok
21:25:06.0437 3784 PCIDump - ok
21:25:06.0515 3784 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:25:06.0515 3784 PCIIde - ok
21:25:06.0593 3784 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:25:06.0593 3784 Pcmcia - ok
21:25:06.0656 3784 Pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\Pcouffin.sys
21:25:06.0671 3784 Pcouffin - ok
21:25:06.0687 3784 PDCOMP - ok
21:25:06.0718 3784 PDFRAME - ok
21:25:06.0734 3784 PDRELI - ok
21:25:06.0765 3784 PDRFRAME - ok
21:25:06.0781 3784 perc2 - ok
21:25:06.0812 3784 perc2hib - ok
21:25:06.0937 3784 pfc (da86016f0672ada925f589ede715f185) C:\WINDOWS\system32\drivers\pfc.sys
21:25:06.0937 3784 pfc - ok
21:25:07.0125 3784 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:25:07.0125 3784 PptpMiniport - ok
21:25:07.0156 3784 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:25:07.0156 3784 Processor - ok
21:25:07.0203 3784 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:25:07.0203 3784 PSched - ok
21:25:07.0281 3784 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
21:25:07.0281 3784 PSI - ok
21:25:07.0359 3784 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:25:07.0359 3784 Ptilink - ok
21:25:07.0437 3784 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:25:07.0437 3784 PxHelp20 - ok
21:25:07.0468 3784 ql1080 - ok
21:25:07.0515 3784 Ql10wnt - ok
21:25:07.0546 3784 ql12160 - ok
21:25:07.0578 3784 ql1240 - ok
21:25:07.0593 3784 ql1280 - ok
21:25:07.0625 3784 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:25:07.0625 3784 RasAcd - ok
21:25:07.0703 3784 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:25:07.0703 3784 Rasl2tp - ok
21:25:07.0890 3784 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:25:07.0890 3784 RasPppoe - ok
21:25:07.0921 3784 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:25:07.0921 3784 Raspti - ok
21:25:07.0984 3784 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:25:07.0984 3784 Rdbss - ok
21:25:08.0015 3784 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:25:08.0015 3784 RDPCDD - ok
21:25:08.0093 3784 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:25:08.0093 3784 RDPWD - ok
21:25:08.0156 3784 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:25:08.0156 3784 redbook - ok
21:25:08.0250 3784 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
21:25:08.0250 3784 RimUsb - ok
21:25:08.0281 3784 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
21:25:08.0296 3784 RimVSerPort - ok
21:25:08.0359 3784 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
21:25:08.0359 3784 ROOTMODEM - ok
21:25:08.0687 3784 RT61 (581e74880aeb1dba1cb5ac8e6e6c0a69) C:\WINDOWS\system32\DRIVERS\RT61.sys
21:25:08.0703 3784 RT61 - ok
21:25:08.0796 3784 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:25:08.0812 3784 Secdrv - ok
21:25:08.0906 3784 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:25:08.0906 3784 Serial - ok
21:25:09.0093 3784 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:25:09.0093 3784 Sfloppy - ok
21:25:09.0125 3784 Simbad - ok
21:25:09.0187 3784 Sparrow - ok
21:25:09.0218 3784 spcstb - ok
21:25:09.0250 3784 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:25:09.0250 3784 splitter - ok
21:25:09.0312 3784 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:25:09.0312 3784 sr - ok
21:25:09.0406 3784 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:25:09.0421 3784 Srv - ok
21:25:09.0546 3784 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
21:25:09.0546 3784 StillCam - ok
21:25:09.0625 3784 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:25:09.0625 3784 swenum - ok
21:25:09.0781 3784 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:25:09.0796 3784 swmidi - ok
21:25:09.0828 3784 symc810 - ok
21:25:09.0843 3784 symc8xx - ok
21:25:09.0875 3784 sym_hi - ok
21:25:09.0906 3784 sym_u3 - ok
21:25:09.0953 3784 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:25:09.0953 3784 sysaudio - ok
21:25:10.0062 3784 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:25:10.0062 3784 Tcpip - ok
21:25:10.0187 3784 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:25:10.0187 3784 TDPIPE - ok
21:25:10.0312 3784 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:25:10.0312 3784 TDTCP - ok
21:25:10.0359 3784 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:25:10.0359 3784 TermDD - ok
21:25:10.0406 3784 TosIde - ok
21:25:10.0453 3784 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:25:10.0468 3784 Udfs - ok
21:25:10.0484 3784 ultra - ok
21:25:10.0546 3784 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:25:10.0546 3784 Update - ok
21:25:10.0671 3784 USBAAPL - ok
21:25:10.0750 3784 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:25:10.0750 3784 usbccgp - ok
21:25:10.0796 3784 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:25:10.0796 3784 usbehci - ok
21:25:10.0890 3784 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:25:10.0906 3784 usbhub - ok
21:25:10.0953 3784 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:25:10.0953 3784 usbohci - ok
21:25:11.0046 3784 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:25:11.0046 3784 usbprint - ok
21:25:11.0093 3784 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:25:11.0093 3784 usbscan - ok
21:25:11.0140 3784 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:25:11.0140 3784 USBSTOR - ok
21:25:11.0296 3784 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:25:11.0296 3784 VgaSave - ok
21:25:11.0312 3784 ViaIde - ok
21:25:11.0359 3784 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:25:11.0359 3784 VolSnap - ok
21:25:11.0500 3784 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:25:11.0500 3784 Wanarp - ok
21:25:11.0515 3784 wanatw - ok
21:25:11.0546 3784 WDICA - ok
21:25:11.0578 3784 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:25:11.0578 3784 wdmaud - ok
21:25:11.0734 3784 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:25:11.0750 3784 WpdUsb - ok
21:25:11.0890 3784 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:25:11.0890 3784 WudfPf - ok
21:25:11.0968 3784 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:25:12.0171 3784 \Device\Harddisk0\DR0 - ok
21:25:12.0171 3784 Boot (0x1200) (df96755a8cc4b9afd666e4e35f64261c) \Device\Harddisk0\DR0\Partition0
21:25:12.0171 3784 \Device\Harddisk0\DR0\Partition0 - ok
21:25:12.0187 3784 ============================================================
21:25:12.0187 3784 Scan finished
21:25:12.0187 3784 ============================================================
21:25:12.0203 3392 Detected object count: 0
21:25:12.0203 3392 Actual detected object count: 0
21:25:38.0453 3576 Deinitialize success
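The TDSSKiller output above lists every driver service twice: once with its MD5 and on-disk path, once with the tool's verdict after " - ". When a log like this is pasted in a thread, the thing a helper actually reads out of it is (a) anything that is not "ok" and (b) drivers that load from somewhere other than the system drivers directory, which is where a closer look is warranted even when the tool is happy. The parser below is an added example, not code from this thread or from Kaspersky's TDSSKiller; the sample input is a handful of lines copied from the log above, the "trusted" directory prefix is an assumption you should adjust for your own layout, and the treatment of any verdict other than "ok" as a detection is likewise assumed from the log format rather than documented by the tool.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the TDSSKiller log above (object line, verdict line,
# a driver with no file on disk, two third-party drivers, the MBR entry and the summary).
SAMPLE_LOG = r"""
21:24:56.0671 3784 AgereSoftModem (9c7b1314d5e1212bd3d654177c06e24d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
21:24:56.0718 3784 AgereSoftModem - ok
21:24:56.0906 3784 Aha154x - ok
21:25:03.0078 3784 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
21:25:03.0078 3784 Lavasoft Kernexplorer - ok
21:25:06.0156 3784 pbfilter (65fb0c4aa30d84849e0e4c97cb5501ce) C:\Program Files\PeerBlock\pbfilter.sys
21:25:06.0171 3784 pbfilter - ok
21:25:11.0968 3784 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:25:12.0171 3784 \Device\Harddisk0\DR0 - ok
21:25:12.0203 3392 Detected object count: 0
"""

PREFIX = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+"
# "<name> (<md5>) <path>"; the name is non-greedy so "Lavasoft Kernexplorer" and "MBR (0x1B8)" work
OBJECT_RE = re.compile(PREFIX + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
# "<name> - <verdict>"; assumption: anything other than "ok" is a detection
VERDICT_RE = re.compile(PREFIX + r"(?P<name>.+?) - (?P<verdict>.+)$")
COUNT_RE = re.compile(r"Detected object count: (\d+)")


@dataclass
class ScannedObject:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller(text: str) -> Dict[str, ScannedObject]:
    """Fold the two-lines-per-object TDSSKiller output into one record per object."""
    objects: Dict[str, ScannedObject] = {}
    by_path: Dict[str, ScannedObject] = {}
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            obj = objects.setdefault(m["name"], ScannedObject(m["name"]))
            obj.md5, obj.path = m["md5"].lower(), m["path"]
            by_path[obj.path] = obj
            continue
        m = VERDICT_RE.match(line)
        if m:
            # MBR/boot-sector verdicts are keyed by device path rather than by object name
            obj = objects.get(m["name"]) or by_path.get(m["name"])
            if obj is None:
                obj = objects.setdefault(m["name"], ScannedObject(m["name"]))
            obj.verdict = m["verdict"]
    return objects


def detected_count(text: str) -> Optional[int]:
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def review(objects: Dict[str, ScannedObject],
           trusted_prefix: str = "c:\\windows\\system32\\drivers\\") -> List[Tuple[str, str]]:
    """Return (name, reason) pairs that deserve a human look, in log order."""
    findings: List[Tuple[str, str]] = []
    for obj in objects.values():
        if obj.verdict is not None and obj.verdict != "ok":
            findings.append((obj.name, "tool verdict: " + obj.verdict))
        elif obj.path and not obj.path.startswith("\\Device\\") \
                and not obj.path.lower().startswith(trusted_prefix):
            findings.append((obj.name, "driver loads from outside the drivers directory: " + obj.path))
    return findings


if __name__ == "__main__":
    objs = parse_tdsskiller(SAMPLE_LOG)
    print("objects:", len(objs), "detected:", detected_count(SAMPLE_LOG))
    for name, reason in review(objs):
        print(f"  {name}: {reason}")
```

On the full log above this flags only the Ad-Aware and PeerBlock drivers, both of which are explained by software the poster installed on purpose, which is exactly the judgement the helper makes in the next reply. An "ok" from the tool means it found nothing it recognises as hostile in that object; it is not a statement that a third-party driver is benign, which is why the path check is kept separate from the verdict check.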
Good, no rootkit at least.
Does Ad-Aware work?
In that case, please run a Full scan and let it move all found files to quarantine.
In any case, run OTL and paste OTL.txt so I have a fresh log before starting to remove files.
Cecilia B. - Here is the aswMBR results. The fix button was operational but nothing was red. I look forward to your input. Thanks!
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-14 21:59:16
-----------------------------
21:59:16.156 OS Version: Windows 5.1.2600 Service Pack 3
21:59:16.156 Number of processors: 1 586 0x2C02
21:59:16.156 ComputerName: LABTOP UserName:
21:59:16.828 Initialize success
21:59:42.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:59:42.718 Disk 0 Vendor: HTS421280H9AT00 HA3OA70G Size: 76319MB BusType: 3
21:59:44.750 Disk 0 MBR read successfully
21:59:44.750 Disk 0 MBR scan
21:59:44.750 Disk 0 Windows XP default MBR code
21:59:44.750 Disk 0 scanning sectors +156296385
21:59:44.796 Disk 0 scanning C:\WINDOWS\system32\drivers
21:59:54.281 Service scanning
21:59:56.296 Modules scanning
22:00:22.093 Disk 0 trace - called modules:
22:00:22.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:00:22.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5e6ab8]
22:00:22.125 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\00000080[0x8a6726c8]
22:00:22.125 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5ec940]
22:00:22.453 Scan finished successfully
22:00:57.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Richard\Desktop\MBR.dat"
22:00:57.187 The log file has been saved successfully to "C:\Documents and Settings\Richard\Desktop\aswMBR.txt"
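Two independent tools have now looked at the same boot sector: TDSSKiller reported an MD5 for "MBR (0x1B8)", and aswMBR reported "Windows XP default MBR code" and saved a copy to MBR.dat on the desktop. The example below is added here and is not code from aswMBR, TDSSKiller or this thread; it shows how to cross-check such a saved MBR yourself: hash the boot-code region, read the partition table, and work out where the last partition ends, since the unpartitioned sectors after it are the classic hiding place for a bootkit body (which is what aswMBR's "scanning sectors +N" line refers to). The interpretation of "(0x1B8)" as "hash of the first 0x1B8 bytes, i.e. the code before the disk signature and partition table" is an assumption, and the MBR bytes used here are constructed, so their hash will not equal the one in the log.

```python
import hashlib
import struct
from typing import List, NamedTuple

MBR_CODE_LEN = 0x1B8   # assumed: bytes hashed by TDSSKiller; disk signature + partition table follow
SECTOR = 512
PART_TABLE_OFF = 446   # 0x1B8 code + 4-byte disk signature + 2 reserved bytes
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def build_sample_mbr() -> bytes:
    """Constructed stand-in for MBR.dat: filler boot code, one bootable NTFS partition."""
    code = (bytes(range(256)) * 2)[:MBR_CODE_LEN]
    signature = struct.pack("<I", 0x12345678) + b"\x00\x00"
    # Type 0x07 (NTFS) starting at LBA 63; the size is chosen so the partition ends at
    # sector 156296385, the offset aswMBR reported scanning from (assumed correspondence).
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 156296322)
    return code + signature + entry + bytes(16) * 3 + b"\x55\xAA"


def code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region only, so a changed disk signature does not change the hash."""
    return hashlib.md5(mbr[:MBR_CODE_LEN]).hexdigest()


def mbr_matches(mbr: bytes, reference_md5: str) -> bool:
    return code_md5(mbr) == reference_md5.lower()


def parse_partitions(mbr: bytes) -> List[Partition]:
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:  # type 0 means an empty slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def last_sector(parts: List[Partition]) -> int:
    """First sector after the last partition: where a bootkit would stash its payload."""
    return max((p.lba_start + p.sectors for p in parts), default=0)


if __name__ == "__main__":
    mbr = build_sample_mbr()   # replace with open("MBR.dat", "rb").read() on the real file
    print("code md5:", code_md5(mbr))
    for p in parse_partitions(mbr):
        print(p)
    print("unpartitioned space starts at sector", last_sector(mbr and parse_partitions(mbr)))
```

Used on the real MBR.dat from the desktop, the hash either agrees with TDSSKiller's value (both tools saw the same code) or it does not, which would mean the MBR changed between the two runs and is worth a second look. The partition-table walk also gives you the number to compare against aswMBR's "scanning sectors" line.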
Please create a new system restore point that you can restore from in case your internet connection disappears again.
Are you familiar with the leadstoloans.com web site?
Close all programs, including antivirus programs and other similar programs; otherwise they might stop OTL.
How? See http://www.bleepingcomputer.com/forums/topic114351.html
Start the program OTL.
Copy all the lines in the box:
[code]
:OTL
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
[2011/12/13 20:30:13 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
[2011/12/13 20:29:04 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe_
[2011/12/13 20:29:04 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/09 18:47:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 17:43:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 17:36:54 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com_
[2011/12/09 17:36:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1L4652v.dat
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
:Reg
:Files
c:\windows\$NtUninstallKB45303$
:Commands
[CREATERESTOREPOINT]
[EMPTYTEMP]
[REBOOT]
[/code]
Paste them into the field Custom Scans/Fixes.
Click on Run Fix.
If you are asked to restart the computer, do that.
Notepad will pop up with a log. Copy it and paste it into your answer.
If it does not pop up, you can find it in the folder c:\_OTL\Moved Files; its name contains the date and time when OTL was run.
Be sure that antivirus programs etc. are active before connecting to the internet.
Please run OTL in the normal way and paste that log, too.
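The file entries in the fix script above were picked out of OTL's "files created/modified in the last 30 days" listing by eye, and the tells are all visible in the lines themselves: an executable in Local Settings\Application Data that claims to be from "Microsoft Corporation", a random-named .exe dropped in All Users\Application Data, copies of the same names with an appended "_" or ".b", hidden+system files with 28-character gibberish names, and a small .dat written in the very same second as one of them. The script below is an added example, not code from this thread or from OTL; it parses OTL's file-listing format and applies those tells as rules, then pivots on timestamps so that a file with an innocuous name (1L4652v.dat) is still surfaced because it was written alongside a flagged one. The sample input is constructed from the nine entries in the fix script plus two benign entries from the OTL log below, and the directory lists and thresholds are assumptions to tune for your own environment.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample: the nine entries from the fix script above, plus two benign
# entries from the OTL log further down so the rules have something to leave alone.
SAMPLE_OTL = r"""
[2011/12/13 20:30:13 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe
[2011/12/13 20:29:04 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe_
[2011/12/13 20:29:04 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe
[2011/12/09 18:47:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com.b
[2011/12/09 17:43:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b
[2011/12/09 17:36:54 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com_
[2011/12/09 17:36:54 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1L4652v.dat
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2011/12/09 17:23:16 | 000,014,316 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o
[2008/09/10 00:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npContribute.dll
[2011/10/17 13:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml
"""

# [stamp | size | attrs | M/C] (company) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
EXEC_TOKENS = {"exe", "com", "dll", "sys", "scr", "pif", "bat", "cmd"}
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")   # assumed list
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\")                       # assumed list


def parse_otl_files(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"].replace(",", ""))
            rows.append(row)
    return rows


def _exec_tokens(name: str) -> List[str]:
    # "gbreeJ.com_" -> ["com"], "2oDh5GCX.exe.b" -> ["exe", "b"]: extensions with trailing "_" stripped
    return [t.rstrip("_") for t in name.lower().split(".")[1:]]


def _rules(row: dict) -> List[str]:
    p = PureWindowsPath(row["path"])
    low = str(p).lower()
    tokens = _exec_tokens(p.name)
    looks_exec = any(t in EXEC_TOKENS for t in tokens)
    in_user_data = any(d in low for d in USER_DATA_DIRS)
    reasons = []
    if looks_exec and in_user_data:
        reasons.append("executable in a user-writable data directory")
    if looks_exec and (p.name.endswith("_") or tokens[-1] not in EXEC_TOKENS):
        reasons.append("executable with a renamed or appended extension")
    if row["company"].lower().startswith("microsoft") and not low.startswith(SYSTEM_ROOTS):
        reasons.append("claims Microsoft but lives outside Windows/Program Files")
    if "H" in row["attrs"] and "S" in row["attrs"] and in_user_data:
        reasons.append("hidden+system file in a user data directory")
    stem = p.stem
    if len(stem) >= 16 and stem.isalnum() and any(c.isdigit() for c in stem):
        reasons.append("random-looking name")
    return reasons


def triage(rows: List[dict]) -> Dict[str, List[str]]:
    findings = {r["path"]: _rules(r) for r in rows}
    findings = {path: why for path, why in findings.items() if why}
    # Timeline pivot: a file written in the same second as a flagged one was almost
    # certainly dropped by the same installer, whatever its name looks like.
    hot = {r["stamp"]: PureWindowsPath(r["path"]).name for r in rows if r["path"] in findings}
    for r in rows:
        if r["path"] not in findings and r["stamp"] in hot:
            findings[r["path"]] = ["created in the same second as " + hot[r["stamp"]]]
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_otl_files(SAMPLE_OTL)).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Every hit is a lead for a person to check against the rest of the log (who dropped it, what runs it, whether it is signed), not a verdict; the point of the timestamp pivot is that the helper's list includes a 112-byte .dat that no name- or path-based rule would ever catch on its own.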
OTL logfile created on: 12/17/2011 8:37:43 AM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Richard\Desktop\Computer Maintenece
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 5.96 Gb Free Space | 8.56% Space Free | Partition Type: NTFS
Drive E: | 1.89 Gb Total Space | 1.88 Gb Free Space | 99.67% Space Free | Partition Type: FAT
Computer Name: LABTOP | User Name: Richard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
[color=#E56717]========== Processes (SafeList) ==========[/color]
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
PRC - C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
PRC - C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Documents and Settings\Richard\Desktop\Computer Maintenece\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
PRC - C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Modules (SafeList) ==========[/color]
MOD - C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll (Lavasoft)
MOD - C:\Documents and Settings\Richard\Desktop\Computer Maintenece\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
SRV - (Roxio Upnp Server 9) -- File not found
SRV - (Roxio UPnP Renderer 9) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (ACDaemon) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\PSIA.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (dev5_ap1) -- C:\phpdev5\apache\Apache.exe ()
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (Adobe Version Cue CS4) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe (Adobe Systems Incorporated)
SRV - (MySQL) -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe ()
SRV - (O2Flash) -- C:\WINDOWS\system32\o2flash.exe ()
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (O2MDRDR) -- C:\WINDOWS\System32\DRIVERS\o2media.sys (O2Micro )
DRV - (O2SDRDR) -- C:\WINDOWS\System32\DRIVERS\o2sd.sys (O2Micro )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)
DRV - (AGR1310_51) -- C:\WINDOWS\system32\drivers\AGR1310_51.sys (Agere Systems)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (Ktp3) -- C:\WINDOWS\system32\drivers\Ktp3.sys (Elantech Devices Corp.)
DRV - (ASPI32) -- C:\WINDOWS\System32\drivers\ASPI32.SYS (Adaptec)
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
[color=#E56717]========== Internet Explorer ==========[/color]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
[color=#E56717]========== FireFox ==========[/color]
FF - prefs.js..browser.search.selectedEngine: "Search the Web"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:5.0
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.12.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {87934c42-161d-45bc-8cef-ef18abe2a30c}:0.9
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 1
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 18:19:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/22 08:14:27 | 000,000,000 | ---D | M]
[2009/04/19 20:52:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2011/12/01 17:26:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions
[2011/05/04 11:48:31 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/12/28 12:30:28 | 000,000,000 | ---D | M] ("Delicious Bookmarks") -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2011/11/30 23:00:34 | 000,000,000 | ---D | M] (Ad-Aware Security Toolbar) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2011/05/04 11:48:33 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/11/30 23:10:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 09:27:46 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2011/05/21 07:29:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2008/09/10 00:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npContribute.dll
[2011/05/21 07:29:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/10/17 13:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml
Hosts file not found
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} http://www.leadstoloans.com/activex/fafile.dll (First American File Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} http://www.leadstoloans.com/activex/faprint.dll (First American Print Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} http://www.leadstoloans.com/activex/fagrid.dll (First American Grid Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159818431983 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159818421170 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 10:43:27 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/12/17 08:24:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/14 21:58:09 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe
[2011/12/14 18:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/12/13 20:28:23 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/12/13 20:25:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/12/11 17:31:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/11 17:31:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/11 17:31:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/11 17:31:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/11 17:30:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Richard\Start Menu\Programs\Administrative Tools
[2011/12/11 17:29:15 | 004,337,036 | R--- | C] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe
[2011/12/09 19:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/12/09 19:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/09 17:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\adawaretb
[2011/11/30 23:00:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\adaware
[2011/11/30 23:00:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2011/11/30 23:00:35 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2011/11/30 23:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2011/11/30 23:00:29 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2011/11/29 09:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\My Documents\Adobe Scripts
[2011/11/28 20:48:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay
[2007/11/10 23:30:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Richard\Application Data\pcouffin.sys
========== Files - Modified Within 30 Days ==========
[2011/12/17 08:28:42 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/17 08:28:25 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/12/17 08:27:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/16 13:25:23 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/12/16 13:25:23 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/12/14 22:00:57 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat
[2011/12/14 21:58:24 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe
[2011/12/14 21:23:16 | 001,557,791 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip
[2011/12/14 21:10:26 | 002,848,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/14 19:07:40 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/13 20:30:12 | 000,000,668 | ---- | M] () -- C:\Documents and Settings\Richard\Application Data\vso_ts_preview.xml
[2011/12/13 07:41:53 | 000,011,977 | ---- | M] () -- C:\Documents and Settings\Richard\all
[2011/12/11 17:29:25 | 004,337,036 | R--- | M] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe
[2011/12/11 16:08:56 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/11 16:02:16 | 001,008,120 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/11 15:47:56 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com
[2011/12/02 13:27:31 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/11/30 23:00:24 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2011/11/23 13:00:52 | 000,156,672 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2011/11/18 14:33:14 | 000,000,189 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\hordersRus (E).lnk
========== Files Created - No Company Name ==========
[2011/12/14 22:00:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat
[2011/12/14 21:23:03 | 001,557,791 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip
[2011/12/13 20:30:12 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\vso_ts_preview.xml
[2011/12/13 17:46:00 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\gbreeJ.com
[2011/12/13 07:28:31 | 000,011,977 | ---- | C] () -- C:\Documents and Settings\Richard\all
[2011/12/11 17:31:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/11 17:31:56 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/11 17:31:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/11 17:31:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/11 17:31:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/11 16:08:56 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/11 16:02:14 | 001,008,120 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/11 15:59:41 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/01 07:26:06 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/11/18 14:32:51 | 000,000,189 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\hordersRus (E).lnk
[2011/05/27 11:06:06 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/27 11:06:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2010/10/21 20:49:22 | 000,207,982 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2010/10/21 20:49:22 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2010/08/23 13:51:19 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini
[2010/08/05 09:57:49 | 000,134,272 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/22 11:25:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/10/08 07:52:17 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/27 14:35:07 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/04/30 15:08:59 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/04/24 13:27:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Font Book
[2009/03/12 18:56:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\winscp.rnd
[2008/10/09 15:25:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008/10/09 11:27:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/08/30 08:29:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/08/30 08:29:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\Galaxy Swirl
[2008/05/20 23:05:59 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/04/04 10:05:12 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe
[2008/01/06 14:13:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\winpoint.ini
[2007/11/10 23:30:24 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.cat
[2007/11/10 23:30:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.inf
[2007/11/09 21:48:20 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2007/04/30 13:53:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI
[2007/04/28 07:23:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/04/17 14:28:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/26 16:40:52 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/11/17 23:35:53 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\hndlt.ini
[2006/11/17 23:34:41 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\windll.ini
[2006/11/08 19:59:54 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/10/09 11:00:34 | 000,156,672 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/04 11:35:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/02 19:50:46 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/02 19:33:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/02 15:29:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/10/02 14:32:15 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2006/10/02 09:56:30 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\FASTWiz.html
[2006/09/30 14:26:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini
[2006/09/29 19:10:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/18 13:31:20 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\fusioncache.dat
[2006/07/12 15:26:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/12 15:20:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/12 07:41:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/12 07:40:05 | 002,848,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/01/27 01:33:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\o2flash.exe
[2005/01/20 21:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/09/16 10:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 10:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 10:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,466,782 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,081,574 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
========== LOP Check ==========
[2011/12/15 09:08:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2007/11/09 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2008/04/05 08:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jes-Soft
[2007/01/26 15:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/06/15 09:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2009/07/17 17:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2010/06/15 08:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/11 07:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/06/01 10:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/02/05 11:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2008/03/24 16:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\acccore
[2011/12/12 20:10:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2008/01/06 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Aim
[2011/03/22 08:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Amazon
[2010/03/08 09:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Azureus
[2009/05/17 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Blackberry Desktop
[2010/09/23 10:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.ExMan
[2010/11/16 16:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
[2007/07/18 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\CTS
[2011/12/15 09:08:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Dropbox
[2009/03/12 18:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\FileZilla
[2010/05/09 12:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\foobar2000
[2007/03/12 15:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Investintech
[2007/06/24 09:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Leadertech
[2008/08/30 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Nikon
[2008/04/02 20:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OfficeUpdate12
[2009/05/20 07:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Research In Motion
[2010/05/28 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Subversion
[2007/01/18 12:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Viewpoint
[2011/10/06 18:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Vso
[2011/12/17 08:28:25 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
========== Purity Check ==========
< End of report >
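The entry the helper's fix script went after, gbreeJ.com, stands out in the log above for three reasons at once: it was created in the last 30 days, it sits in System32, and OTL prints an empty company name for it. The O10 line says the same kind of thing about the Winsock catalog, which matters later in the thread. The script below, added here as a worked example (it is not part of OTL and was not posted in the thread), applies that reading to lines copied from the log. The date window, the set of watched folders and the list of executable extensions are assumptions chosen for this example.

```python
"""Triage helper for OTL log lines (added example, not OTL's own code).

Flags two kinds of line from an OTL log:
  * a recently created or modified file with an executable extension,
    no company name, under System32 or All Users\Application Data;
  * an O10 (Winsock catalog) entry whose file OTL reports as not found.
"""
import re
from datetime import datetime

# One OTL file line looks like:
# [2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
O10_LINE = re.compile(r"^O10 - (?P<entry>\S+) - (?P<status>.+)$")

# Assumptions for this example: what counts as executable and where to look.
EXEC_EXT = (".exe", ".com", ".dll", ".sys", ".scr", ".pif", ".bat", ".cmd")
WATCHED_DIRS = (
    r"c:\windows\system32",
    r"c:\documents and settings\all users\application data",
)


def parse_file_line(line):
    """Return a dict for an OTL file/folder line, or None if it is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["size"] = int(rec["size"].replace(",", ""))
    rec["is_dir"] = "D" in rec["attrs"]
    rec["company"] = (rec["company"] or "").strip()
    return rec


def flag_file(rec, newer_than):
    """Heuristic: no company name, executable extension, system location, recent."""
    if rec["is_dir"] or rec["company"]:
        return False
    path = rec["path"].lower()
    if not path.endswith(EXEC_EXT) or not path.startswith(WATCHED_DIRS):
        return False
    return rec["ts"] >= newer_than


def triage(lines, newer_than="2011/11/17"):
    """Return (reason, path_or_entry) tuples for lines worth a human look."""
    cutoff = datetime.strptime(newer_than, "%Y/%m/%d")
    hits = []
    for line in lines:
        rec = parse_file_line(line)
        if rec is not None:
            if flag_file(rec, cutoff):
                hits.append(("unsigned executable in system location", rec["path"]))
            continue
        o10 = O10_LINE.match(line.strip())
        if o10 and "not found" in o10.group("status").lower():
            # A Winsock LSP entry whose DLL is gone. Deleting the whole catalog
            # (as the first fix script did) breaks networking; reset it instead.
            hits.append(("Winsock catalog entry with missing file", o10.group("entry")))
    return hits


# Lines copied verbatim from the OTL log posted above.
OTL_SAMPLE = [
    r"O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found",
    r"[2011/12/14 21:58:09 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe",
    r"[2011/12/13 20:28:23 | 000,000,000 | --SD | C] -- C:\ComboFix",
    r"[2011/12/09 18:47:45 | 000,079,872 | ---- | M] () -- C:\WINDOWS\System32\gbreeJ.com",
    r"[2011/12/02 13:27:31 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe",
    r"[2011/11/23 08:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys",
    r"[2011/12/14 22:00:57 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat",
]

if __name__ == "__main__":
    for reason, what in triage(OTL_SAMPLE):
        print(f"{reason}: {what}")
```

The heuristic narrows the list; it does not decide. lsdelete.exe is flagged too, yet the helper left it and its O34 BootExecute line alone, so each hit is a prompt to check the file against the rest of the log, not a verdict.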
Cecilia - Thanks for your help. I know the website leadstoloans.com; I used it many years ago for work. I have completed the steps and guess what....the computer is back offline, stating "limited or no connectivity". Should I restore to the point I established before running the OTL fix? In any case, here are the logs that I transferred to another computer to post. Thanks!
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\objects\ deleted successfully.
Starting removal of ActiveX control {6A344D34-5231-452A-8A57-D064AC9B7862}
C:\WINDOWS\Downloaded Program Files\symdlmgr.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6A344D34-5231-452A-8A57-D064AC9B7862}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A344D34-5231-452A-8A57-D064AC9B7862}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A344D34-5231-452A-8A57-D064AC9B7862}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A344D34-5231-452A-8A57-D064AC9B7862}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
C:\Documents and Settings\Richard\Local Settings\Application Data\ptw.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe_ moved successfully.
C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe moved successfully.
C:\WINDOWS\system32\gbreeJ.com.b moved successfully.
C:\Documents and Settings\All Users\Application Data\2oDh5GCX.exe.b moved successfully.
C:\WINDOWS\system32\gbreeJ.com_ moved successfully.
C:\Documents and Settings\All Users\Application Data\1L4652v.dat moved successfully.
C:\Documents and Settings\Richard\Local Settings\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o moved successfully.
C:\Documents and Settings\All Users\Application Data\ywrueq5u4qhe1dyx0coe5q142c6o moved successfully.
========== REGISTRY ==========
========== FILES ==========
c:\windows\$NtUninstallKB45303$\390768573\U folder moved successfully.
c:\windows\$NtUninstallKB45303$\390768573\L folder moved successfully.
c:\windows\$NtUninstallKB45303$\390768573 folder moved successfully.
c:\windows\$NtUninstallKB45303$ folder moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)
[EMPTYTEMP]
You are welcome :)
There must be a bad file that has "hijacked" your internet connection. I missed one file in the script, so before doing the system restore see if it helps to delete that one. The script will be very short this time, so I think you can write it directly into the text field of OTL.
Close all programs including antivirus programs and other similar programs. Otherwise they might stop OTL.
How? See http://www.bleepingcomputer.com/forums/topic114351.html
Start the program OTL.
Write the following lines in the box:
[code]
:Files
C:\WINDOWS\System32\gbreeJ.com
[/code]
Paste them into the field Custom Scans/Fixes.
Click on Run Fix.
Restart the computer and check the internet connection.
Nope....internet still down after using the new script. :(
Let us try some common fixes for internet connection issues before the system restore. Restart and test the internet connection after each step, and if it works you can stop there.
1. See if Winsock Fix can do some repair:
http://majorgeeks.com/WinSock_XP_Fix_d4372.html
The link is under the header DOWNLOAD LOCATIONS.
2. Start 'Command Prompt' (Start - All programs - Accessories) and enter the following commands:
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
3. Start 'Command Prompt' and enter:
ipconfig /all
Copy the content and paste into Notepad. Save the file and transfer it to the other computer so you can paste it here.
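The connectivity loss in this thread followed the first fix script deleting every Winsock Protocol_Catalog9 entry, when the OTL log had only reported entry 000000000001 as "File not found". Before wiping or resetting the catalog, it is worth seeing which entry is actually broken. The script below is an added example, not a tool used in the thread: it parses the text that `netsh winsock show catalog` prints and reports entries whose Provider Path does not exist. The sample output is constructed for the example, the "Label: value" layout and the "Winsock ... Provider Entry" headers are assumed from netsh's output format, and the missing LSP DLL name is hypothetical.

```python
"""Find Winsock catalog entries whose provider DLL is missing.

Added example for this thread. Feed it the output of
    netsh winsock show catalog > winsock.txt
captured on the affected machine; it can be run on another box because
the file-existence check is injectable.
"""
import os
import re

# netsh prints each field as "Label:   value" (layout assumed for this example).
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>.+?)\s*$")


def parse_catalog(text):
    """Split `netsh winsock show catalog` output into a list of entry dicts."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock ") and line.endswith("Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD.match(line)
        if current is not None and m:
            current[m.group("key")] = m.group("value")
    return entries


def broken_entries(entries, exists=os.path.exists):
    """Return entries whose Provider Path is missing on disk.

    `exists` is injectable so a captured catalog can be checked off-box.
    %SystemRoot% and similar are expanded only when running on Windows.
    """
    bad = []
    for entry in entries:
        path = os.path.expandvars(entry.get("Provider Path", ""))
        if path and not exists(path):
            bad.append(entry)
    return bad


# Constructed sample; the second entry's DLL path is hypothetical.
CATALOG_SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Hypothetical LSP (constructed)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\WINDOWS\system32\example_lsp.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              2
"""


def demo():
    """Run the check on the sample with a fake file system (only mswsock.dll exists)."""
    entries = parse_catalog(CATALOG_SAMPLE)
    bad = broken_entries(entries, exists=lambda p: p.lower().endswith("mswsock.dll"))
    return [e["Description"] for e in bad]


if __name__ == "__main__":
    for description in demo():
        print("broken Winsock entry:", description)
```

A single broken layered entry is the case where `netsh winsock reset` (or the WinSock Fix tool from the post above) rebuilds a working catalog; deleting the base provider entries along with it is what leaves the machine at "limited or no connectivity".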
Good news....Winsock Fix appears to have fixed the connectivity issue. I'll wait for your next instructions. Thanks so much!
Cecilia - I uninstalled and reinstalled ComboFix. Here is the log from the scan....
ComboFix 11-12-17.05 - Richard 12/18/2011 8:24.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.797 [GMT -5:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Richard\Application Data\vso_ts_preview.xml
c:\windows\dasetup.log
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-12-18 00:09 . 2011-12-18 00:09 -------- dc----w- C:\ERDNT
2011-12-17 13:24 . 2011-12-17 13:24 -------- dc----w- C:\_OTL
2011-12-14 23:51 . 2011-12-14 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-10 18:52 . 2011-12-10 19:03 -------- d-----w- c:\documents and settings\Administrator
2011-12-10 00:15 . 2011-12-10 00:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-09 22:36 . 2011-12-10 00:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb
2011-12-01 12:26 . 2011-12-02 18:27 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-01 04:00 . 2011-12-01 04:00 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\adaware
2011-12-01 04:00 . 2011-12-18 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2011-12-01 04:00 . 2011-12-01 04:00 -------- d-----w- c:\program files\Toolbar Cleaner
2011-12-01 04:00 . 2011-12-13 01:10 -------- d-----w- c:\documents and settings\Richard\Application Data\adawaretb
2011-12-01 04:00 . 2011-12-01 04:00 -------- d-----w- c:\program files\adawaretb
2011-11-29 01:48 . 2011-11-29 01:48 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2001-08-18 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-01-08 19:23 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 17:06 . 2011-05-20 17:19 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-01 16:07 . 2006-10-02 20:03 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2001-08-18 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2001-08-18 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-19 12:46 . 2011-05-21 12:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 11:13 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2006-07-12 20:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-09-23 19:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-18 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-18 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Richard\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Richard\\Desktop\\utorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:*:Disabled:Adobe Version Cue CS4 Server
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"3306:TCP"= 3306:TCP:MySQL
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/20/2011 12:19 PM 64512]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/27/2006 12:00 AM 34880]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2/20/2006 1:01 AM 29056]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416]
R3 AGR1310_51;Agere Systems ET-131x PCI-E Gigabit Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [12/14/2009 6:26 PM 70144]
R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/25/2006 7:16 PM 47360]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635]
S2 dev5_ap1;dev5_ap1;c:\phpdev5\Apache\Apache.exe [8/23/2010 1:50 PM 20480]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 Ktp3;Elantech TouchPad;c:\windows\system32\drivers\Ktp3.sys [4/20/2005 4:47 PM 24704]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/1/2010 9:37 AM 14424]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} - hxxp://www.leadstoloans.com/activex/fafile.dll
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} - hxxp://www.leadstoloans.com/activex/faprint.dll
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} - hxxp://www.leadstoloans.com/activex/fagrid.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q=
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Azureus Vuze - c:\program files\Azureus\uninstall.exe
AddRemove-D3EF3AED75646A3F17097FE6095D2DA7936A766A - c:\progra~1\DIFX\DPInst.exe
AddRemove-MeridianLink Site Security Certificate - c:\progra~1\SITECH~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-18 08:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"c:\\docume~1\\richard\\locals~1\\temp\\wzse0.tmp\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-12-18 08:40:59
ComboFix-quarantined-files.txt 2011-12-18 13:40
.
Pre-Run: 8,044,933,120 bytes free
Post-Run: 8,030,658,560 bytes free
.
- - End Of File - - F97010F38219BC8B4312B6BE25B0CCFB
You are welcome :)
Good, please delete your current ComboFix, download a new ComboFix and run it according to the instructions.
Cecilia...the computer seems to be working fine. Thanks so much. Is there anything left to do?
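The Security Center and firewall entries in the log above (AntiVirusOverride, FirewallOverride, DisableMonitoring, EnableFirewall = 0) mean that XP's own protection warnings and firewall were switched off on this machine. As an added example, not part of the thread or of ComboFix, the following script scans the "Reg Loading Points" block of a ComboFix log for exactly those settings; the sample input is a constructed excerpt in the same format as the posted log.

```python
"""Flag disabled Security Center / Windows Firewall settings in a ComboFix log.
Added example, not part of the thread above or of ComboFix itself: it reads the
REGEDIT4-style "Reg Loading Points" block and reports values that turn off
Security Center alerts or the XP firewall."""
import re

# Constructed sample: an excerpt in the same shape as the log posted above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"""

# Value name (lower-cased) -> the setting that means the protection is off.
WEAK_SETTINGS = {
    "antivirusoverride": 1,
    "firewalloverride": 1,
    "disablemonitoring": 1,
    "disablenotifications": 1,
    "enablefirewall": 0,
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# Accepts both the 'dword:00000001' and the '= 0 (0x0)' forms ComboFix prints.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')


def find_weakened_settings(log_text):
    """Return (registry key, value name, numeric value) for each flagged entry."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = VALUE_RE.match(line)
        if not val_match or current_key is None:
            continue
        name, hex_val, dec_val = val_match.groups()
        value = int(hex_val, 16) if hex_val is not None else int(dec_val)
        if WEAK_SETTINGS.get(name.lower()) == value:
            findings.append((current_key, name, value))
    return findings
```

Run `find_weakened_settings(open("ComboFix.txt").read())` on a real log; each tuple names the key, the value and the number found, so a helper can see at a glance which protections the fix must restore.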
Does the computer behave normally now?
In that case it is time for the final stuff.