ken2010

MalwareBytes (And Others) Won't Run

26 posts in this topic

Hi -

I am losing the battle here against the Malware on this Windows XP System. It seems like the main Malware on this system is Antivirus Pro 2010 or Advanced Virus Remover but there has got to be more based on how aggressive this is.

I am currently unable to run MalwareBytes/Spybot/Combofix/HijackThis etc. I have tried all of the tricks that I know such as renaming the .exe etc.

When I am finally able to get MalwareBytes to start running (after a reinstall) it closes within a few seconds and it seems to be deleted, as you can't run it a second time. The same behavior exactly with Spybot, etc.

Even in Safe Mode logged in as administrator I get the same behaviour with the programs closing etc ...

Running RKILL has not helped.

Can anyone help me step through this ??

Thanks in Advance !


Hello and :)

  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instruction into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interacting with me until your computer is clean.

Please! If you need more time to do all the instructions, let me know before 72 hours is done. Otherwise, your thread will be closed.

First,

exeHelper by raktor

Please download from HERE and save to the desktop.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,

Malwarebytes' Anti-Malware - Run

  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    mbam1.png
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.

Note:

  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

Next,

Checklist.

Please post.

  • Content of exehelperlog.txt
  • Content of MBAM log


Thank You For Your Assistance -

Here are the contents of the exehelperlog.txt

exeHelper by Raktor

Build 20100329

Run at 14:45:10 on 04/08/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Deleting file C:\WINDOWS\system32\~.exe

Deleting file C:\WINDOWS\system32\41.exe

Deleting file C:\WINDOWS\system32\critical_warning.html

Deleting file C:\WINDOWS\system32\winupdate.exe

Deleting file C:\WINDOWS\system32\winhelper.dll

Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe

Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg

Deleting file C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Checking for bad registry entries...

Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010

Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

We are unable to run MalwareBytes here is what happens -

1. Program is launched and Scan selected

2. After a few Seconds program is automatically closed

3. Program will not run again unless re-installed

Additional Notes -

We have even tried renaming the .exe - This did not help

Spybot behaves the same way when attempted

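The exeHelper log above shows how the rogue AV kept the security tools from running: it reset the .exe and .com file-type associations, the Winlogon Userinit and Shell values, and two Run-key entries; the ComboFix log later in the thread also shows Security Center's AntiVirusOverride set to 1. The script below is an added example and is not part of this thread or of exeHelper, ComboFix or Malwarebytes. It parses a REGEDIT4-format export of those keys (the same format ComboFix uses in its "Reg Loading Points" section), reports values that differ from the Windows XP defaults, flags autostart entries in the kinds of locations where the droppers on this machine were found, and notes the suppressed Security Center alert. The defaults, the path heuristics and the sample export are assumptions constructed for the example; the placeholder path in the hijacked handler is not a real malware name.

```python
import re

# Windows XP defaults for the values exeHelper resets. These are assumed
# defaults for this example; confirm them against a clean machine of the same
# service pack before treating a difference as a hijack.
EXPECTED_DEFAULTS = {
    (r"hkey_classes_root\exefile\shell\open\command", "@"): '"%1" %*',
    (r"hkey_classes_root\comfile\shell\open\command", "@"): '"%1" %*',
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "userinit"):
        r"c:\windows\system32\userinit.exe,",
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "shell"):
        "explorer.exe",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_IMAGE_RE = re.compile(r'\s*"([^"]+)"|\s*(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)',
                       re.IGNORECASE)


def _unescape(s):
    # REGEDIT4 escapes backslashes and quotes inside string data with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_regedit4(text):
    """Return {key: {value_name: data}} with keys and names lower-cased.
    '@' is the default value. Only string and dword data are decoded."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        result[current][name] = value
    return result


def _image_path(command):
    # First quoted token, or the unquoted path up to a known executable extension
    m = _IMAGE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def _looks_suspicious(path):
    """Heuristics (assumptions for this example) drawn from where the droppers
    on the machine above were found: numeric file names, files in the drive
    root, and executables under a user's profile data folders."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if name.rsplit(".", 1)[0].isdigit():
        return "numeric file name"
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "executable in drive root"
    for marker in ("\\application data\\", "\\local settings\\temp\\",
                   "\\temporary internet files\\", "\\cookies\\"):
        if marker in p:
            return "executable under user profile data folder"
    return None


def audit(text):
    """Return a list of (finding, location, detail) tuples for a REGEDIT4 export."""
    reg = parse_regedit4(text)
    findings = []
    for (key, name), expected in EXPECTED_DEFAULTS.items():
        actual = reg.get(key, {}).get(name)
        if actual is not None and str(actual).lower() != expected:
            findings.append(("hijacked value", key + "\\" + name, actual))
    for key, values in reg.items():
        if key.endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                reason = _looks_suspicious(_image_path(str(cmd)))
                if reason:
                    findings.append(("suspicious autostart", key + "\\" + name, reason))
    # AntiVirusOverride=1 silences Security Center's "no antivirus" warning
    sc = reg.get(r"hkey_local_machine\software\microsoft\security center", {})
    if sc.get("antivirusoverride") == 1:
        findings.append(("security center alerts suppressed", "antivirusoverride", "1"))
    return findings


# Constructed sample export (not taken from a real machine): a hijacked exefile
# handler pointing at a placeholder path, plus Run entries of the kinds seen above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\placeholder_rogue.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\\windows\\system32\\NeroCheck.exe"
"winupdate.exe"="c:\\windows\\system32\\winupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcst"="c:\\documents and settings\\Angel\\Application Data\\svcst.exe"
"41"="c:\\windows\\system32\\41.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
'''
```

Running `audit(SAMPLE_EXPORT)` reports the hijacked exefile handler, the two autostart entries under the user's profile and with a numeric name, and the suppressed Security Center alert. The `winupdate.exe` entry in system32 is deliberately not caught: a plausible file name in a system directory defeats path heuristics, which is why the file-association and Winlogon comparison against known defaults is the decisive check, and why a name-based triage list is only a starting point.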

Hi, :D

Ok, no worries,

Try this one.

First

ExeFix.

Please download from HERE and save to the desktop.

  • Double-click the file to run it.
  • Click No when prompted to visit the webpage.

Next,

ComboFix

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)

Save as Combo-Fix.com << Please have a look at the file name. You have to change it.

Link 1

Link 2

**IMPORTANT !!! Save Combo-Fix.com to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.com & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Query_RC.gif

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Next,

Checklist.

Please post.

  • Content of ComboFix.txt


Hi -

I won't have this system available to me until Monday April 12th. I plan on running the ComboFix then. Please leave this thread open and I will work this all the way through with you next week.

Thanks,

Ken

Ok, noted :)

Hi - Here is the latest Update

- I have run the exefix as you requested

- I have run the combofix

- I am not currently connecting the infected laptop to the network so I was not able to install recovery console. Let me know if there is an offline way to install this and I will do that.

- Right now I am downloading the fixes from a good computer to a USB Key and moving them to the infected system

Here are the Results from the ComboFix log -

ComboFix 10-04-11.01 - Angel 04/12/2010 9:21.1.1 - x86

Running from: c:\documents and settings\Angel\Desktop\Combo-Fix.com

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\afuqr.exe

C:\aIx30.tmp

C:\avjelge.exe

c:\documents and settings\All Users\Application Data\ipesovyr.reg

c:\documents and settings\All Users\Documents\lecurif._sy

c:\documents and settings\Angel\Application Data\gawezetuzu.exe

c:\documents and settings\Angel\Application Data\iniasd.txt

c:\documents and settings\Angel\Application Data\lizkavd.exe

c:\documents and settings\Angel\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk

c:\documents and settings\Angel\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk

c:\documents and settings\Angel\Application Data\seres.exe

c:\documents and settings\Angel\Application Data\svcst.exe

c:\documents and settings\Angel\Cookies\azysub.pif

c:\documents and settings\Angel\Cookies\ebycyqy.com

c:\documents and settings\Angel\Cookies\ebype.com

c:\documents and settings\Angel\Cookies\efopoxo._sy

c:\documents and settings\Angel\Cookies\givydora.exe

c:\documents and settings\Angel\Cookies\pawideqo.vbs

c:\documents and settings\Angel\Cookies\uzezifaz.com

c:\documents and settings\Angel\Cookies\vynekihy.inf

c:\documents and settings\Angel\Cookies\xugujumel.sys

c:\documents and settings\Angel\Cookies\yvik.com

c:\documents and settings\Angel\Desktop\AntivirusPro_2010.lnk

c:\documents and settings\Angel\Local Settings\Application Data\anulocup.bin

c:\documents and settings\Angel\Local Settings\Application Data\fifyzoqehy.reg

c:\documents and settings\Angel\Local Settings\Application Data\hufixaf.inf

c:\documents and settings\Angel\Local Settings\Application Data\kojacop.inf

c:\documents and settings\Angel\Local Settings\Temporary Internet Files\asima.dat

c:\documents and settings\Angel\Local Settings\Temporary Internet Files\syfucyku.exe

c:\documents and settings\Angel\Local Settings\Temporary Internet Files\ubavequvec.com

c:\documents and settings\Angel\Start Menu\Advanced Virus Remover.lnk

c:\documents and settings\Angel\Start Menu\Programs\AntivirusPro_2010

c:\documents and settings\Angel\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk

c:\documents and settings\Angel\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk

C:\ekffax.exe

C:\hrngen.exe

c:\program files\AdvancedVirusRemover

c:\program files\AntivirusPro_2010

c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg

c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe

c:\program files\Common Files\tilamilivi.dll

C:\qgferewy.exe

C:\qtpjjuur.exe

C:\vklebc.exe

c:\windows\desktop

c:\windows\Downloaded Program Files\poPCaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\elificabid.scr

c:\windows\fomo.dll

c:\windows\himosuxu.reg

c:\windows\sosaw.sys

c:\windows\system32\_scui.cpl

c:\windows\system32\10672.exe

c:\windows\system32\10937.exe

c:\windows\system32\11460.exe

c:\windows\system32\1174.exe

c:\windows\system32\11765.exe

c:\windows\system32\13481.exe

c:\windows\system32\13829.exe

c:\windows\system32\14163.exe

c:\windows\system32\15173.exe

c:\windows\system32\16158.exe

c:\windows\system32\17085.exe

c:\windows\system32\17192.exe

c:\windows\system32\17367.exe

c:\windows\system32\19642.exe

c:\windows\system32\19942.exe

c:\windows\system32\21698.exe

c:\windows\system32\24590.exe

c:\windows\system32\25540.exe

c:\windows\system32\28194.exe

c:\windows\system32\28557.exe

c:\windows\system32\31960.exe

c:\windows\system32\3321.exe

c:\windows\system32\4030.exe

c:\windows\system32\4361.exe

c:\windows\system32\4396.exe

c:\windows\system32\4582.exe

c:\windows\system32\4796.exe

c:\windows\system32\5801.exe

c:\windows\system32\6022.exe

c:\windows\system32\664.exe

c:\windows\system32\6751.exe

c:\windows\system32\6991.exe

c:\windows\system32\9353.exe

c:\windows\system32\drivers\gasfkygrkltpun.sys

c:\windows\system32\ehilahit._dl

c:\windows\system32\gasfkyaxijnamt.dat

c:\windows\system32\gasfkybodsxwko.dll

c:\windows\system32\gasfkygtxhuabx.dll

c:\windows\system32\gasfkykipxudev.dat

c:\windows\system32\gasfkynembgqxt.dll

c:\windows\system32\gasfkyypjbogfi.dll

c:\windows\system32\kelarozo.dll

c:\windows\system32\raromozo.dll

c:\windows\system32\wbem\proquota.exe

c:\windows\uwob.exe

c:\windows\ypuly._dl

c:\windows\zaribi.dl

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_gasfkyltoboulq

-------\Legacy_gasfkyltoboulq

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))

.

2010-04-12 13:26 . 2010-04-12 13:26 -------- d-----w- c:\windows\LastGood.Tmp

2010-04-05 17:22 . 2010-04-05 17:22 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001

2010-04-05 16:36 . 2010-04-08 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-05 16:15 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-05 16:15 . 2010-04-05 16:34 -------- d-----w- c:\program files\catch

2010-04-05 16:15 . 2010-04-05 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-05 16:15 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-12 13:37 . 2007-04-06 19:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-04-12 12:04 . 2010-04-12 12:04 15614 ----a-w- c:\program files\Common Files\facymyni.db

2010-04-12 12:01 . 2009-10-01 02:00 0 ----a-r- c:\windows\win32k.sys

2010-04-05 18:21 . 2010-04-05 18:21 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\Application Data\Template

2010-04-05 17:45 . 2010-04-05 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-05 17:44 . 2010-04-05 17:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-05 17:33 . 2010-04-05 17:27 -------- d-----w- c:\program files\catchmal

2010-04-05 17:29 . 2010-04-05 17:29 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\Application Data\Malwarebytes

2009-10-01 02:04 . 2009-10-01 02:04 19642 ----a-w- c:\program files\Common Files\qopenycys.com

2009-10-01 02:04 . 2009-10-01 02:04 11972 ----a-w- c:\program files\Common Files\sylymo.lib

2007-06-21 22:45 . 2007-06-21 22:45 774144 ----a-w- c:\program files\RngInterstitial.dll

2007-04-06 19:46 . 2007-04-06 19:46 32 --sha-w- c:\windows\{3FC0BA97-60FB-4C58-A782-154D472F8B61}.dat

2007-04-06 19:46 . 2007-04-06 19:46 32 --sha-w- c:\windows\system32\{A45C1FC4-4467-418A-8B1B-3ACA19C2EEE8}.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]

"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-05-16 40960]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]

"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-16 323584]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-07 29744]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]

"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

R3 fa120;NETGEAR FA120 Adapter;c:\windows\system32\DRIVERS\fa120.sys [2002-12-23 10496]

R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-07 29744]

.

Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-20 00:31]

2009-07-10 c:\windows\Tasks\Norton Security Scan.job

- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 20:12]

2010-04-12 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-04-06 13:04]

2010-04-12 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-06-05 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-12 09:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3016)

c:\windows\system32\shdoclc.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Norton AntiVirus\navapsvc.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

.

**************************************************************************

.

Completion time: 2010-04-12 09:43:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-12 13:43

Pre-Run: 38,121,021,440 bytes free

Post-Run: 38,694,662,144 bytes free

- - End Of File - - 41C2BC49E62C693259131CEE4A976553

Thank you for your continued assistance -


Hi,

Let's proceed.

First,

ComboFix - Installing recovery console

Is there some reason you did not install the Recovery Console? With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Go to Microsoft's website => http://support.microsoft.com/kb/310994
  • Scroll down to Step 1 (where it says: Step 1: Download the Setup disk program), & select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
    Note: If you have SP3, use the SP2 package.
  • Save the file to the desktop of your computer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    RC1-4.gif
  • Drag the setup package onto ComboFix.exe and drop it
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console
    whatnext.png
  • At the next prompt, click No to exit

Next,

Now, please proceed to connect to the network.

Next,

ExeFix.

Run this tool again.

Please download from HERE and save to the desktop.

  • Double-click the file to run it.
  • Click No when prompt to visit webpage.

Next,

Malwarebytes' Anti-Malware

Please uninstall the previous version after you have downloaded the new version. Proceed to install it and follow the rest of the instructions.

Download Malwarebytes' Anti-Malware here and save to the desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    mbam1.png
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.

Note:

  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

Next,

Checklist.

Please post.

  • Content of MBAM log


Hi -

I am still unable to get the Recovery Console installed. I understand the procedure but it is not working. I drag and drop the package onto ComboFix and ComboFix will launch but I get the error you will see in the doc that I uploaded about ccscript.

I understand how to get to the recovery console manually if needed by booting to an XP CD.

I ran the exefix again as you requested.

I was able to run MalwareBytes for the first time. I was not able to Update it first. Do you have a link where I can download the latest mbam-rules.ref and install it manually? Database Version right now is 3/29/2010. I suppose it may be the latest.

Here are the contents of the MBAM.log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/12/2010 1:06:55 PM
mbam-log-2010-04-12 (13-06-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 183724
Time elapsed: 56 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\aefxixl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\aIx30.tmp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\afuqr.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\avjelge.exe.vir (Trojan.Harnig) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\ekffax.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\hrngen.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\qgferewy.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\qtpjjuur.exe.vir (Trojan.Antavmu) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\vklebc.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Angel\Application Data\lizkavd.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybodsxwko.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkygtxhuabx.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkynembgqxt.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyypjbogfi.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkygrkltpun.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\fasodajo.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

Thanks - I will wait for your next instructions

Doc1.doc
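A small triage helper for logs in the MBAM 1.45 format posted above, added here as an example; it is not part of the thread and not Malwarebytes' own code. It parses the header, the summary counts and the per-section entries, checks that the counts agree with the listed lines (a truncated paste shows up as a mismatch), separates hits inside ComboFix's C:\Qoobox quarantine folder (already-removed copies) from live ones, and lists actions still waiting on a reboot. The sample log is constructed from the format above, and the "Delete on reboot." action string on its last entry is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the MBAM 1.45 log quoted above; a shortened
# stand-in for the poster's log. The "Delete on reboot." action is assumed.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45

Database version: 3930
Windows 5.1.2600 Service Pack 2

Scan type: Full scan (C:\|)
Objects scanned: 183724
Time elapsed: 56 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Files Infected:
C:\aefxixl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkybodsxwko.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<classification>[^()]+)\) -> (?P<action>.+)$")

# ComboFix keeps the copies it removed under this folder; MBAM hits in there are
# leftovers of the earlier cleanup, not active infections.
COMBOFIX_QUARANTINE = "c:\\qoobox\\quarantine\\"

@dataclass
class Detection:
    category: str        # the "... Infected:" section the line came from
    item: str            # file path or registry key/value
    classification: str  # MBAM family name, e.g. Rootkit.TDSS
    action: str          # what MBAM reports it did with the item

def parse_mbam_log(text):
    """Return (header, summary, detections) parsed from an MBAM 1.x text log."""
    header, summary, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                        # "Files Infected: 19" style count line
            summary[m["category"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:                        # "Files Infected:" opens a listing section
            section = m["category"]
            continue
        if section is None:          # key: value header lines before any section
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        if line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["classification"], m["action"]))
    return header, summary, detections

def check_consistency(summary, detections):
    """Summary counts that disagree with the listed entries (e.g. a truncated paste)."""
    listed = {}
    for d in detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return [f"{cat}: summary says {n}, listed {listed.get(cat, 0)}"
            for cat, n in summary.items() if listed.get(cat, 0) != n]

def pending_actions(detections):
    """Entries MBAM could not finish in-session; they depend on the reboot it asks for."""
    return [d for d in detections if not d.action.startswith("Quarantined and deleted")]

def live_detections(detections):
    """Detections outside ComboFix's quarantine folder, i.e. the ones still of concern."""
    return [d for d in detections if not d.item.lower().startswith(COMBOFIX_QUARANTINE)]
```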


Hi,

First,

Discussion.

So far, how is your system?

In the next instruction, please minimize your exposure to websites; just connect to the network.

Next,

RSIT by random/random.

Please download from HERE and save to the desktop.

  • Double-click on RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized

  • Please post the contents of both logs in your next post.

You can find the log manually at C:\rsit

Next,

GMER.

Please download from HERE and save to the desktop.

  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE

Important! Please do not select the "Show all" checkbox during the scan.

Next,

Analyze file(s).

Please visit Jotti.

Click on Browse > copy each link below (one by one) and paste it into the File name box > click Open:

c:\program files\Common Files\facymyni.db

c:\program files\Common Files\qopenycys.com

c:\program files\Common Files\sylymo.lib

c:\windows\{3FC0BA97-60FB-4C58-A782-154D472F8B61}.dat

c:\windows\system32\{A45C1FC4-4467-418A-8B1B-3ACA19C2EEE8}.dat

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.

Example of web address :

58701951.jpg

Next,

Checklist.

Please post.

  • Respond to our discussion
  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt
  • Web links (total = 5)


Hi -

The system is running better. No pop-ups, nothing running in the System Tray. It feels better but still a bit sluggish.

I was unable to run RSIT - I was getting the following error:

AutoIt Error
Line -1
Error: Variable used without being declared

Here are the contents of gmer.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 21:01:17
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\awtyapob.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 7612
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 7613

---- EOF - GMER 1.0.15 ----

***************************************************

I went to the Jotti site and it processed the first three files. The final two "Were Not Found". They did not find anything here -

http://virusscan.jotti.org/en/scanresult/0...dc0c898777a875f

http://virusscan.jotti.org/en/scanresult/9...420c94e5278666d

http://virusscan.jotti.org/en/scanresult/a...3ea0e5190c9213a

I will wait for your next instruction -

Thanks


Hi,

Let's proceed.

First,

ERUNT by Lars Hederer

Download ERUNT and save to the desktop.

  • Double click on erunt-setup.exe to install the program.
  • Follow the prompts > uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • Click No when you are prompted about creating an ERUNT entry in the startup folder.
  • Next screen, uncheck Show documentation and check Launch ERUNT.
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process

Note:

The backups can be restored from here:

C:\windows\ERDNT\<todays date>\ERDNT.exe

Next,

MBAM - clean

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer <-Important.
  • Download from HERE and run the utility.
  • It will ask to restart your computer (please allow it to).

Next,

Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware here and save to the desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    mbam1.png
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

Note:

  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

Next,

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop.
  • Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop.
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply

Next,

Checklist.

Please post.

  • Content of MBAM log
  • Content of tdsskiller.txt


Hi - I was able to complete all of the tasks -

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3985

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/13/2010 10:35:23 PM
mbam-log-2010-04-13 (22-35-23).txt

Scan type: Full scan (C:\|)
Objects scanned: 180966
Time elapsed: 57 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*******************************************

21:46:16:852 1136 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
21:46:16:852 1136 ================================================================================
21:46:16:852 1136 SystemInfo:
21:46:16:852 1136 OS Version: 5.1.2600 ServicePack: 2.0
21:46:16:852 1136 Product type: Workstation
21:46:16:852 1136 ComputerName: ANGEL-BD3F088EE
21:46:16:852 1136 UserName: Angel
21:46:16:852 1136 Windows directory: C:\WINDOWS
21:46:16:852 1136 Processor architecture: Intel x86
21:46:16:852 1136 Number of processors: 1
21:46:16:852 1136 Page size: 0x1000
21:46:16:852 1136 Boot type: Normal boot
21:46:16:852 1136 ================================================================================
21:46:16:862 1136 UnloadDriverW: NtUnloadDriver error 2
21:46:16:862 1136 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
21:46:16:912 1136 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
21:46:16:912 1136 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:46:16:912 1136 wfopen_ex: Trying to KLMD file open
21:46:16:912 1136 wfopen_ex: File opened ok (Flags 2)
21:46:16:912 1136 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
21:46:16:912 1136 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:46:16:912 1136 wfopen_ex: Trying to KLMD file open
21:46:16:912 1136 wfopen_ex: File opened ok (Flags 2)
21:46:16:912 1136 Initialize success
21:46:16:912 1136
21:46:16:912 1136 Scanning Services ...
21:46:17:623 1136 Raw services enum returned 326 services
21:46:17:643 1136
21:46:17:643 1136 Scanning Kernel memory ...
21:46:17:643 1136 Devices to scan: 2
21:46:17:643 1136
21:46:17:643 1136 Driver Name: Disk
21:46:17:643 1136 IRP_MJ_CREATE : F754DC30
21:46:17:643 1136 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
21:46:17:643 1136 IRP_MJ_CLOSE : F754DC30
21:46:17:643 1136 IRP_MJ_READ : F7547D9B
21:46:17:643 1136 IRP_MJ_WRITE : F7547D9B
21:46:17:643 1136 IRP_MJ_QUERY_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_QUERY_EA : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_EA : 804FB8EE
21:46:17:643 1136 IRP_MJ_FLUSH_BUFFERS : F7548366
21:46:17:643 1136 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
21:46:17:643 1136 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
21:46:17:643 1136 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
21:46:17:643 1136 IRP_MJ_DEVICE_CONTROL : F754844D
21:46:17:643 1136 IRP_MJ_INTERNAL_DEVICE_CONTROL : F754BFC3
21:46:17:643 1136 IRP_MJ_SHUTDOWN : F7548366
21:46:17:643 1136 IRP_MJ_LOCK_CONTROL : 804FB8EE
21:46:17:643 1136 IRP_MJ_CLEANUP : 804FB8EE
21:46:17:643 1136 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
21:46:17:643 1136 IRP_MJ_QUERY_SECURITY : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_SECURITY : 804FB8EE
21:46:17:643 1136 IRP_MJ_POWER : F7549EF3
21:46:17:643 1136 IRP_MJ_SYSTEM_CONTROL : F754EA24
21:46:17:643 1136 IRP_MJ_DEVICE_CHANGE : 804FB8EE
21:46:17:643 1136 IRP_MJ_QUERY_QUOTA : 804FB8EE
21:46:17:643 1136 IRP_MJ_SET_QUOTA : 804FB8EE
21:46:17:663 1136 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:46:17:663 1136
21:46:17:663 1136 Driver Name: atapi
21:46:17:663 1136 IRP_MJ_CREATE : F7416572
21:46:17:663 1136 IRP_MJ_CREATE_NAMED_PIPE : 804FB8EE
21:46:17:663 1136 IRP_MJ_CLOSE : F7416572
21:46:17:663 1136 IRP_MJ_READ : 804FB8EE
21:46:17:663 1136 IRP_MJ_WRITE : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_EA : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_EA : 804FB8EE
21:46:17:663 1136 IRP_MJ_FLUSH_BUFFERS : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_VOLUME_INFORMATION : 804FB8EE
21:46:17:663 1136 IRP_MJ_DIRECTORY_CONTROL : 804FB8EE
21:46:17:663 1136 IRP_MJ_FILE_SYSTEM_CONTROL : 804FB8EE
21:46:17:663 1136 IRP_MJ_DEVICE_CONTROL : F7416592
21:46:17:663 1136 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74127B4
21:46:17:663 1136 IRP_MJ_SHUTDOWN : 804FB8EE
21:46:17:663 1136 IRP_MJ_LOCK_CONTROL : 804FB8EE
21:46:17:663 1136 IRP_MJ_CLEANUP : 804FB8EE
21:46:17:663 1136 IRP_MJ_CREATE_MAILSLOT : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_SECURITY : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_SECURITY : 804FB8EE
21:46:17:663 1136 IRP_MJ_POWER : F74165BC
21:46:17:663 1136 IRP_MJ_SYSTEM_CONTROL : F741D164
21:46:17:663 1136 IRP_MJ_DEVICE_CHANGE : 804FB8EE
21:46:17:663 1136 IRP_MJ_QUERY_QUOTA : 804FB8EE
21:46:17:663 1136 IRP_MJ_SET_QUOTA : 804FB8EE
21:46:17:683 1136 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
21:46:17:683 1136
21:46:17:683 1136 Completed
21:46:17:683 1136
21:46:17:683 1136 Results:
21:46:17:683 1136 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
21:46:17:683 1136 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
21:46:17:683 1136 File objects infected / cured / cured on reboot: 0 / 0 / 0
21:46:17:683 1136
21:46:17:683 1136 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
21:46:17:683 1136 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
21:46:17:693 1136 KLMD(ARK) unloaded successfully


Hi,

Try this.

First,

DDS by sUBs.

Please download from HERE and save to the desktop.

Note : Please disable any anti-malware program that will block scripts from running before running DDS.

dds_scr.gif

  • Double-Click on dds.scr to run it and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • Follow the instructions that appear on how to post the logs.
    Note : Please save the logs on your desktop.

Next,

Checklist.

Please post.

  • Content of DDS.txt and Attach.txt


Hi Again -

Here are the contents of the DDS.txt. I am attaching the attach.txt via a zip file as requested.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Angel at 14:53:53.47 on Fri 04/16/2010
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NCLaunch] c:\windows\NCLAUNCH.EXe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\angel\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175878324527
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-04-13 22:53:59 0 d-----w- C:\GMER
2010-04-12 15:39:50 0 d-----w- c:\docume~1\angel\applic~1\Malwarebytes
2010-04-12 13:58:09 0 d-----w- c:\windows\system32\appmgmt
2010-04-12 13:11:37 98816 ----a-w- c:\windows\sed.exe
2010-04-12 13:11:37 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 13:11:37 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 13:11:37 161792 ----a-w- c:\windows\SWREG.exe
2010-04-05 17:44:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-05 17:44:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-05 17:27:37 0 d-----w- c:\program files\catchmal
2010-04-05 16:36:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 16:15:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-05 16:15:49 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-05 16:15:49 0 d-----w- c:\program files\catch
2010-04-05 16:15:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-04-12 12:04:22 15614 ----a-w- c:\program files\common files\facymyni.db
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 13:19:55 2181376 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-10-01 02:04:55 19642 ----a-w- c:\program files\common files\qopenycys.com
2009-10-01 02:04:55 11972 ----a-w- c:\program files\common files\sylymo.lib
2007-06-21 22:45:31 774144 ----a-w- c:\program files\RngInterstitial.dll

============= FINISH: 14:54:47.19 ===============

Attach.zip.zip


Hi,

Let's proceed.

First,

Uninstall Combofix

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
    CF-Uninstall.png

Next,

ComboFix

Please have a look properly. I'm asking you to save it with an .exe extension. Previously we dealt with the .com extension. Please connect to the network, as we will be installing the Recovery Console.

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)

Save as Combo-Fix.exe <<Please have a look at the file name. You have to change it.

Link 1

Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Query_RC.gif

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Next,

OTL by Old Timer

Please download from HERE and save to the Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Next,

Checklist.

Please post.

  • Content of ComboFix.txt
  • Content of OTListIt.txt and Extra.txt
  • Please post if you still have any visible problem


Hello :),

Reminder.

It's been 48 hours since my last reply.

Please let me know if you have any problems understanding my instructions or if you need extra time.

In order to maintain our policy, you have the next 24 hours to reply to this topic; otherwise it will be closed as inactive.

Regards,

xixo_12


Hi - I need some extra time. I will respond this evening with the results.


Ok noted! :)


No Visible Problems at this point -

Combo-fix log ----

ComboFix 10-04-18.04 - Angel 04/19/2010 21:40:49.2.1 - x86

Running from: c:\documents and settings\Angel\Desktop\Combo-Fix.exe

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Angel\System

c:\documents and settings\Angel\System\win_qs8.jqx

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))

.

2010-04-20 01:48 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2010-04-20 01:48 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-04-20 00:45 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-04-20 00:45 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-04-20 00:45 . 2010-04-20 00:45 -------- d-----w- c:\windows\LastGood

2010-04-17 00:03 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-04-17 00:00 . 2010-04-17 00:00 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-04-16 23:50 . 2010-04-16 23:50 -------- d-----w- c:\program files\Common Files\Java

2010-04-16 23:48 . 2010-04-16 23:48 503808 ----a-w- c:\documents and settings\Angel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49b0d19c-n\msvcp71.dll

2010-04-16 23:48 . 2010-04-16 23:48 499712 ----a-w- c:\documents and settings\Angel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49b0d19c-n\jmc.dll

2010-04-16 23:48 . 2010-04-16 23:48 348160 ----a-w- c:\documents and settings\Angel\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-49b0d19c-n\msvcr71.dll

2010-04-16 23:48 . 2010-04-16 23:48 61440 ----a-w- c:\documents and settings\Angel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60e97c96-n\decora-sse.dll

2010-04-16 23:48 . 2010-04-16 23:48 12800 ----a-w- c:\documents and settings\Angel\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60e97c96-n\decora-d3d.dll

2010-04-16 23:47 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-16 22:15 . 2010-04-16 22:15 -------- d--h--w- c:\windows\PIF

2010-04-16 22:07 . 2010-04-16 22:07 -------- d-sh--w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\IETldCache

2010-04-16 22:01 . 2010-04-16 22:01 -------- d-sh--w- c:\documents and settings\Angel\IECompatCache

2010-04-16 22:00 . 2010-04-16 22:00 10043336 ----a-w- C:\tac.exe

2010-04-16 21:07 . 2010-04-16 21:09 -------- d-----w- c:\program files\Spybot - Search & Destroy-new

2010-04-16 20:28 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2010-04-16 20:28 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2010-04-16 20:28 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2010-04-16 20:27 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2010-04-16 20:27 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-04-16 20:27 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2010-04-16 20:27 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2010-04-16 20:27 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2010-04-16 20:03 . 2010-04-16 20:03 -------- d-sh--w- c:\documents and settings\Angel\PrivacIE

2010-04-16 20:01 . 2010-04-16 20:01 -------- d-sh--w- c:\documents and settings\Angel\IETldCache

2010-04-16 19:58 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-04-16 19:58 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-04-16 19:58 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-04-16 19:58 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-04-16 19:58 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-04-16 19:58 . 2010-02-25 15:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-04-16 19:58 . 2010-04-16 19:58 -------- d-----w- c:\windows\ie8updates

2010-04-16 19:56 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-04-16 19:54 . 2010-04-16 19:55 -------- dc-h--w- c:\windows\ie8

2010-04-16 19:50 . 2006-02-28 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-04-16 19:29 . 2010-04-16 19:29 -------- d-----w- c:\windows\system32\scripting

2010-04-16 19:29 . 2010-04-16 19:29 -------- d-----w- c:\windows\l2schemas

2010-04-16 19:29 . 2010-04-16 19:29 -------- d-----w- c:\windows\system32\en

2010-04-16 19:29 . 2010-04-16 19:29 -------- d-----w- c:\windows\system32\bits

2010-04-16 18:49 . 2010-04-16 18:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

2010-04-15 01:51 . 2010-04-15 01:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-04-13 23:02 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-04-13 22:53 . 2010-04-13 22:54 -------- d-----w- C:\GMER

2010-04-13 22:52 . 2010-04-13 22:52 -------- d-----w- C:\rsit

2010-04-12 15:39 . 2010-04-12 15:39 -------- d-----w- c:\documents and settings\Angel\Application Data\Malwarebytes

2010-04-05 18:21 . 2010-04-05 18:21 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\Application Data\Template

2010-04-05 17:44 . 2010-04-16 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-05 17:44 . 2010-04-16 21:05 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-05 17:29 . 2010-04-05 17:29 -------- d-----w- c:\documents and settings\Administrator.ANGEL-BD3F088EE.001\Application Data\Malwarebytes

2010-04-05 17:27 . 2010-04-05 17:33 -------- d-----w- c:\program files\catchmal

2010-04-05 16:36 . 2010-04-12 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-05 16:15 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-05 16:15 . 2010-04-05 16:34 -------- d-----w- c:\program files\catch

2010-04-05 16:15 . 2010-04-05 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-05 16:15 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-17 00:00 . 2007-04-06 16:30 53352 ----a-w- c:\documents and settings\Angel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-16 23:46 . 2009-08-19 03:38 -------- d-----w- c:\program files\Java

2010-04-16 19:32 . 2007-04-06 16:19 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-04-16 19:04 . 2007-04-07 20:07 -------- d-----w- c:\program files\Google

2010-04-12 20:28 . 2007-04-06 19:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-04-12 20:23 . 2009-07-28 23:51 -------- d-----w- c:\program files\Yahoo!

2010-04-12 18:42 . 2007-04-12 01:18 -------- d-----w- c:\program files\Absolute Poker

2010-04-12 17:45 . 2007-04-07 20:26 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-12 13:58 . 2007-11-15 03:48 -------- d-----w- c:\program files\Norton Security Scan

2010-04-12 13:54 . 2007-04-06 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-04-12 13:54 . 2007-04-06 19:45 -------- d-----w- c:\program files\Symantec

2010-04-12 13:52 . 2007-06-12 04:14 -------- d-----w- c:\program files\Full Tilt Poker.Net

2010-04-12 13:52 . 2007-04-06 17:12 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-12 12:04 . 2010-04-12 12:04 15614 ----a-w- c:\program files\Common Files\facymyni.db

2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-17 13:10 . 2006-02-28 12:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2009-10-01 02:04 . 2009-10-01 02:04 19642 ----a-w- c:\program files\Common Files\qopenycys.com

2009-10-01 02:04 . 2009-10-01 02:04 11972 ----a-w- c:\program files\Common Files\sylymo.lib

2007-06-21 22:45 . 2007-06-21 22:45 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2007-05-16 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-16 323584]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ylmdg;ylmdg;c:\windows\System32\drivers\kktfqail.sys [x]

R3 fa120;NETGEAR FA120 Adapter;c:\windows\system32\DRIVERS\fa120.sys [2002-12-23 10496]

.

Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-19 21:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-04-19 21:53:40

ComboFix-quarantined-files.txt 2010-04-20 01:53

Pre-Run: 38,871,785,472 bytes free

Post-Run: 38,964,965,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6446B15FEEB000F24A06A48314DF4A53

----------

otl.txt

-------------

OTL logfile created on: 4/19/2010 9:22:48 PM - Run 1

OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Angel\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 196.00 Mb Available Physical Memory | 44.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 60.00% Paging File free

Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55.88 Gb Total Space | 36.28 Gb Free Space | 64.91% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ANGEL-BD3F088EE

Current User Name: Angel

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Angel\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - C:\WINDOWS\NCLAUNCH.EXe (Northcode Inc.)

PRC - C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)

PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Angel\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========

DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)

DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (BrUsbSer) -- C:\WINDOWS\system32\drivers\BrUsbSer.sys (Brother Industries Ltd.)

DRV - (BrSerIf) -- C:\WINDOWS\system32\drivers\BrSerIf.sys (Brother Industries Ltd.)

DRV - (rt2500usb) DWL-G122(rev.<_< -- C:\WINDOWS\system32\drivers\rt2500usb.sys (Ralink Technology Inc.)

DRV - (SunkFilt) -- C:\WINDOWS\system32\drivers\Sunkfilt.sys (Alcor Micro Corp.)

DRV - (SunkFilt39) -- C:\WINDOWS\system32\drivers\Sunkfilt39.sys (Alcor Micro Corp.)

DRV - (TPkd) -- C:\WINDOWS\system32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)

DRV - (aliadwdm) -- C:\WINDOWS\system32\drivers\ac97ali.sys (Acer Laboratories Inc.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (StreamDispatcher) -- C:\WINDOWS\system32\drivers\strmdisp.sys (Conexant Systems, Inc.)

DRV - (HSFHWALI) -- C:\WINDOWS\system32\drivers\HSFHWALI.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)

DRV - (fa120) -- C:\WINDOWS\system32\drivers\fa120.sys (NETGEAR Inc.)

DRV - (caboagp) -- C:\WINDOWS\system32\DRIVERS\atisgkaf.sys (ATI Technologies Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-1960408961-842925246-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2010/04/12 09:35:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.

O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)

O4 - HKU\.DEFAULT..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found

O4 - HKU\.DEFAULT..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found

O4 - HKU\S-1-5-18..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found

O4 - HKU\S-1-5-18..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found

O4 - HKU\S-1-5-21-1960408961-842925246-854245398-1003..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (Northcode Inc.)

O4 - Startup: C:\Documents and Settings\Angel\Start Menu\Programs\Startup\Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1175878324527 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Angel\My Documents\My Pictures\blackchicken.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/04/06 12:20:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/19 21:19:37 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angel\Desktop\OTL.exe

[2010/04/19 21:14:49 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW

[2010/04/19 20:45:06 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll

[2010/04/19 20:45:06 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui

[2010/04/19 20:45:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood

[2010/04/16 20:03:36 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/04/16 20:00:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials

[2010/04/16 19:58:25 | 011,862,896 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Angel\Desktop\mssefullinstall-x86fre-en-us-xp.exe

[2010/04/16 19:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/04/16 19:50:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/04/16 19:47:36 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010/04/16 19:47:36 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/04/16 19:47:36 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/04/16 19:47:36 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/04/16 18:15:56 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2010/04/16 18:13:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution

[2010/04/16 18:01:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Angel\IECompatCache

[2010/04/16 18:00:42 | 010,043,336 | ---- | C] (Microsoft Corporation) -- C:\tac.exe

[2010/04/16 17:07:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy-new

[2010/04/16 16:03:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Angel\PrivacIE

[2010/04/16 16:01:00 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Angel\IETldCache

[2010/04/16 15:58:24 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll

[2010/04/16 15:58:24 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll

[2010/04/16 15:58:23 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll

[2010/04/16 15:58:22 | 011,070,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll

[2010/04/16 15:58:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2010/04/16 15:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google

[2010/04/16 15:56:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM

[2010/04/16 15:54:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010/04/16 15:49:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/04/16 15:49:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch

[2010/04/16 15:29:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting

[2010/04/16 15:29:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas

[2010/04/16 15:29:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en

[2010/04/16 15:29:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits

[2010/04/16 15:21:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic

[2010/04/16 15:13:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$

[2010/04/16 14:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp

[2010/04/16 14:49:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2010/04/14 21:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2010/04/13 19:02:08 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll

[2010/04/13 18:53:59 | 000,000,000 | ---D | C] -- C:\GMER

[2010/04/13 18:52:25 | 000,000,000 | ---D | C] -- C:\rsit

[2010/04/12 11:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angel\Application Data\Malwarebytes

[2010/04/12 11:30:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/04/12 09:58:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt

[2010/04/12 09:11:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/04/12 09:11:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/04/12 09:11:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/04/12 09:10:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/04/12 08:34:36 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/04/05 13:44:31 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2010/04/05 13:44:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2010/04/05 13:27:37 | 000,000,000 | ---D | C] -- C:\Program Files\catchmal

[2010/04/05 12:36:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/04/05 12:15:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/05 12:15:49 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/05 12:15:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/04/05 12:15:49 | 000,000,000 | ---D | C] -- C:\Program Files\catch

[2008/07/01 22:07:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Google

[2008/03/31 22:12:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec

[2008/01/13 15:12:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2008/01/13 14:54:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit

[2007/06/21 18:45:36 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

[2007/04/06 12:26:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2007/04/06 12:20:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/19 21:23:10 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Angel\NTUSER.DAT

[2010/04/19 21:19:49 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angel\Desktop\OTL.exe

[2010/04/19 20:54:47 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/04/19 20:54:47 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/04/19 20:54:47 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/04/19 20:52:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/04/19 20:48:53 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/04/19 20:43:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/04/19 20:43:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/04/16 22:26:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Angel\ntuser.ini

[2010/04/16 22:26:15 | 001,579,860 | -H-- | M] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\IconCache.db

[2010/04/16 21:53:40 | 000,000,383 | ---- | M] () -- C:\WINDOWS\tgpfiles.INI

[2010/04/16 21:53:26 | 000,000,753 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/04/16 20:00:48 | 000,053,352 | ---- | M] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/04/16 20:00:06 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk

[2010/04/16 19:59:12 | 011,862,896 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Angel\Desktop\mssefullinstall-x86fre-en-us-xp.exe

[2010/04/16 19:34:26 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\housecall.guid.cache

[2010/04/16 18:00:47 | 010,043,336 | ---- | M] (Microsoft Corporation) -- C:\tac.exe

[2010/04/16 17:00:55 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Angel\Desktop\Microsoft Office Word 2003.lnk

[2010/04/16 16:33:02 | 000,223,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/04/16 16:31:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/04/16 15:46:27 | 002,064,998 | ---- | M] () -- C:\WINDOWS\iis6.BAK

[2010/04/16 15:21:18 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2010/04/12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/04/12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/04/12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010/04/12 15:19:02 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/04/12 11:58:07 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Angel\Desktop\script.doc

[2010/04/12 09:35:22 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/04/12 09:35:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/04/12 08:04:22 | 000,018,733 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\digyh.lib

[2010/04/12 08:04:22 | 000,015,614 | ---- | M] () -- C:\Program Files\Common Files\facymyni.db

[2010/04/12 08:04:22 | 000,012,627 | ---- | M] () -- C:\Documents and Settings\Angel\Application Data\okynope.db

[2010/04/12 08:04:22 | 000,011,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\upod.db

[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/16 20:05:28 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/04/16 20:00:06 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk

[2010/04/16 19:34:26 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\housecall.guid.cache

[2010/04/12 11:58:04 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Angel\Desktop\script.doc

[2010/04/12 09:11:37 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/04/12 09:11:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/04/12 09:11:37 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/04/12 09:11:37 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/04/12 09:11:37 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/04/12 08:04:22 | 000,018,733 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\digyh.lib

[2010/04/12 08:04:22 | 000,015,614 | ---- | C] () -- C:\Program Files\Common Files\facymyni.db

[2010/04/12 08:04:22 | 000,012,627 | ---- | C] () -- C:\Documents and Settings\Angel\Application Data\okynope.db

[2010/04/12 08:04:22 | 000,011,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\upod.db

[2009/09/30 22:04:55 | 000,019,642 | ---- | C] () -- C:\Program Files\Common Files\qopenycys.com

[2009/09/30 22:04:55 | 000,019,110 | ---- | C] () -- C:\Documents and Settings\Angel\Application Data\xuvitav.inf

[2009/09/30 22:04:55 | 000,017,865 | ---- | C] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\fapube.bin

[2009/09/30 22:04:55 | 000,017,014 | ---- | C] () -- C:\Documents and Settings\Angel\Application Data\gejum.pif

[2009/09/30 22:04:55 | 000,011,972 | ---- | C] () -- C:\Program Files\Common Files\sylymo.lib

[2009/09/30 22:04:55 | 000,010,736 | ---- | C] () -- C:\Documents and Settings\Angel\Application Data\marykasy.dl

[2009/09/30 22:04:55 | 000,010,459 | ---- | C] () -- C:\Documents and Settings\Angel\Application Data\juvusuka._dl

[2008/02/07 10:32:36 | 000,000,029 | ---- | C] () -- C:\WINDOWS\Atw.INI

[2008/01/21 21:20:16 | 000,000,533 | ---- | C] () -- C:\WINDOWS\cbook.INI

[2008/01/21 21:19:38 | 000,000,104 | ---- | C] () -- C:\WINDOWS\process.INI

[2008/01/21 21:18:21 | 000,000,137 | ---- | C] () -- C:\WINDOWS\cvbrws.INI

[2008/01/21 21:18:18 | 000,000,138 | ---- | C] () -- C:\WINDOWS\invbrws.INI

[2008/01/21 21:17:57 | 000,000,100 | ---- | C] () -- C:\WINDOWS\richedit.INI

[2008/01/21 21:17:31 | 000,000,134 | ---- | C] () -- C:\WINDOWS\sceduler.INI

[2008/01/21 21:17:07 | 000,000,632 | ---- | C] () -- C:\WINDOWS\pts.INI

[2008/01/21 21:12:25 | 000,000,383 | ---- | C] () -- C:\WINDOWS\tgpfiles.INI

[2008/01/13 14:28:36 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/01/07 11:59:47 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI

[2007/12/05 21:27:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pp.ini

[2007/04/18 22:27:22 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2007/04/07 17:52:15 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Angel\Local Settings\Application Data\fusioncache.dat

[2007/04/07 16:18:50 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2007/04/06 15:01:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2007/04/06 14:37:45 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat

[2007/04/06 14:37:45 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG

[2007/04/06 12:28:34 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Angel\ntuser.dat.LOG

[2007/04/06 12:28:34 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Angel\ntuser.ini

[2007/04/06 12:28:32 | 003,407,872 | -H-- | C] () -- C:\Documents and Settings\Angel\NTUSER.DAT

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 1092 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:5IXYdFVnWu5fyxXwaVgjy

@Alternate Data Stream - 1057 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:IzPfq1CAnBhFcKYj66idUg2KHmQ3

< End of report >

-------------------------------

otl.txt

------------------------------

OTL logfile created on: 4/19/2010 9:22:48 PM - Run 1

OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Angel\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 196.00 Mb Available Physical Memory | 44.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 60.00% Paging File free

Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55.88 Gb Total Space | 36.28 Gb Free Space | 64.91% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ANGEL-BD3F088EE

Current User Name: Angel

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Angel\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - C:\WINDOWS\NCLAUNCH.EXe (Northcode Inc.)

PRC - C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)

PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Angel\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========

DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)

DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (BrUsbSer) -- C:\WINDOWS\system32\drivers\BrUsbSer.sys (Brother Industries Ltd.)

DRV - (BrSerIf) -- C:\WINDOWS\system32\drivers\BrSerIf.sys (Brother Industries Ltd.)

DRV - (rt2500usb) DWL-G122(rev.:mellow: -- C:\WINDOWS\system32\drivers\rt2500usb.sys (Ralink Technology Inc.)

DRV - (SunkFilt) -- C:\WINDOWS\system32\drivers\Sunkfilt.sys (Alcor Micro Corp.)

DRV - (SunkFilt39) -- C:\WINDOWS\system32\drivers\Sunkfilt39.sys (Alcor Micro Corp.)

DRV - (TPkd) -- C:\WINDOWS\system32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)

DRV - (aliadwdm) -- C:\WINDOWS\system32\drivers\ac97ali.sys (Acer Laboratories Inc.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (StreamDispatcher) -- C:\WINDOWS\system32\drivers\strmdisp.sys (Conexant Systems, Inc.)

DRV - (HSFHWALI) -- C:\WINDOWS\system32\drivers\HSFHWALI.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)

DRV - (fa120) -- C:\WINDOWS\system32\drivers\fa120.sys (NETGEAR Inc.)

DRV - (caboagp) -- C:\WINDOWS\system32\DRIVERS\atisgkaf.sys (ATI Technologies Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-1960408961-842925246-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2010/04/12 09:35:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.

O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)

O4 - HKU\.DEFAULT..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found

O4 - HKU\.DEFAULT..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found

O4 - HKU\S-1-5-18..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe File not found

O4 - HKU\S-1-5-18..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found

O4 - HKU\S-1-5-21-1960408961-842925246-854245398-1003..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (Northcode Inc.)

O4 - Startup: C:\Documents and Settings\Angel\Start Menu\Programs\Startup\Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-1960408961-842925246-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1175878324527 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Angel\My Documents\My Pictures\blackchicken.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/04/06 12:20:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/19 21:19:37 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angel\Desktop\OTL.exe

[2010/04/19 21:14:49 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW

[2010/04/19 20:45:06 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll

[2010/04/19 20:45:06 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui

[2010/04/19 20:45:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood

[2010/04/16 20:03:36 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/04/16 20:00:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials

[2010/04/16 19:58:25 | 011,862,896 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Angel\Desktop\mssefullinstall-x86fre-en-us-xp.exe

[2010/04/16 19:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/04/16 19:50:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/04/16 19:47:36 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2010/04/16 19:47:36 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/04/16 19:47:36 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/04/16 19:47:36 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/04/16 18:15:56 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2010/04/16 18:13:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution

[2010/04/16 18:01:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Angel\IECompatCache

[2010/04/16 18:00:42 | 010,043,336 | ---- | C] (Microsoft Corporation) -- C:\tac.exe

[2010/04/16 17:07:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy-new

[2010/04/16 16:03:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Angel\PrivacIE

[2010/04/16 16:01:00 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Angel\IETldCache

[2010/04/16 15:58:24 | 000,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll

[2010/04/16 15:58:24 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll

[2010/04/16 15:58:23 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll

[2010/04/16 15:58:22 | 011,070,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll

[2010/04/16 15:58:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2010/04/16 15:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google

[2010/04/16 15:56:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM

[2010/04/16 15:54:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2010/04/16 15:49:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/04/16 15:49:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch

[2010/04/16 15:29:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting

[2010/04/16 15:29:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas

[2010/04/16 15:29:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en

[2010/04/16 15:29:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits

[2010/04/16 15:21:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic

[2010/04/16 15:13:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$

[2010/04/16 14:50:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp

[2010/04/16 14:49:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2010/04/14 21:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2010/04/13 19:02:08 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll

[2010/04/13 18:53:59 | 000,000,000 | ---D | C] -- C:\GMER

[2010/04/13 18:52:25 | 000,000,000 | ---D | C] -- C:\rsit

[2010/04/12 11:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angel\Application Data\Malwarebytes

[2010/04/12 11:30:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/04/12 09:58:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt

[2010/04/12 09:11:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/04/12 09:11:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/04/12 09:11:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/04/12 09:10:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/04/12 08:34:36 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/04/05 13:44:31 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2010/04/05 13:44:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2010/04/05 13:27:37 | 000,000,000 | ---D | C] -- C:\Program Files\catchmal

[2010/04/05 12:36:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/04/05 12:15:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/05 12:15:49 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/04/05 12:15:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/04/05 12:15:49 | 000,000,000 | ---D | C] -- C:\Program Files\catch


< End of report >

OTL Extras logfile created on: 4/19/2010 9:22:48 PM - Run 1

OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Angel\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 196.00 Mb Available Physical Memory | 44.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 60.00% Paging File free

Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55.88 Gb Total Space | 36.28 Gb Free Space | 64.91% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ANGEL-BD3F088EE

Current User Name: Angel

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan

"{0E31CA83-8E2B-4B0D-A84D-F561B6CD482D}" = QBFC 5.0

"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600

"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy

"{15D91706-6ADF-44CF-9D7D-FF2D8ACD2C6F}" = LS_HSI

"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant

"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax

"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare

"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy

"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp

"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java 6 Update 20

"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1

"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload

"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour

"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext

"{40FCE4CC-6115-49ED-B6E2-36C99330F930}" = Crystal Reports 9 .NET Server

"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe

Hi,

Let's proceed.

There are a lot of unknown files. This will take a lot of time to do. Be patient.

Let's have this result first.

First,

ATF by Atribune

Please download HERE and save to the desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:

  • Choose: Select All
    Click the Empty Selected button.

If you use Firefox:

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Next,

Kaspersky Online AV Scan

Note: Internet Explorer should be used.

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,

Checklist.

Please post:

  • Content of Kaspersky scan log


Hi -

Ran the ATF with no issues.

Ran the Kaspersky online scanner and it did not find anything. Before I had a chance to save the log for you, the system went into power save and I was not able to retain the log.

Let me know if you need me to run this again, but I did visually see it complete.

The system seems to be running back to normal.

Is there anything else we need to try?

Good! :(

Your system is now clean.

Let's do some cleaning and management.

First,

Uninstall Combofix

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the Run box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
    CF-Uninstall.png

Next,

You can proceed to delete all the tools that were involved in this removal process.

Additional Information:

SpywareBlaster.

  • SpywareBlaster helps make your Internet Explorer stronger, as it blocks known malicious ActiveX controls.
  • A tutorial on installing & using this product can be found HERE

Antivirus.

  • An antivirus helps give the maximum protection for the system.
  • You are advised to have only ONE antivirus running on the system.
  • Please keep it updated regularly.

WinPatrol.

  • Unwanted things always happen without your knowledge. Let this software take a snapshot of them.
  • More information and installation instructions can be found HERE

Windows/Program Update.

Please make sure your Windows Automatic Update is turned ON, or you can update manually.

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.

To update Windows

  • Go to Start > All Programs > Windows Update

To update Office

  • Open up any Office program.
  • Go to Help > Check for Updates

You can always refer to both websites to check whether any updates are needed for your system.

Safe surfing! B)


Thanks -

I installed "Microsoft Security Essentials" but it seems to weigh very heavily on system resources.

Do you have any suggestions for a lightweight antivirus program that will run on this older computer?

I have completed all of the cleanup tasks.

Thanks for all of your help!

This topic is now closed to further replies.