Sign in to follow this  
djs

Trojan-BNK.Win32.Keylogger.gen/XP Home Security 2012

Recommended Posts

It is not the eMule file that is involved in the current infection but other files that Eset's scanner found.

Probably netbt.sys has been changed by the infection and we need to replace it with an uninfected file.

Copy all lines in the box:
[code]
Killall::
FCopy::
C:\WINDOWS\ServicePackFiles\i386\netbt.sys | C:\WINDOWS\system32\drivers\netbt.sys
File::
C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll
DirLook::
C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay
[/code]
and paste into Notepad.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.
Paste the new ComboFix log into your answer.

Share this post


Link to post
Share on other sites
Got it with netbt.sys. Here is the ComboFix log.

ComboFix 12-01-05.04 - Richard 01/06/2012 8:31.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.972 [GMT -5:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\netbt.sys --> c:\windows\system32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-05 14:06 . 2012-01-05 14:06 -------- d-----w- c:\program files\ESET
2012-01-04 15:18 . 2012-01-04 15:18 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\PCHealth
2011-12-18 00:09 . 2011-12-18 00:09 -------- dc----w- C:\ERDNT
2011-12-14 23:51 . 2011-12-14 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-10 18:52 . 2011-12-10 19:03 -------- d-----w- c:\documents and settings\Administrator
2011-12-10 00:15 . 2011-12-10 00:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-09 22:36 . 2011-12-10 00:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\adawaretb
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-27 15:24 . 2011-05-21 12:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-02 18:27 . 2011-12-01 12:26 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-23 13:25 . 2001-08-18 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-01-08 19:23 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 17:06 . 2011-05-20 17:19 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-11-01 16:07 . 2006-10-02 20:03 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2001-08-18 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2001-08-18 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2006-07-12 20:21 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Richard\Local Settings\Application Data\usrMainPlay ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Richard\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Richard\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Richard\\Desktop\\utorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Richard\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:*:Disabled:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:*:Disabled:Adobe Version Cue CS4 Server
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4
"3306:TCP"= 3306:TCP:MySQL
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/20/2011 12:19 PM 64512]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/27/2006 12:00 AM 34880]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2/20/2006 1:01 AM 29056]
R2 dev5_ap1;dev5_ap1;c:\phpdev5\Apache\Apache.exe [8/23/2010 1:50 PM 20480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 1:44 AM 399416]
R3 AGR1310_51;Agere Systems ET-131x PCI-E Gigabit Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [12/14/2009 6:26 PM 70144]
R3 Pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [10/25/2006 7:16 PM 47360]
S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 Ktp3;Elantech TouchPad;c:\windows\system32\drivers\Ktp3.sys [4/20/2005 4:47 PM 24704]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/1/2010 9:37 AM 14424]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} - hxxp://www.leadstoloans.com/activex/fafile.dll
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} - hxxp://www.leadstoloans.com/activex/faprint.dll
DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} - hxxp://www.leadstoloans.com/activex/fagrid.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q=
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-06 08:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e8,d7,df,87,8a,8e,27,40,a2,1b,df,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"c:\\docume~1\\richard\\locals~1\\temp\\wzse0.tmp\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(2764)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\documents and settings\Richard\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\o2flash.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2012-01-06 09:02:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 14:02
ComboFix2.txt 2012-01-05 02:05
ComboFix3.txt 2012-01-04 03:49
ComboFix4.txt 2012-01-03 22:42
ComboFix5.txt 2012-01-06 13:09
.
Pre-Run: 6,688,280,576 bytes free
Post-Run: 6,694,871,040 bytes free
.
- - End Of File - - 98A88C25E8228114C0984151E7026F85

Share this post


Link to post
Share on other sites
Good!

Please, restart the computer and run Eset's scanner again, but this time it is enough if you let it scan the folder c:\windows. If anything is found, post the log.

Run OTL and post its log, please.

Share this post


Link to post
Share on other sites
ESET Results...

[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ed39eb1f15e8534f8da4287f0575bd09
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-05 06:23:32
# local_time=2012-01-05 01:23:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=184249
# found=10
# cleaned=0
# scan_time=14936
C:\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll a variant of Win32/Sefnit.CC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\eMule\Incoming\Adobe Creative Suite CS3 Master Collection.iso probably a variant of Win32/TrojanDropper.Agent.FNFWXNO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\mwq.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\My Documents\YaFqMaI.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003566.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003580.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003589.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003599.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP13\A0003725.exe a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ed39eb1f15e8534f8da4287f0575bd09
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-07 04:35:21
# local_time=2012-01-06 11:35:21 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=184811
# found=11
# cleaned=0
# scan_time=7006
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\mwq.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Application Data\usrMainPlay\smpUserUsb.dll.vir a variant of Win32/Sefnit.CC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\My Documents\YaFqMaI.exe.vir a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\netbt.sys.vir Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003566.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003580.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003589.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP12\A0003599.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP13\A0003725.exe a variant of Win32/Kryptik.YGH trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP16\A0005498.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6839138-4786-403E-B1D5-36BBB2A42890}\RP16\A0005504.dll a variant of Win32/Sefnit.CC trojan (unable to clean) 00000000000000000000000000000000 I

Share this post


Link to post
Share on other sites
OTL Log...

OTL logfile created on: 1/7/2012 9:22:44 AM - Run 4
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Richard\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.44 Gb Total Physical Memory | 0.65 Gb Available Physical Memory | 45.12% Memory free
1.95 Gb Paging File | 1.41 Gb Available in Paging File | 72.17% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 5.97 Gb Free Space | 8.58% Space Free | Partition Type: NTFS

Computer Name: LABTOP | User Name: Richard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2011/12/31 19:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe
PRC - [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/11/03 12:06:56 | 001,187,072 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/10/21 04:09:36 | 000,198,032 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2011/05/25 15:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/04/19 01:44:40 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/04/19 01:44:40 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/04/19 01:44:40 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2010/08/23 13:50:32 | 000,020,480 | ---- | M] () -- C:\phpdev5\Apache\Apache.exe
PRC - [2008/08/28 18:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/18 16:57:54 | 005,750,784 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2005/01/27 01:33:58 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\o2flash.exe


[color=#E56717]========== Modules (No Company Name) ==========[/color]

MOD - [2011/12/05 12:55:56 | 000,193,904 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libMachoUniv.dll
MOD - [2011/12/05 12:54:51 | 000,210,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libBase64.dll
MOD - [2011/11/03 12:06:56 | 000,591,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll
MOD - [2011/11/03 12:06:56 | 000,430,568 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Viprebridge.dll
MOD - [2011/11/03 12:06:56 | 000,308,560 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll
MOD - [2011/06/07 04:44:50 | 000,508,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\thorax.aaw
MOD - [2010/08/23 13:50:54 | 001,089,536 | ---- | M] () -- c:\phpdev5\php\sapi\php4ts.dll
MOD - [2010/08/23 13:50:54 | 000,024,576 | ---- | M] () -- c:\phpdev5\php\sapi\php4apache.dll
MOD - [2010/08/23 13:50:36 | 000,045,056 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_rewrite.so
MOD - [2010/08/23 13:50:36 | 000,028,672 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_status.so
MOD - [2010/08/23 13:50:36 | 000,020,480 | ---- | M] () -- C:\phpdev5\Apache\Win9xConHook.dll
MOD - [2010/08/23 13:50:35 | 000,024,576 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_info.so
MOD - [2010/08/23 13:50:35 | 000,020,480 | ---- | M] () -- c:\phpdev5\Apache\modules\mod_headers.so
MOD - [2010/08/23 13:50:32 | 000,335,872 | ---- | M] () -- C:\phpdev5\Apache\ApacheCore.dll
MOD - [2010/08/23 13:50:32 | 000,020,480 | ---- | M] () -- C:\phpdev5\Apache\Apache.exe
MOD - [2008/08/28 15:54:56 | 000,891,904 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\FileInfo.dll
MOD - [2008/08/28 15:54:56 | 000,502,272 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\AdobeXMPFiles.dll
MOD - [2008/08/28 15:54:56 | 000,424,960 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\AdobeXMP.dll
MOD - [2008/08/28 15:53:58 | 000,073,728 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\Symlib.dll
MOD - [2008/08/28 15:47:50 | 002,748,416 | ---- | M] () -- C:\Program Files\Adobe\Adobe Bridge CS4\libmysqld.dll
MOD - [2008/01/18 16:57:54 | 005,750,784 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
MOD - [2005/01/27 01:33:58 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\o2flash.exe


[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [Auto | Stopped] -- -- (Roxio Upnp Server 9)
SRV - File not found [On_Demand | Stopped] -- -- (Roxio UPnP Renderer 9)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2011/11/03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/04/19 01:44:40 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/04/19 01:44:40 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2010/08/23 13:50:32 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\phpdev5\apache\Apache.exe -- (dev5_ap1)
SRV - [2009/06/15 10:51:14 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/08/15 04:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2008/01/18 16:57:54 | 005,750,784 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2005/01/27 01:33:58 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\o2flash.exe -- (O2Flash)


[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - [2011/11/03 12:06:56 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2011/11/03 12:06:56 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2009/09/28 01:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2007/09/29 02:06:00 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/03/29 07:49:26 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2006/02/27 00:00:50 | 000,034,880 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\o2media.sys -- (O2MDRDR)
DRV - [2006/02/20 01:01:06 | 000,029,056 | ---- | M] (O2Micro ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\o2sd.sys -- (O2SDRDR)
DRV - [2005/12/09 16:48:00 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/10/27 14:06:30 | 000,356,096 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2005/09/06 14:47:12 | 000,070,144 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGR1310_51.sys -- (AGR1310_51)
DRV - [2005/08/24 16:24:00 | 001,120,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/04/20 16:47:28 | 000,024,704 | ---- | M] (Elantech Devices Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ktp3.sys -- (Ktp3)
DRV - [1999/09/10 12:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (ASPI32)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.search.selectedEngine: "Search the Web"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9}:5.0
FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.106
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.12.21.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {87934c42-161d-45bc-8cef-ef18abe2a30c}:0.9
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=utf-8&mssrc=ms_kwd&mstb=adawaretb&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 18:19:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/22 08:14:27 | 000,000,000 | ---D | M]

[2009/04/19 20:52:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Extensions
[2011/12/01 17:26:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions
[2011/05/04 11:48:31 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/12/28 12:30:28 | 000,000,000 | ---D | M] ("Delicious Bookmarks") -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2011/11/30 23:00:34 | 000,000,000 | ---D | M] (Ad-Aware Security Toolbar) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2011/05/04 11:48:33 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\srmkk8ph.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/11/30 23:10:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/16 09:27:46 | 000,000,000 | ---D | M] (Adobe Contribute Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
[2011/05/21 07:29:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2008/09/10 00:09:32 | 000,079,216 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npContribute.dll
[2011/05/21 07:29:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/17 13:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml

O1 HOSTS File: ([2012/01/06 08:49:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Richard\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Richard\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A101} http://www.leadstoloans.com/activex/fafile.dll (First American File Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A201} http://www.leadstoloans.com/activex/faprint.dll (First American Print Control)
O16 - DPF: {4F4D2E63-0377-4188-8B70-52934FA8A301} http://www.leadstoloans.com/activex/fagrid.dll (First American Grid Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159818431983 (WUWebControl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159818421170 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0D182252-A0DB-4D93-8F57-EA9893617957}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 10:43:27 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2012/01/05 09:06:53 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/04 22:30:45 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Richard\Desktop\esetsmartinstaller_enu.exe
[2012/01/04 10:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Richard\Local Settings\Application Data\PCHealth
[2012/01/03 07:36:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/03 07:36:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/03 07:36:18 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/03 07:36:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/03 07:35:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/02 21:20:24 | 004,372,321 | R--- | C] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe
[2012/01/02 16:02:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/12/31 19:27:37 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe
[2011/12/17 19:09:27 | 000,000,000 | ---D | C] -- C:\ERDNT
[2011/12/17 19:06:33 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Richard\Desktop\winsockxpfix.exe
[2011/12/14 21:58:09 | 004,702,720 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe
[2011/12/14 18:51:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/12/11 17:30:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Richard\Start Menu\Programs\Administrative Tools
[2011/12/09 19:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/12/09 19:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/09 17:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\adawaretb
[2007/11/10 23:30:24 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Richard\Application Data\pcouffin.sys

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2012/01/06 17:33:07 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/06 17:32:49 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/01/06 17:32:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/06 08:49:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/06 08:08:57 | 004,372,321 | R--- | M] (Swearware) -- C:\Documents and Settings\Richard\Desktop\ComboFix.exe
[2012/01/05 20:45:09 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\SystemLook.exe
[2012/01/05 20:37:43 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/01/05 20:37:43 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/01/04 22:36:35 | 000,466,782 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/04 22:36:35 | 000,081,574 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/04 22:31:11 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Richard\Desktop\esetsmartinstaller_enu.exe
[2012/01/03 16:28:28 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat
[2012/01/03 16:21:07 | 004,702,720 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Richard\Desktop\aswMBR.exe
[2012/01/03 16:13:53 | 001,558,406 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip
[2012/01/03 07:33:59 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/31 19:48:16 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/31 19:46:12 | 000,001,205 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/31 19:27:40 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Richard\Desktop\OTL(3).exe
[2011/12/27 17:50:35 | 000,668,511 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lotus.jpg
[2011/12/27 17:50:15 | 020,518,736 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\lotus.psd
[2011/12/27 10:27:25 | 000,157,696 | ---- | M] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/27 10:24:34 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/12/20 22:57:03 | 002,848,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/20 10:41:54 | 000,296,303 | ---- | M] () -- C:\Documents and Settings\Richard\My Documents\don-and-alyson.jpg
[2011/12/20 10:41:24 | 007,182,540 | ---- | M] () -- C:\Documents and Settings\Richard\My Documents\dona dn alyson.psd
[2011/12/18 15:37:51 | 000,048,624 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\3978719-Womans-Day-felt-stockings-craft-template.pdf
[2011/12/18 08:37:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2011/12/17 19:04:06 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Richard\Desktop\winsockxpfix.exe
[2011/12/13 07:41:53 | 000,011,977 | ---- | M] () -- C:\Documents and Settings\Richard\all
[2011/12/11 16:08:56 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2012/01/05 20:45:07 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\SystemLook.exe
[2012/01/03 16:13:42 | 001,558,406 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\tdsskiller.zip
[2012/01/03 07:36:18 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/03 07:36:18 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/03 07:36:18 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/03 07:36:18 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/03 07:36:18 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/31 19:48:14 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\iExplore.exe
[2011/12/31 19:46:07 | 000,001,205 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\FixNCR.reg
[2011/12/27 17:49:58 | 020,518,736 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lotus.psd
[2011/12/27 16:09:24 | 000,668,511 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\lotus.jpg
[2011/12/20 10:41:51 | 000,296,303 | ---- | C] () -- C:\Documents and Settings\Richard\My Documents\don-and-alyson.jpg
[2011/12/20 10:41:22 | 007,182,540 | ---- | C] () -- C:\Documents and Settings\Richard\My Documents\dona dn alyson.psd
[2011/12/18 15:37:51 | 000,048,624 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\3978719-Womans-Day-felt-stockings-craft-template.pdf
[2011/12/14 22:00:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\MBR.dat
[2011/12/13 07:28:31 | 000,011,977 | ---- | C] () -- C:\Documents and Settings\Richard\all
[2011/12/11 16:08:56 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Richard\Desktop\rk-proxy.reg
[2011/12/01 07:26:06 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/05/27 11:06:06 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/27 11:06:06 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2010/10/21 20:49:22 | 000,207,982 | ---- | C] () -- C:\WINDOWS\hpoins43.dat
[2010/10/21 20:49:22 | 000,000,601 | ---- | C] () -- C:\WINDOWS\hpomdl43.dat
[2010/08/23 13:51:19 | 000,000,027 | ---- | C] () -- C:\WINDOWS\phpdev.ini
[2010/08/05 09:57:49 | 000,134,272 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/22 11:25:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/10/08 07:52:17 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/27 14:35:07 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/04/30 15:08:59 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/04/24 13:27:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Font Book
[2009/03/12 18:56:25 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\winscp.rnd
[2008/10/09 15:25:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008/10/09 11:27:00 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/08/30 08:29:49 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/08/30 08:29:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\Galaxy Swirl
[2008/05/20 23:05:59 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/04/04 10:05:12 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe
[2008/01/06 14:13:49 | 000,000,054 | ---- | C] () -- C:\WINDOWS\winpoint.ini
[2007/11/10 23:30:24 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.cat
[2007/11/10 23:30:24 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Richard\Application Data\pcouffin.inf
[2007/11/09 21:48:20 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2007/04/30 13:53:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CPC10Q.INI
[2007/04/28 07:23:41 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/04/17 14:28:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/11/26 16:40:52 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/11/17 23:35:53 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\hndlt.ini
[2006/11/17 23:34:41 | 000,000,057 | ---- | C] () -- C:\WINDOWS\System32\windll.ini
[2006/11/08 19:59:54 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/10/09 11:00:34 | 000,157,696 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/04 11:35:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/02 19:50:46 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/02 19:33:26 | 000,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/02 15:29:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/10/02 14:32:15 | 000,020,333 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2006/10/02 09:56:30 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\FASTWiz.html
[2006/09/30 14:26:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\mchguid.ini
[2006/09/29 19:10:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/18 13:31:20 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Richard\Local Settings\Application Data\fusioncache.dat
[2006/07/12 15:26:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/12 15:20:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/12 07:41:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/12 07:40:05 | 002,848,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/01/27 01:33:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\o2flash.exe
[2005/01/20 21:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2003/09/16 10:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/09/16 10:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 10:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,466,782 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,081,574 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[color=#E56717]========== LOP Check ==========[/color]

[2012/01/06 08:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection
[2007/11/09 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2008/04/05 08:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jes-Soft
[2007/01/26 15:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2008/06/15 09:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OLYMPUS
[2009/07/17 17:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/08/30 08:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2010/06/15 08:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/11 07:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/06/01 10:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/02/05 11:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2008/03/24 16:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\acccore
[2011/12/22 14:10:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\adawaretb
[2008/01/06 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Aim
[2011/03/22 08:08:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Amazon
[2010/03/08 09:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Azureus
[2009/05/17 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Blackberry Desktop
[2010/09/23 10:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.ExMan
[2010/11/16 16:45:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
[2007/07/18 16:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\CTS
[2012/01/06 17:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Dropbox
[2009/03/12 18:43:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\FileZilla
[2010/05/09 12:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\foobar2000
[2007/03/12 15:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Investintech
[2007/06/24 09:57:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Leadertech
[2008/08/30 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Nikon
[2008/04/02 20:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\OfficeUpdate12
[2009/05/20 07:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Research In Motion
[2010/05/28 11:41:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Subversion
[2007/01/18 12:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Viewpoint
[2011/10/06 18:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Vso
[2012/01/06 17:32:49 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

[color=#E56717]========== Purity Check ==========[/color]



< End of report >

Share this post


Link to post
Share on other sites
Good!

[b]1. Removal of ComboFix and all system restore points since they are infected.[/b]
Press Windows-key + R
Copy and paste this line:
ComboFix /Uninstall

Note the space before /
Click on OK.

[b]2.Program updates[/b]
Open Secunia's program and take a screen shot (Alt + Print Screen). Open Paint and select Paste in Edit menu. Save the file and upload it together with your answer.

Share this post


Link to post
Share on other sites
Please, select first "Scan Results" in the left column and then take a new screen shot. If possible save the file as .png or .jpg in Paint, instead of .bmp, before you attach it.

Share this post


Link to post
Share on other sites
All the products that either are marked End-of-Life or Insecure should be uninstalled or upgraded.

First uninstall programs you are not using in Control panel - Add and remove programs.

Follow http://www.dummies.com/how-to/content/how-to-run-windows-update-in-windows-xp.html and install all critical updates and everything for Windows XP.

Configure Automatic Updates in Windows, see http://support.microsoft.com/kb/306525/

Configure Firefox for automatic updates, see http://support.mozilla.org/en-US/kb/Updating%20Firefox#w_how-do-i-configure-update-options choose settings as in pictures.

Restart the computer and attach a new screen shot of the results in Secunia's program.

Share this post


Link to post
Share on other sites
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this