malware/virus removal


satbahadur (Thread Starter):
Before I post all the files requested: I cannot get the dds.scr program to run; it freezes after displaying the message "Two logs shall be created on your Desktop". Please help. Next, I have saved the HijackThis log and the GMER log and one other log from RSIT. I
 

kevinf80 (Kevin, Malware Specialist):
Post the logs you've got available.... ;)

Kevin..
 

satbahadur (Thread Starter):
I have logs from HijackThis and GMER; however, DDS did not work on my computer.
Here are the logs.

HijackThis
----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:29:32 PM, on 2/1/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\All Users\Application Data\IBUpdaterService\ibsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.in.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {5BFEFF94-6411-4B74-A947-4969134B24DE} - (no file)
R3 - URLSearchHook: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
F2 - REG:system.ini: Shell=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: GomPicker - {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - C:\Program Files\GRETECH\GomPicker\GomPickerBHO.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Updater Service (IBUpdaterService) - Unknown owner - C:\Documents and Settings\All Users\Application Data\IBUpdaterService\ibsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 4828 bytes

GMER
----------------------------------------------------
GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-01 16:49:51
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHT2040AH_PL rev.006C 37.26GB
Running: kcwrgv2l.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\pgwcyfod.sys

---- System - GMER 2.0 ----
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xAA5550DA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAA555CA6]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys ZwCreateThread [0xAA707670]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xAA555EB8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xAA559714]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xAA559756]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xAA5598FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xAA555DCA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xAA555282]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xAA555482]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xAA5555C2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xAA55985E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xAA5597A8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xAA5597EA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xAA559824]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xAA555068]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xAA555F6A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetValueKey [0xAA55969C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xAA554FE6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xAA554EEE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xAA554F46]
---- User code sections - GMER 2.0 ----
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] ntdll.dll!KiUserApcDispatcher 7C90E430 5 Bytes JMP 00414FF0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A70001
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71A10022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[908] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71AE0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2604] ntdll.dll!KiUserApcDispatcher 7C90E430 5 Bytes JMP 0043AA00 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2604] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71A80001
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2604] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 71AE001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2604] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 719E0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2604] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71A20022
---- Files - GMER 2.0 ----
File C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\user\fsm_service_var_1.js.data 0 bytes
---- EOF - GMER 2.0 ----
 

kevinf80 (Kevin, Malware Specialist):
Ok, do the following:

Download AdwCleaner by Xplode from http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Next,

Download Malwarebytes from one of the following links and save it to your desktop:


http://www.malwarebytes.org/mbam.php
http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post both logs.....

Kevin....
 

satbahadur (Thread Starter):
I just read your instructions. Thanks. I am going to start; I will inform you after I finish. Thanks again.

Satbahadur
 

satbahadur (Thread Starter):
Thanks a lot for your attention and help. It took me almost an hour to do the scanning. I got one log from AdwCleaner and 2 logs from Malwarebytes. I am attaching all 3 log files as well.

AdwCleaner
-------------------------------------------------
# AdwCleaner v2.109 - Logfile created 02/02/2013 at 16:57:42
# Updated 26/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Dad - USER-48EF0404BA
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Dad\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****
Stopped & Deleted : Application Updater
Stopped & Deleted : IBUpdaterService
***** [Files / Folders] *****
File Deleted : C:\Documents and Settings\Dad\Local Settings\Application Data\funmoods.crx
File Deleted : C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage
File Deleted : C:\user.js
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Anti-phishing Domain Advisor
Folder Deleted : C:\Documents and Settings\All Users\Application Data\IBUpdaterService
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\Dad\Application Data\Funmoods
Folder Deleted : C:\Documents and Settings\Dad\Application Data\PerformerSoft
Folder Deleted : C:\Documents and Settings\Dad\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Dad\Application Data\Search Settings
Folder Deleted : C:\Documents and Settings\Dad\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Dad\Local Settings\Application Data\Wajam
Folder Deleted : C:\Program Files\Application Updater
Folder Deleted : C:\Program Files\Common Files\spigot
***** [Registry] *****
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\Funmoods
Key Deleted : HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011501160}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{312F84FB-8970-4FD3-BDDB-7012EAC4AFC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C547C6C2-561B-4169-A2A5-20BA771CA93B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011501160}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{312F84FB-8970-4FD3-BDDB-7012EAC4AFC9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C547C6C2-561B-4169-A2A5-20BA771CA93B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\Application Updater
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BrowserMngr
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Funmoods
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011501160}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011501160}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{15D2D75C-9CB2-4EFD-BAD7-B9B4CB4BC693}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Funmoods
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PricePeep
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Updater Service
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011501160}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Updater Service
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin
Key Deleted : HKLM\Software\Search Settings
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Main [BrowserMngr Start Page]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [BrowserMngrDefaultScope]
***** [Internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] Registry is clean.
-\\ Google Chrome v [Unable to get version]
File : C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
Deleted [l.5] : search_url = "hxxp://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=download&chnl=downl[...]
*************************
AdwCleaner[S1].txt - [9026 octets] - [02/02/2013 16:57:42]
########## EOF - C:\AdwCleaner[S1].txt - [9086 octets] ##########

MalwareBytes
----------------------------------------------
mbam-log-2013-02-02 (17-22-09)
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org
Database version: v2013.02.02.09
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: USER-48EF0404BA [administrator]
Protection: Enabled
2/2/2013 5:22:09 PM
mbam-log-2013-02-02 (17-22-09).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 298570
Time elapsed: 12 minute(s), 4 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 21
HKCR\Typelib\{0597D3BE-9A4D-4426-A8A7-572AD299852E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{4E7F49ED-8C94-4AAA-A407-3010D099B11A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5D79F641-C168-40DF-A32F-BACEA7509E75} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D79F641-C168-40DF-A32F-BACEA7509E75} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CB41FC95-F1B3-4797-8BB6-1012FF62ABBA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{04D2B915-19FF-41E9-994D-95DC898BEA43} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{04D2B915-19FF-41E9-994D-95DC898BEA43} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0696F815-A3A9-490A-BB14-9EC3350B1276} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4e7f49ed-8c94-4aaa-a407-3010d099b11a} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d09094b3-b426-4f16-a6d9-e211fe222127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0e8a6cb6-3b14-491d-8bba-86a95a62ff72} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D7E63AF-274B-426B-B51D-ADF161DF7F24} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7895609d-c8b4-4cf5-a2c7-28223d0c3d92} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8be781d8-5e70-423d-82de-9e4756fce53c} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f02c0832-c85c-4b93-8c6f-9df20121a10d} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TelevisionFanaticbar Uninstall (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MozillaPlugins\@TelevisionFanatic.com/Plugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\TelevisionFanaticService (PUP.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Data: a[Éê°HM˜9yÓR؀ -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{C98D5B61-B0EA-4D48-9839-1079D352D880} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 6
C:\Downloads\PDFConverterSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Downloads\PopularScreenSavers.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Downloads\UtilityChest.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Downloads\VideoDownloadConvert.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\wgsdgsdgdsgsd.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.
(end)

protection-log-2013-02-02
-------------------------------------------
2013/02/02 17:18:18 -0500 USER-48EF0404BA Dad MESSAGE Starting protection
2013/02/02 17:18:18 -0500 USER-48EF0404BA Dad MESSAGE Protection started successfully
2013/02/02 17:18:18 -0500 USER-48EF0404BA Dad MESSAGE Starting IP protection
2013/02/02 17:18:36 -0500 USER-48EF0404BA Dad MESSAGE IP Protection started successfully
2013/02/02 17:18:51 -0500 USER-48EF0404BA Dad MESSAGE Executing scheduled update: Daily
2013/02/02 17:19:22 -0500 USER-48EF0404BA Dad MESSAGE Starting database refresh
2013/02/02 17:19:22 -0500 USER-48EF0404BA Dad MESSAGE Stopping IP protection
2013/02/02 17:19:23 -0500 USER-48EF0404BA Dad MESSAGE IP Protection stopped successfully
2013/02/02 17:19:49 -0500 USER-48EF0404BA Dad MESSAGE Database refreshed successfully
2013/02/02 17:19:49 -0500 USER-48EF0404BA Dad MESSAGE Starting IP protection
2013/02/02 17:19:59 -0500 USER-48EF0404BA Dad MESSAGE Scheduled update executed successfully: database updated from version v2012.12.14.11 to version v2013.02.02.09
2013/02/02 17:20:42 -0500 USER-48EF0404BA Dad MESSAGE IP Protection started successfully
2013/02/02 17:47:04 -0500 USER-48EF0404BA MESSAGE Starting protection
2013/02/02 17:47:04 -0500 USER-48EF0404BA MESSAGE Protection started successfully
2013/02/02 17:47:04 -0500 USER-48EF0404BA MESSAGE Starting IP protection
2013/02/02 17:47:48 -0500 USER-48EF0404BA Dad MESSAGE IP Protection started successfully

I am sure that after all this, the problems and viruses on my computer will be eliminated. Thanks a lot for your help.

Satbahadur
 

kevinf80 (Kevin, Malware Specialist):
Continue as follows please:

Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Next,

Download OTL from any of the following links and save to your Desktop:


http://oldtimer.geekstogo.com/OTL.exe
http://itxassociates.com/OT-Tools/OTL.com
http://www.itxassociates.com/OT-Tools/OTL.scr
  • Double click on the icon to run it. Vista or Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Under the Custom Scan box paste this in:

    Code:
    netsvcs
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    msconfig
    %SYSTEMDRIVE%\*.exe
    %LOCALAPPDATA%\*.exe
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply.

Kevin
 

satbahadur (Thread Starter):
I am sincerely grateful for your help. Although you have suggested and may have facilitated plenty of fixes, I am still looking for some other annoying thing on my computer. That is, I am unable to see or configure my wireless connection, Security Center and Windows Update; all three utilities were in the notification area with icons, but all have disappeared now. I am still perplexed by this. I hope after all these logs the problems will clear. Here are the logs you have requested.

Security Check
----------------------------------------
Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Windows Defender
Malwarebytes Anti-Malware version 1.70.0.1100
Java(TM) 6 Update 26
Java 2 Runtime Environment Standard Edition v1.3.1_10
Java version out of Date!
Adobe Flash Player 11.5.502.146
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Windows Defender MSASCui.exe
Malwarebytes Anti-Malware mbamservice.exe
Spybot Teatimer.exe is disabled!
Malwarebytes' Anti-Malware mbamscheduler.exe
Windows Defender MsMpEng.exe
Windows Defender MSASCui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 22% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

OTL
------------------------------------
OTL logfile created on: 2/2/2013 9:57:43 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Dad\Desktop\Cleaning
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.36 Mb Total Physical Memory | 334.86 Mb Available Physical Memory | 32.72% Memory free
2.78 Gb Paging File | 2.15 Gb Available in Paging File | 77.47% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 13.48 Gb Free Space | 36.17% Space Free | Partition Type: NTFS
Drive D: | 492.57 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: USER-48EF0404BA | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/02/02 21:52:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\Cleaning\OTL.exe
PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/11/13 14:07:16 | 001,103,392 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2012/09/07 10:07:12 | 001,677,144 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/09/07 10:07:12 | 000,976,728 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 19:12:12 | 000,256,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\msagent\agentsvr.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2012/11/13 14:06:32 | 000,158,624 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
MOD - [2012/11/13 14:06:30 | 000,108,960 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2012/11/13 14:06:28 | 000,554,400 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\VirtualTreesDXE150.bpl
MOD - [2012/11/13 14:06:28 | 000,528,288 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\JSDialogPack150.bpl
MOD - [2012/11/13 14:06:28 | 000,416,160 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2012/10/09 01:36:58 | 000,006,656 | ---- | M] () -- C:\Program Files\GRETECH\GomPicker\FunctionHandler.dll
MOD - [2012/08/23 09:38:24 | 000,574,840 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
MOD - [2012/08/21 17:18:44 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2012/05/30 02:02:10 | 000,520,464 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll
MOD - [2001/10/10 23:01:36 | 000,063,816 | ---- | M] () -- C:\Program Files\Microsoft Office\Office10\BLNMGRPS.DLL
MOD - [2001/10/10 23:01:34 | 000,080,200 | ---- | M] () -- C:\Program Files\Microsoft Office\Office10\BLNMGR.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDWSCService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDUpdateService)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDScannerService)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2013/01/16 23:56:51 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/09/07 10:07:12 | 000,976,728 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2011/03/14 10:27:28 | 000,271,712 | ---- | M] () [Disabled | Stopped] -- C:\Documents and Settings\All Users\Application Data\DatacardService\HWDeviceService.exe -- (HWDeviceService.exe)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/04/13 19:12:02 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2008/04/13 19:11:55 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\u302mgmt.sys -- (u302mgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\u302mdm.sys -- (u302mdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\u302mdfl.sys -- (u302mdfl)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\u302bus.sys -- (u302bus)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (RkHit)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (cpuz134)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\btwusb.sys -- (BTWUSB)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btwdndis.sys -- (BTWDNDIS)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btport.sys -- (BTDriver)
DRV - File not found [2010/03/25 22:35:10] [Kernel | Auto | Stopped] -- -- ({B154377D-700F-42cc-9474-23858FBDF4BD})
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/12/02 18:13:29 | 000,076,544 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV - [2012/10/30 05:32:35 | 000,272,216 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys -- (RapportCerberus_43926)
DRV - [2012/09/07 10:07:30 | 000,071,480 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/09/07 10:07:30 | 000,065,848 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/09/07 10:07:28 | 000,166,840 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/05/30 02:02:09 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys -- (RapportIaso)
DRV - [2011/06/02 10:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/11/11 07:26:02 | 002,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51)
DRV - [2008/04/13 14:00:02 | 000,225,664 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2007/11/29 19:35:44 | 000,163,328 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/04/19 12:03:26 | 001,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/05/15 18:29:12 | 000,701,952 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/17 07:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}: "URL" = http://search.mywebsearch.com/myweb...&n=77ee415e&psa=&st=sb&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.mywebsearch.com/myweb...&n=77ed7a31&psa=&st=sb&searchfor={searchTerms}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://rnd009.googlepages.com/google.html
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://rnd009.googlepages.com/google.html
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.in.msn.com/
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\URLSearchHook: {5BFEFF94-6411-4B74-A947-4969134B24DE} - No CLSID value found
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\SearchScopes,DefaultScope = {EB9F23D5-CA46-40FB-A801-BA42709B4915}
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\SearchScopes\{7A7077AA-2495-4BAA-80DD-D410E2580019}: "URL" = http://www.google.com/search?q={sea...ource}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\SearchScopes\{EB9F23D5-CA46-40FB-A801-BA42709B4915}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=744028&p={searchTerms}
IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@ei.UtilityChest_49.com/Plugin: C:\Program Files\UtilityChest_49EI\Installr\1.bin\NP49EISB.dll (Utility Chest)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2013/02/02 12:48:05 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+(R),version=1.6.2.100: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor


========== Chrome ==========

CHR - default_search_provider: Funmoods ()
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - homepage: http://ca.search.yahoo.com?type=744028&fr=spigot-yhp-ch
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: getPlusPlus for Adobe 162100 (Enabled) = C:\Program Files\NOS\bin\np_gp.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~1\mcafee\msc\npmcsn~1.dll

O1 HOSTS File: ([2012/03/29 08:57:29 | 000,000,826 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (GretechBHO Class) - {F0181C6E-9218-4792-9F3C-E8DF52B2F1AC} - C:\Program Files\GRETECH\GomPicker\GomPickerBHO.dll (Gretech Corporation)
O3 - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-854245398-49474851-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKU\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.microsoft.com/downl...584-842756A66467/MicrosoftDownloadManager.cab (Microsoft Download Manager ActiveX control)
O16 - DPF: {CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-1_3_1_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.13.0.cab (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4FBB18F-B890-4456-BB06-292B41B5AF14}: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/27 12:50:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 07:00:00 | 000,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{203f8800-a3b8-11df-940e-000fb391bb04}\Shell - "" = AutoRun
O33 - MountPoints2\{203f8800-a3b8-11df-940e-000fb391bb04}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell - "" = AutoRun
O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{93cf3f50-b044-11dd-9016-000fb391bb04}\Shell - "" = Autorun
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: EventSystem - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - C:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sharedaccess - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: WmdmPmSN - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk - Reg Error: Value error. - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE - (WinZip Computing, Inc.)
MsConfig - StartUpReg: BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: SpeedyComputer - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: TelevisionFanatic Browser Plugin Loader - hkey= - key= - Reg Error: Value error. File not found
MsConfig - StartUpReg: TelevisionFanatic Search Scope Monitor - hkey= - key= - Reg Error: Value error. File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/02/02 18:36:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Local Settings\Application Data\Deployment
[2013/02/02 17:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Application Data\Malwarebytes
[2013/02/02 17:16:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/02/02 17:16:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/02/02 17:16:40 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/02/02 17:16:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/02/02 17:07:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\My Documents\Clean
[2013/02/02 17:04:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Desktop\Cleaning
[2013/02/02 12:54:07 | 000,232,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2013/02/02 12:50:49 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2013/02/02 12:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\My Documents\My Downloads
[2013/02/02 12:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Download Manager
[2013/02/02 12:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Download Manager
[2013/02/01 18:11:14 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2013/02/01 15:45:38 | 000,000,000 | ---D | C] -- C:\rsit
[2013/02/01 15:29:42 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\Dad\Desktop\SysInfo.exe
[2013/02/01 12:35:23 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Dad\Desktop\dds.scr
[2013/01/31 09:01:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\IIS Temporary Compressed Files
[2013/01/31 09:01:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Cache
[2013/01/31 09:01:02 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpctrs.dll
[2013/01/31 09:01:02 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpctrs.dll
[2013/01/31 09:01:02 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snprfdll.dll
[2013/01/31 09:01:02 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_snprfdll.dll
[2013/01/31 09:01:01 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_mailmsg.dll
[2013/01/31 09:01:01 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_scripto.dll
[2013/01/31 09:01:01 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_aqadmin.dll
[2013/01/31 09:01:01 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fcachdll.dll
[2013/01/31 09:01:01 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_fcachdll.dll
[2013/01/31 09:01:01 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_ntfsdrv.dll
[2013/01/31 09:01:01 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_seos.dll
[2013/01/31 09:01:01 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\regtrace.exe
[2013/01/31 09:01:01 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_regtrace.exe
[2013/01/31 09:01:01 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_adsiisex.dll
[2013/01/31 09:01:01 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\adsiisex.dll
[2013/01/31 09:00:35 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w3ext.dll
[2013/01/31 09:00:35 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wamps51.dll
[2013/01/31 09:00:35 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iwrps.dll
[2013/01/31 09:00:34 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nextlink.dll
[2013/01/31 09:00:34 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pagecnt.dll
[2013/01/31 09:00:34 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\permchk.dll
[2013/01/31 09:00:34 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\status.dll
[2013/01/31 09:00:33 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\browscap.dll
[2013/01/31 09:00:33 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\controt.dll
[2013/01/31 09:00:33 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mdsync.dll
[2013/01/31 09:00:33 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\counters.dll
[2013/01/31 09:00:33 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iiscrmap.dll
[2013/01/31 09:00:33 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\authfilt.dll
[2013/01/31 09:00:33 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isapips.dll
[2013/01/31 09:00:33 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iissync.exe
[2013/01/31 09:00:32 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\adrot.dll
[2013/01/31 09:00:32 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asptxn.dll
[2013/01/31 09:00:32 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aspperf.dll
[2013/01/31 09:00:32 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aspperf.dll
[2013/01/31 09:00:32 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\w3svapi.dll
[2013/01/31 09:00:32 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w3svapi.dll
[2013/01/31 09:00:32 | 000,004,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w3ctrs51.dll
[2013/01/31 09:00:32 | 000,004,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\w3ctrs.dll
[2013/01/31 09:00:31 | 000,094,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\certmap.ocx
[2013/01/31 09:00:31 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iisreset.exe
[2013/01/31 09:00:31 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisreset.exe
[2013/01/31 09:00:31 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetmgr.exe
[2013/01/31 09:00:31 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ftpsapi2.dll
[2013/01/31 09:00:31 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftpsapi2.dll
[2013/01/31 09:00:31 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iisrstap.dll
[2013/01/31 09:00:31 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisrstap.dll
[2013/01/31 09:00:30 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisui.dll
[2013/01/31 09:00:30 | 000,060,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iisclex4.dll
[2013/01/31 09:00:30 | 000,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\logscrpt.dll
[2013/01/31 09:00:30 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsloc.dll
[2013/01/31 09:00:30 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetsloc.dll
[2013/01/31 09:00:30 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wamregps.dll
[2013/01/31 09:00:30 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wamregps.dll
[2013/01/31 09:00:30 | 000,003,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iismui.dll
[2013/01/31 09:00:30 | 000,003,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iismui.dll
[2013/01/31 09:00:29 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\convlog.exe
[2013/01/31 09:00:29 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\convlog.exe
[2013/01/31 09:00:29 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsm.dll
[2013/01/31 09:00:29 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmpstup.dll
[2013/01/31 09:00:29 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\infoctrs.dll
[2013/01/31 09:00:29 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\infoctrs.dll
[2013/01/31 09:00:29 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\admxprox.dll
[2013/01/31 09:00:29 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\admxprox.dll
[2013/01/31 09:00:29 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smimsgif.dll
[2013/01/31 09:00:29 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsy.dll
[2013/01/31 08:59:14 | 000,000,000 | ---D | C] -- C:\Inetpub
[2013/01/31 08:41:45 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\simptcp.dll
[2013/01/31 08:41:45 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2013/01/31 06:44:37 | 000,000,000 | ---D | C] -- C:\Program Files\Vtools Toolbar
[2013/01/31 06:43:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Application Data\Vtools
[2013/01/31 06:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\Vtools
[2013/01/30 12:52:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2013/01/30 07:47:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy 2
[2013/01/30 07:47:48 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2013/01/30 07:47:40 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2013/01/20 20:47:18 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2013/01/20 19:50:23 | 038,808,920 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Dad\My Documents\FileFormatConverters.exe
[2013/01/19 09:06:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\My Documents\GomPlayer
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/02/02 22:19:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{30B0C8CA-0968-48BE-8B86-A453A4D8BE23}.job
[2013/02/02 22:03:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/02 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2013/02/02 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2013/02/02 21:56:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/02/02 21:19:39 | 000,446,830 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/02 21:19:39 | 000,078,104 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/02 21:17:54 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2013/02/02 21:14:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/02 21:14:43 | 1073,139,712 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/02 18:38:58 | 000,000,278 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Current local time in India – Delhi – New Delhi.url
[2013/02/02 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2013/02/02 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2013/02/02 17:16:43 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/02 16:56:19 | 000,580,235 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\adwcleaner.exe
[2013/02/02 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2013/02/02 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2013/02/02 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2013/02/02 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2013/02/02 12:49:46 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/02 11:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2013/02/02 11:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2013/02/02 10:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2013/02/02 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2013/02/02 08:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2013/02/02 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2013/02/02 07:17:53 | 000,004,885 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/01 22:11:48 | 000,320,336 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/01 19:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2013/02/01 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2013/02/01 18:45:36 | 000,451,840 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\TeamSpybot-20130201-184534.cab
[2013/02/01 18:45:36 | 000,437,201 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Desktop-20130201-184534.png
[2013/02/01 18:44:40 | 000,449,828 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\TeamSpybot-20130201-184438.cab
[2013/02/01 18:44:40 | 000,435,045 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Desktop-20130201-184438.png
[2013/02/01 17:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2013/02/01 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2013/02/01 15:29:43 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\Dad\Desktop\SysInfo.exe
[2013/02/01 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2013/02/01 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2013/02/01 12:35:25 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Dad\Desktop\dds.scr
[2013/02/01 12:27:32 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\HiJackThis.lnk
[2013/02/01 12:03:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/01 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2013/02/01 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2013/02/01 09:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2013/02/01 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2013/02/01 07:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2013/02/01 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2013/02/01 06:36:27 | 001,210,951 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\report.pdf
[2013/02/01 06:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2013/02/01 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2013/01/31 23:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2013/01/31 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2013/01/31 20:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2013/01/31 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2013/01/31 13:39:12 | 000,008,486 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\error.JPG
[2013/01/31 13:25:56 | 000,051,262 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\tb 3.JPG
[2013/01/31 13:25:28 | 000,041,801 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\tb 2.JPG
[2013/01/31 13:24:56 | 000,008,687 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\tb1.JPG
[2013/01/31 13:22:40 | 000,000,155 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\i_view32.ini
[2013/01/31 11:19:18 | 000,000,659 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Tech Support Guy - Welcome Guide (2).url
[2013/01/31 08:37:35 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/01/30 21:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2013/01/30 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2013/01/30 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2013/01/30 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2013/01/30 09:58:08 | 000,000,620 | ---- | M] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/01/30 08:38:16 | 000,000,082 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2013/01/30 07:48:27 | 000,000,616 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/01/30 07:48:27 | 000,000,446 | ---- | M] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/01/30 07:47:59 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Spybot-S&D Start Center.lnk
[2013/01/30 05:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2013/01/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2013/01/30 00:32:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/01/30 00:07:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2013/01/29 19:09:06 | 571,322,368 | ---- | M] () -- C:\xpsp3_5512.080413-2113_usa_x86fre_spcd.iso
[2013/01/28 07:39:41 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Main Wikipedia.url
[2013/01/28 06:58:58 | 000,000,309 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\My Document.lnk
[2013/01/20 19:50:27 | 038,808,920 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Dad\My Documents\FileFormatConverters.exe
[2013/01/20 16:08:13 | 057,607,105 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Hardware_&_DIY.ZIP
[2013/01/19 15:44:34 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2013/01/18 01:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2013/01/18 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/01/17 15:23:02 | 000,014,535 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Document 66.rtf
[2013/01/17 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2013/01/17 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2013/01/17 01:28:58 | 000,232,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2013/01/16 23:56:37 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/16 23:56:37 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/01/08 06:33:37 | 000,000,495 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to i_view32.lnk
[2013/01/08 04:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2013/01/08 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2013/01/06 00:34:35 | 006,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/02/02 17:51:07 | 000,580,235 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\adwcleaner.exe
[2013/02/02 17:16:43 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/02 12:54:04 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2013/02/02 12:50:51 | 000,000,955 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Defender.lnk
[2013/02/01 18:45:36 | 000,451,840 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\TeamSpybot-20130201-184534.cab
[2013/02/01 18:45:35 | 000,437,201 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Desktop-20130201-184534.png
[2013/02/01 18:44:40 | 000,449,828 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\TeamSpybot-20130201-184438.cab
[2013/02/01 18:44:39 | 000,435,045 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Desktop-20130201-184438.png
[2013/02/01 06:36:27 | 001,210,951 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\report.pdf
[2013/01/31 13:25:56 | 000,051,262 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\tb 3.JPG
[2013/01/31 13:25:28 | 000,041,801 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\tb 2.JPG
[2013/01/31 13:24:56 | 000,008,687 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\tb1.JPG
[2013/01/31 11:38:27 | 000,008,486 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\error.JPG
[2013/01/31 11:19:18 | 000,000,659 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Tech Support Guy - Welcome Guide (2).url
[2013/01/31 09:01:02 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2013/01/31 09:01:02 | 000,008,002 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.h
[2013/01/31 09:01:01 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2013/01/31 09:01:01 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.h
[2013/01/31 09:00:32 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2013/01/31 09:00:32 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2013/01/31 09:00:32 | 000,005,379 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.h
[2013/01/31 09:00:32 | 000,002,024 | ---- | C] () -- C:\WINDOWS\System32\axctrnm.h
[2013/01/31 09:00:30 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2013/01/31 09:00:29 | 000,003,276 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.h
[2013/01/31 09:00:28 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib
[2013/01/31 09:00:28 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib
[2013/01/31 09:00:28 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib
[2013/01/31 09:00:28 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib
[2013/01/31 09:00:28 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib
[2013/01/31 09:00:28 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib
[2013/01/31 09:00:27 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib
[2013/01/31 09:00:27 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib
[2013/01/31 09:00:27 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib
[2013/01/31 09:00:27 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib
[2013/01/31 09:00:27 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib
[2013/01/31 09:00:27 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib
[2013/01/31 09:00:24 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib
[2013/01/31 09:00:24 | 000,000,698 | ---- | C] () -- C:\WINDOWS\System32\inetsrv.mib
[2013/01/31 09:00:23 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib
[2013/01/31 09:00:23 | 000,020,079 | ---- | C] () -- C:\WINDOWS\System32\http.mib
[2013/01/31 09:00:23 | 000,006,179 | ---- | C] () -- C:\WINDOWS\System32\ftp.mib
[2013/01/31 09:00:22 | 000,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib
[2013/01/31 09:00:22 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib
[2013/01/31 09:00:22 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib
[2013/01/31 08:37:35 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/01/31 08:37:35 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\Dad\Start Menu\Programs\Internet Explorer.lnk
[2013/01/30 07:48:27 | 000,000,446 | ---- | C] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/01/30 07:48:25 | 000,000,616 | ---- | C] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/01/30 07:48:24 | 000,000,620 | ---- | C] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/01/30 07:47:59 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2013/01/30 07:47:59 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Spybot-S&D Start Center.lnk
[2013/01/29 14:41:10 | 571,322,368 | ---- | C] () -- C:\xpsp3_5512.080413-2113_usa_x86fre_spcd.iso
[2013/01/29 14:39:54 | 000,000,155 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\i_view32.ini
[2013/01/29 09:55:15 | 1073,139,712 | -HS- | C] () -- C:\hiberfil.sys
[2013/01/28 06:58:58 | 000,000,309 | ---- | C] () -- C:\Documents and Settings\Dad\My Documents\My Document.lnk
[2013/01/20 16:06:33 | 057,607,105 | ---- | C] () -- C:\Documents and Settings\Dad\My Documents\Hardware_&_DIY.ZIP
[2013/01/17 15:23:02 | 000,014,535 | ---- | C] () -- C:\Documents and Settings\Dad\My Documents\Document 66.rtf
[2013/01/08 06:33:37 | 000,000,495 | ---- | C] () -- C:\Documents and Settings\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to i_view32.lnk
[2012/12/03 20:59:24 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\FASTApp.html
[2012/09/28 11:52:02 | 000,000,064 | ---- | C] () -- C:\WINDOWS\GPlrLanc.dat
[2012/09/22 16:15:58 | 020,480,000 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\store-pp.jbs
[2012/08/21 10:48:09 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\Dad\doscmd
[2012/07/09 06:08:00 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/29 19:03:13 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\winweim.dll
[2012/01/31 21:40:56 | 000,000,075 | ---- | C] () -- C:\WINDOWS\ImportClient.INI
[2011/12/22 12:27:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\{B97FB304-C360-4239-A69D-3279961A7392}
[2011/12/15 19:01:11 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2011/12/15 06:10:18 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/10/22 14:44:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dad\Application Data\bibstats
[2011/09/20 10:25:20 | 000,000,272 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2011/04/04 15:22:15 | 000,012,562 | -HS- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\sns26gx5n4j3fx46a0a60g14b7lq4tq3t6217
[2011/04/04 15:22:15 | 000,012,562 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\sns26gx5n4j3fx46a0a60g14b7lq4tq3t6217
[2010/12/29 07:35:15 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Dad\Application Data\lakerda1967.sys
[2010/12/29 07:33:47 | 000,010,584 | ---- | C] () -- C:\Documents and Settings\Dad\Application Data\docXConverter (3).ini
[2010/10/27 05:05:07 | 000,102,811 | ---- | C] () -- C:\Documents and Settings\Dad\Shattering some myths on Kashmir.htm
[2010/10/25 07:52:04 | 000,018,249 | ---- | C] () -- C:\Documents and Settings\Dad\Optimizing Windows XP Services.htm
[2010/10/25 03:49:52 | 000,117,963 | ---- | C] () -- C:\Documents and Settings\Dad\Services Guide for Windows XP.htm
[2010/10/25 02:52:15 | 000,050,643 | ---- | C] () -- C:\Documents and Settings\Dad\Turn Off Unnecessary Windows XP Services JasonN_com.htm
[2010/06/17 19:32:34 | 000,940,282 | ---- | C] () -- C:\Program Files\fastfilerenamer.zip
[2009/12/15 09:09:31 | 015,046,752 | ---- | C] () -- C:\Documents and Settings\Dad\SHRI HANUMAAN CHALISA.mp3
[2009/12/13 09:41:39 | 000,005,353 | ---- | C] () -- C:\Documents and Settings\Dad\Toronto Weather.rtf
[2009/11/09 09:25:35 | 015,040,966 | ---- | C] () -- C:\Documents and Settings\Dad\UNCENSORED_ISSUE1.pdf
[2009/09/15 21:52:49 | 001,869,617 | -H-- | C] () -- C:\Documents and Settings\All Users\JapjiSahib.mp3
[2009/09/15 21:52:49 | 001,746,833 | -H-- | C] () -- C:\Documents and Settings\All Users\Mool_mantar.mp3
[2009/08/22 15:15:11 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\Dad\.boxit.ini
[2009/08/03 06:19:42 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dad\.gtk-bookmarks
[2009/07/24 22:01:22 | 000,000,030 | ---- | C] () -- C:\Documents and Settings\Dad\.gtkrc-2.0
[2009/03/03 09:40:47 | 000,440,230 | ---- | C] () -- C:\Documents and Settings\Dad\Notetab.pdf
[2008/11/08 18:51:09 | 000,086,016 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/07 19:21:38 | 006,291,456 | ---- | C] () -- C:\Documents and Settings\Dad\NTUSER.bak

========== ZeroAccess Check ==========

[2011/01/20 10:04:34 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2008/04/13 19:11:53 | 000,472,064 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/09/11 19:54:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\A-PDF
[2012/01/31 21:39:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2012/12/02 18:15:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DatacardService
[2011/02/19 20:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mytaxexpress
[2012/02/13 16:42:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mytaxexpress-efile
[2012/03/29 13:25:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2011/04/10 18:08:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/08/19 09:06:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/12/31 06:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Acapela Group
[2012/09/16 16:26:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2012/09/15 18:22:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\DriverCure
[2012/09/18 21:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\FreeSmith
[2009/07/24 18:48:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\gourmet
[2012/04/11 21:38:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\NewspaperDirect
[2011/09/20 09:55:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\ParetoLogic
[2012/02/24 20:32:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\PySolFC
[2009/02/11 08:55:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\tinySpell
[2011/04/10 18:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Trusteer
[2011/12/22 09:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Uniblue
[2013/01/31 07:18:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Vtools
[2010/08/17 22:46:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\WordWeb
[2011/04/27 17:14:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Trusteer
[2011/08/21 01:11:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Priti\Application Data\Trusteer
[2011/08/05 22:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rohit\Application Data\Trusteer

========== Purity Check ==========



========== Custom Scans ==========

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %SYSTEMDRIVE%\*.exe >
[2004/06/11 16:33:28 | 000,290,304 | ---- | M] (Microsoft Corporation) -- C:\subinacl.exe
Invalid Environment Variable: LOCALAPPDATA

< %systemdrive%\$Recycle.Bin|@;true;true;true /fp >

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2012/11/13 14:07:52 | 003,906,584 | ---- | M] (Safer-Networking Ltd.) MD5=E4A0900CF535888DDD85B10040CA3E34 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe

< MD5 for: SVCHOST.EXE >
[2012/12/14 16:49:28 | 000,216,424 | ---- | M] () MD5=22101A85B3CA2FE2BE05FE9A61A7A83D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/12/14 16:49:28 | 000,216,424 | ---- | M] () MD5=22101A85B3CA2FE2BE05FE9A61A7A83D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB26527$] -> -> Unknown point type
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\xpsp3_5512.080413-2113_usa_x86fre_spcd.iso:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Dad\Desktop\lfx.exe:SummaryInformation
< End of report >

Extras
------------------------------------------
OTL Extras logfile created on: 2/2/2013 9:57:43 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Dad\Desktop\Cleaning
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.36 Mb Total Physical Memory | 334.86 Mb Available Physical Memory | 32.72% Memory free
2.78 Gb Paging File | 2.15 Gb Available in Paging File | 77.47% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 13.48 Gb Free Space | 36.17% Space Free | Partition Type: NTFS
Drive D: | 492.57 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: USER-48EF0404BA | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:peer Name Resolution Protocol (PNRP)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:peer Name Resolution Protocol (PNRP)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0373EE20-70B7-437F-8746-09F4F0857DE8}" = Vtools Toolbar v6.7
"{1945A4B5-73B6-4DE9-99A3-05261B7FDED0}" = Shared C Run-time for x86
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{23970E31-948B-466E-8376-1224D32FDF0C}" = Convert
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 26
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36A9D3F8-3FCF-4FBA-A8AD-3C1CE56C8AF4}" = Philips Device Manager
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F06897-6735-4B97-9DF3-DE8BC27879D4}" = Philips Device Plug-in
"{654977DB-0001-0002-0001-EABD228DDE8B}" = Microsoft Download Manager
"{68249B6E-B714-11D7-88E8-0050DA21757E}" = Java 2 Runtime Environment Standard Edition v1.3.1_10
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7CDA2B02-E0A4-4EB5-8533-050D535BA43A}" = Media Converter for Philips
"{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{ADD5DB49-72CF-11D8-9D75-000129760D75}" = CyberLink PowerBackup
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = CyberLink PowerProducer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}" = System Requirements Lab for Intel
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"{EC86822D-3A20-11D5-801B-00E029348F40}" = SMSC IrCC V4.10.1999.4
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F16F258A-6300-4A1C-BC49-7929EFF455E2}" = TIPCIxx20
"{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1033}" = Nero 7 Essentials
"{FC57FC53-104C-415C-98D7-B05E659461A9}" = Broadcom NetXtreme Ethernet Controller
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Business-in-a-Box" = Business-in-a-Box
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"GOM Picker" = GOM PICKER
"GOM Player" = GOM Player
"GOM Video Converter" = GOM Video Converter
"Gtk+ Runtime Environment" = Gtk+ Runtime Environment 2.8.8-rc2
"ie8" = Windows Internet Explorer 8
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}" = CyberLink MediaShow
"InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9
"InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = CyberLink PowerProducer
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"InstallShield_{F16F258A-6300-4A1C-BC49-7929EFF455E2}" = Texas Instruments PCIxx20 drivers.
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"myTaxExpress EFile 2011_is1" = myTaxExpress EFile 2011
"myTaxExpress NETFILE 2011_is1" = myTaxExpress NETFILE 2011
"PySol Fan Club edition_is1" = PySol Fan Club edition v.2.0
"Rapport_msi" = Rapport
"Shockwave" = Shockwave
"Sudoku2PDF Pro_is1" = Sudoku2PDF Pro 2.6
"Time Stopper4.0" = Time Stopper
"tinySpell_is1" = tinySpell 1.7.010
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WordWeb" = WordWeb
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1715567821-854245398-49474851-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"2543445229.www.ndtv.com" = NDTV Play

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/2/2013 6:01:47 PM | Computer Name = USER-48EF0404BA | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/2/2013 6:12:24 PM | Computer Name = USER-48EF0404BA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/2/2013 6:46:47 PM | Computer Name = USER-48EF0404BA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070424 from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/2/2013 6:46:47 PM | Computer Name = USER-48EF0404BA | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/2/2013 6:47:01 PM | Computer Name = USER-48EF0404BA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070424 from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/2/2013 6:47:01 PM | Computer Name = USER-48EF0404BA | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/2/2013 10:15:18 PM | Computer Name = USER-48EF0404BA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070424 from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/2/2013 10:15:19 PM | Computer Name = USER-48EF0404BA | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 2/2/2013 10:15:34 PM | Computer Name = USER-48EF0404BA | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070424 from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/2/2013 10:15:34 PM | Computer Name = USER-48EF0404BA | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

[ System Events ]
Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7023
Description = The WebClient service terminated with the following error: %%2

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7003
Description = The Spybot-S&D 2 Updating Service service depends on the following
nonexistent service: seclogon

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security
Center Service service to connect.

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Security Center Service service failed to start due
to the following error: %%1053

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7000
Description = The Yahoo! Updater service failed to start due to the following error:
%%2

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7000
Description = The Power Control [2010/03/25 22:35:10] service failed to start due
to the following error: %%2

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 2/2/2013 10:15:36 PM | Computer Name = USER-48EF0404BA | Source = Service Control Manager | ID = 7023
Description = The Windows Time service terminated with the following error: %%2

Error - 2/2/2013 11:00:00 PM | Computer Name = USER-48EF0404BA | Source = Schedule | ID = 7901
Description = The At23.job command failed to start due to the following error: %%2147942402

Error - 2/2/2013 11:00:00 PM | Computer Name = USER-48EF0404BA | Source = Schedule | ID = 7901
Description = The At47.job command failed to start due to the following error: %%2147942402


< End of report >

Thanks again for your help

Satbahadur
 

Attachments

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,445
Your system still has a lot of malware/infection present, run the following:

Re-Run OTL by double left click, Vista and Windows 7 users accept UAC alert.
  • Under the box at the bottom, paste in the following, start with and include the colon plus OTL . :OTL

    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://rnd009.googlepages.com/google.html
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://rnd009.googlepages.com/google.html
    IE - HKLM\..\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}: "URL" = http://search.mywebsearch.com/mywebs...r={searchTerms}
    IE - HKLM\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.mywebsearch.com/mywebs...r={searchTerms}
    IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found
    IE - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\URLSearchHook: {5BFEFF94-6411-4B74-A947-4969134B24DE} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll File not found
    CHR - default_search_provider: Funmoods ()
    O3 - HKU\S-1-5-21-1715567821-854245398-49474851-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA} http://java.sun.com/products/plugin/...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O33 - MountPoints2\{203f8800-a3b8-11df-940e-000fb391bb04}\Shell - "" = AutoRun
    O33 - MountPoints2\{203f8800-a3b8-11df-940e-000fb391bb04}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell - "" = AutoRun
    O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{93cf3f50-b044-11dd-9016-000fb391bb04}\Shell - "" = Autorun
    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk - Reg Error: Value error. - File not found
    MsConfig - StartUpReg: BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - hkey= - key= - Reg Error: Value error. File not found
    MsConfig - StartUpReg: SpeedyComputer - hkey= - key= - Reg Error: Value error. File not found
    MsConfig - StartUpReg: TelevisionFanatic Browser Plugin Loader - hkey= - key= - Reg Error: Value error. File not found
    MsConfig - StartUpReg: TelevisionFanatic Search Scope Monitor - hkey= - key= - Reg Error: Value error. File not found
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2013/02/02 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
    [2013/02/02 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
    [2013/02/02 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
    [2013/02/02 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
    [2013/02/02 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
    [2013/02/02 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
    [2013/02/02 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
    [2013/02/02 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
    [2013/02/02 11:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
    [2013/02/02 11:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
    [2013/02/02 10:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
    [2013/02/02 10:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
    [2013/02/02 08:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
    [2013/02/02 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
    [2013/02/01 19:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
    [2013/02/01 19:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
    [2013/02/01 17:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
    [2013/02/01 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
    [2013/02/01 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
    [2013/02/01 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
    [2013/02/01 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
    [2013/02/01 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
    [2013/02/01 09:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
    [2013/02/01 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
    [2013/02/01 07:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
    [2013/02/01 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
    [2013/02/01 06:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
    [2013/02/01 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
    [2013/01/31 23:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
    [2013/01/31 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
    [2013/01/31 20:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
    [2013/01/31 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
    [2013/01/30 21:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
    [2013/01/30 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
    [2013/01/30 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
    [2013/01/30 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
    [2013/01/30 05:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
    [2013/01/30 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
    [2013/01/30 00:32:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2013/01/30 00:07:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
    [2013/01/18 01:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
    [2013/01/18 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2013/01/17 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
    [2013/01/17 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
    [2013/01/08 04:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
    [2013/01/08 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
    [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    @Alternate Data Stream - 88 bytes -> C:\xpsp3_5512.080413-2113_usa_x86fre_spcd.iso:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Dad\Desktop\lfx.exe:SummaryInformation
    :Files
    ipconfig /flushdns /c
    :Commands
    [emptytemp]
    [CREATERESTOREPOINT]
  • Then click the button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad), click File > Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Next,

Run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

Post those 3 logs, also give update on current issues/concerns..

Kevin
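Kevin's fix list above is a hand-built triage of an OTL scan. As an added example (not code from this thread or from OTL), the Python script below reads lines in that OTL format and flags the same classes of entry a helper looks for: drivers whose image file is missing, an Internet Explorer start page pointing at an unexpected host, AutoRun commands registered for removable volumes, and a cluster of At*.job scheduled tasks. The sample lines are constructed from the list above; the allowlisted start-page hosts and the cluster threshold are assumptions for the example.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "category detail")

# Hosts a start page is expected to point at (assumption for this example;
# tune to the environment being reviewed).
EXPECTED_START_PAGE_HOSTS = {"www.msn.com", "www.google.com"}
# How many At*.job tasks before we report them as a cluster (assumption).
AT_JOB_CLUSTER_MIN = 3

# Constructed sample in OTL fix-list format, taken from the list above.
SAMPLE_OTL_LINES = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://rnd009.googlepages.com/google.html
O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell - "" = AutoRun
O33 - MountPoints2\{7848b470-3cd5-11e2-a32f-000802da2486}\Shell\AutoRun\command - "" = E:\AutoRun.exe
MsConfig - StartUpReg: SpeedyComputer - hkey= - key= - Reg Error: Value error. File not found
[2013/02/02 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2013/02/02 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2013/02/02 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
"""

# DRV entry whose image file OTL could not find; the path may be empty.
DRV_RE = re.compile(r"^DRV - File not found .*?-- (?P<path>.*?)-- \((?P<name>[^)]+)\)$")
# IE start page override, keyed by the registry hive it lives in.
IE_START_RE = re.compile(r"^IE - (?P<key>.+?),Start Page = (?P<url>\S+)$")
# AutoRun command registered under MountPoints2 for a (removable) volume.
O33_CMD_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)
# OTL file entry for an At*.job task: [timestamp | size | attrs | M] () -- path
JOB_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| [^\]]*\] \(\) -- (?P<path>.+\\tasks\\At\d+\.job)$"
)


def triage(otl_text):
    """Return a list of Finding records for the suspicious entries in otl_text."""
    findings = []
    at_jobs = []
    for raw in otl_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRV_RE.match(line)
        if m:
            path = m.group("path").strip() or "(no image path)"
            findings.append(Finding("missing_driver", f"{m.group('name')} -> {path}"))
            continue
        m = IE_START_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host not in EXPECTED_START_PAGE_HOSTS:
                findings.append(Finding("start_page", f"{m.group('key')} -> {host}"))
            continue
        m = O33_CMD_RE.match(line)
        if m:
            findings.append(Finding("removable_autorun", f"volume {m.group('guid')} runs {m.group('cmd')}"))
            continue
        m = JOB_RE.match(line)
        if m:
            at_jobs.append((m.group("ts"), int(m.group("size").replace(",", "")), m.group("path")))
    # Many near-identical At*.job tasks are reported once, as a cluster.
    if len(at_jobs) >= AT_JOB_CLUSTER_MIN:
        sizes = sorted({size for _, size, _ in at_jobs})
        findings.append(Finding("at_job_cluster", f"{len(at_jobs)} At*.job tasks, sizes {sizes}"))
    return findings


def summarize(findings):
    """Count findings per category, for a quick overview of a log."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_OTL_LINES)
    for finding in results:
        print(f"{finding.category:18} {finding.detail}")
    print(dict(summarize(results)))
```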
 

satbahadur

Thread Starter
Joined
Jan 30, 2013
Messages
57
Hi Kevin
I am a little frustrated by having this malware/infection present. I went ahead as suggested and ran OTL as directed. It did not work as expected: while running it freezes and all the icons on the opening screen, along with the taskbar, disappear. I tried 3 times with the same results. Although it creates a C:\_OTL\MovedFiles folder, when checking it is empty. Next I ran Combofix and it also freezes after a message about a Rootkit and does not make a file C:\ComboFix.txt. Lastly when I used the MGA Diagnostic Tool it did create a report which I am posting. I hope to receive your next directions, as in this post I have only the MGA Diagnostic Report as the other two failed to work on my laptop for an unspecified reason. Thanks

Satbahadur

The MGA Diagnostic Report
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-VTY8B-KX7GP-Y8VYB
Windows Product Key Hash: Hli9BCJ6bGXvFUwxfnpZRyBG/VA=
Windows Product ID: 55274-OEM-2245332-53824
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {7EF33B64-8737-4BBF-AAD5-0DBEF8F1FEAA}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Publisher 2002 - 100 Genuine
Microsoft Office XP Professional with FrontPage - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7EF33B64-8737-4BBF-AAD5-0DBEF8F1FEAA}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-Y8VYB</PKey><PID>55274-OEM-2245332-53824</PID><PIDType>3</PIDType><SID>S-1-5-21-1715567821-854245398-49474851</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq nc6000 (DV939C#ABA) </Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68BDD Ver. F.15</Version><SMBIOSVersion major="2" minor="3"/><Date>20060830000000.000000+000</Date></BIOS><HWID>66B93707018400EC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90190409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Publisher 2002</Name><Ver>10</Ver><Val>B128FD8CC4B4004</Val><Hash>Vb2e86j8DAXInLL4wCY3su2GvgU=</Hash><Pid>54197-640-0000025-16365</Pid><PidType>14</PidType></Product><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54185-640-0000025-17209</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="114"/><App Id="16" Version="10" Result="114"/><App Id="17" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="19" Version="10" Result="100"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 87CC:Compaq Computer Corporation|1A25A:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|1A202:Compaq Computer Corporation|1A202:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|1A202:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,445
OK, if OTL and Combofix are freezing we will try a different tool:

Please download the latest version of TDSSKiller from here:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan will be quick.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Kevin....
 

satbahadur

Thread Starter
Joined
Jan 30, 2013
Messages
57
Hi Kevin
I am deeply impressed by your immediate attention to my problem.

As indicated I did the scan with TDSSKiller and have the log files at C:\. Here I found 3 files, namely
· TDSSKiller.2.8.15.0_04.02.2013_13.57.30_log.txt
· TDSSKiller.2.8.15.0_04.02.2013_13.47.45_log.txt
· AdwCleaner[S1].txt
The files seem large, therefore I have attached them to this post. The attachment did not allow me to attach one log file TDSSKiller.2.8.15.0_04.02.2013_13.57.30_log.txt, therefore I have divided the file in 2 parts

Now all log files are attached Thanks
Satbahadur
 


kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,445
The logs from TDSSKiller show the presence of TDSS file system \Device\Harddisk0\DR0 ( TDSS File System ) but no presence of TDL3 or TDL4 infection.

OK, can you delete Combofix from your Desktop, d/l a fresh copy from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe, save it to your Desktop and run it one more time, then post the log in your reply...

Kevin
 

satbahadur

Thread Starter
Joined
Jan 30, 2013
Messages
57
Hi Kevin
This time Combofix worked perfectly; I am sending the log file here and attaching it as well. Thanks

ComboFix Log File
------------------------------------
ComboFix 13-02-03.03 - Dad 02/05/2013 6:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.568 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\Cleaning\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
c:\documents and settings\Dad\Recent\Desktop(2).ini
c:\documents and settings\Dad\WINDOWS
c:\documents and settings\Dad\WINDOWS\Sti_Trace.log
c:\documents and settings\Dad\WINDOWS\win.ini
c:\windows\explorer(2).exe
c:\windows\system32\Cache
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\linkinfo(2).dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
-------\Legacy_TELEVISIONFANATICSERVICE
-------\Service_RkHit
-------\Service_xcpip
-------\Service_xpsec
.
.
((((((((((((((((((((((((( Files Created from 2013-01-05 to 2013-02-05 )))))))))))))))))))))))))))))))
.
.
2013-02-04 18:42 . 2013-02-04 18:51 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-04 14:11 . 2013-02-04 17:58 13024 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-02-04 14:10 . 2013-02-04 14:10 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\SlimWare Utilities Inc
2013-02-04 05:21 . 2013-02-04 05:21 -------- d-----w- C:\_OTL
2013-02-04 05:07 . 2013-02-04 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2013-02-02 23:36 . 2013-02-02 23:36 -------- d-----w- c:\documents and settings\Dad\Local Settings\Application Data\Deployment
2013-02-02 22:17 . 2013-02-02 22:17 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2013-02-02 22:16 . 2013-02-02 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-02-02 22:16 . 2013-02-02 22:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-02 22:16 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-02 17:54 . 2013-01-17 06:28 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-02-02 17:48 . 2013-02-02 17:48 -------- d-----w- c:\program files\Microsoft Download Manager
2013-02-01 23:11 . 2013-02-01 23:11 -------- d-----w- c:\program files\SystemRequirementsLab
2013-02-01 20:45 . 2013-02-01 20:46 -------- d-----w- C:\rsit
2013-01-31 14:00 . 2001-08-23 12:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
2013-01-31 13:59 . 2013-01-31 14:01 -------- d-----w- C:\Inetpub
2013-01-31 13:41 . 2001-08-23 12:00 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2013-01-31 13:41 . 2001-08-23 12:00 18944 ----a-w- c:\windows\system32\simptcp.dll
2013-01-31 11:43 . 2013-01-31 12:18 -------- d-----w- c:\documents and settings\Dad\Application Data\Vtools
2013-01-30 17:44 . 2006-12-29 05:31 19569 ----a-w- c:\windows\000001_.tmp
2013-01-30 12:47 . 2009-01-25 17:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-01-30 12:47 . 2013-01-30 12:48 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-01-21 01:47 . 2013-01-21 01:47 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-17 04:56 . 2012-09-20 18:12 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-17 04:56 . 2011-09-09 14:05 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-04 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-02 23:13 . 2012-12-02 23:14 95744 -c--a-w- c:\windows\system32\drivers\ew_jucdcacm.sys
2012-12-02 23:13 . 2012-12-02 23:14 76544 ----a-w- c:\windows\system32\drivers\ew_jubusenum.sys
2012-12-02 23:13 . 2012-12-02 23:14 67584 -c--a-w- c:\windows\system32\drivers\ew_jucdcecm.sys
2012-12-02 23:13 . 2012-12-02 23:14 28672 -c--a-w- c:\windows\system32\drivers\usbccid.sys
2012-12-02 23:13 . 2012-12-02 23:14 27520 -c--a-w- c:\windows\system32\drivers\ew_juextctrl.sys
2012-12-02 23:13 . 2012-12-02 23:14 1112288 -c--a-w- c:\windows\system32\drivers\WdfCoInstaller01007.dll
2012-12-02 23:13 . 2012-12-02 23:14 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2012-12-02 23:13 . 2012-12-02 23:14 861696 -c--a-w- c:\windows\system32\drivers\mod7700.sys
2012-12-02 23:13 . 2012-12-02 23:14 25856 -c--a-w- c:\windows\system32\drivers\ewdcsc.sys
2012-12-02 23:13 . 2012-12-02 23:14 245376 -c--a-w- c:\windows\system32\drivers\ewusbnet.sys
2012-12-02 23:13 . 2012-12-02 23:14 199168 -c--a-w- c:\windows\system32\drivers\ewusbmdm.sys
2012-12-02 23:13 . 2012-12-02 23:14 19200 -c--a-w- c:\windows\system32\drivers\ew_hwupgrade.sys
2012-12-02 23:13 . 2012-12-02 23:14 11136 -c--a-w- c:\windows\system32\drivers\ew_usbenumfilter.sys
2012-12-02 23:13 . 2012-12-02 23:14 102784 -c--a-w- c:\windows\system32\drivers\ew_hwusbdev.sys
2012-11-13 01:25 . 2004-08-04 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedyComputer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelevisionFanatic Browser Plugin Loader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelevisionFanatic Search Scope Monitor
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 RapportCerberus_43926;RapportCerberus_43926;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys [10/30/2012 5:32 AM 272216]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [9/7/2012 10:07 AM 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [9/7/2012 10:07 AM 166840]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2/2/2013 5:16 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2013 5:16 PM 682344]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [9/7/2012 10:07 AM 976728]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [1/30/2013 7:47 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1/30/2013 7:47 AM 1369624]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [12/2/2012 6:14 PM 76544]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/2/2013 5:16 PM 21104]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/30/2012 2:02 AM 21520]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/03/25 22:35]; [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [1/30/2013 7:47 AM 168384]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 cpuz134;cpuz134; [x]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [9/7/2012 10:07 AM 65848]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2/4/2013 9:11 AM 13024]
S3 u302bus;HSPADataCard WMC Bus Driver (WDM);c:\windows\system32\DRIVERS\u302bus.sys --> c:\windows\system32\DRIVERS\u302bus.sys [?]
S3 u302mdfl;HSPADataCard Modem Filter;c:\windows\system32\DRIVERS\u302mdfl.sys --> c:\windows\system32\DRIVERS\u302mdfl.sys [?]
S3 u302mdm;HSPADataCard Modem Driver;c:\windows\system32\DRIVERS\u302mdm.sys --> c:\windows\system32\DRIVERS\u302mdm.sys [?]
S3 u302mgmt;HSPADataCard USB Device Management Drivers (WDM);c:\windows\system32\DRIVERS\u302mgmt.sys --> c:\windows\system32\DRIVERS\u302mgmt.sys [?]
S4 HWDeviceService.exe;HWDeviceService.exe;c:\documents and settings\All Users\Application Data\DatacardService\HWDeviceService.exe [3/14/2011 10:27 AM 271712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-20 04:56]
.
2013-01-30 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-01-30 19:08]
.
2013-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-05 16:02]
.
2013-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-05 16:02]
.
2013-01-30 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-01-30 19:07]
.
2013-01-30 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-01-30 19:07]
.
2013-02-05 c:\windows\Tasks\User_Feed_Synchronization-{30B0C8CA-0968-48BE-8B86-A453A4D8BE23}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{5BFEFF94-6411-4B74-A947-4969134B24DE} - (no file)
SafeBoot-28466839.sys
SafeBoot-54088132.sys
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-05 07:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-854245398-49474851-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\netdde.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2013-02-05 07:16:12 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-05 12:16
.
Pre-Run: 14,537,658,368 bytes free
Post-Run: 14,617,059,328 bytes free
.
- - End Of File - - EFE9E0AE6EDB5DD0FD82F1805B757BAB
----------------------------------------------------------------End of File

Attached ComboFix.txt

Satbahadur
 


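The ComboFix report above is read by eye in this thread; the items a helper looks at first are the deleted look-alike copies of Windows binaries (explorer(2).exe, ctfmon(2).exe, linkinfo(2).dll beside the real ones), the service keys ComboFix removed (Legacy_RKHIT, Service_RkHit, Service_xcpip), and service rows whose image file no longer exists (marked "[x]" or "--> ... [?]"). The following is an added example, not part of the original posts and not a ComboFix or Kaspersky tool: a small hypothetical Python triage parser for ComboFix-style log text. The section-header, service-row and "(N)" file-name patterns are assumptions inferred from the format of the posted log, and the sample input is an excerpt constructed from lines of that log.

```python
"""Triage helper for ComboFix-style log text (added example; hypothetical parser).

Pulls out of a ComboFix report:
  * "Other Deletions": files under c:\\windows named like an existing binary with a
    "(N)" suffix (explorer(2).exe imitates explorer.exe), which warrant a look,
  * "Drivers/Services": the service/Legacy keys ComboFix removed,
  * R*/S* service rows whose image is missing: rest of row is "[x]" or ends in "[?]".
The regexes below are assumptions derived from the log format seen in this thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Dad\Recent\Desktop(2).ini
c:\windows\explorer(2).exe
c:\windows\system32\Cache
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\linkinfo(2).dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_RKHIT
-------\Service_RkHit
-------\Service_xcpip
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2013 5:16 PM 682344]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/03/25 22:35]; [x]
S3 cpuz134;cpuz134; [x]
S3 u302bus;HSPADataCard WMC Bus Driver (WDM);c:\windows\system32\DRIVERS\u302bus.sys --> c:\windows\system32\DRIVERS\u302bus.sys [?]
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")            # "((( Other Deletions )))"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]*);([^;]*);(.*)$")  # start;name;display;image
SHADOW_RE = re.compile(r"^(.+?)\((\d+)\)(\.[A-Za-z0-9]+)$")  # name(2).ext


@dataclass
class Triage:
    shadow_copies: list = field(default_factory=list)     # (deleted path, name imitated)
    removed_services: list = field(default_factory=list)  # key names after "-------\"
    dangling_services: list = field(default_factory=list) # (start type, service name)


def split_sections(text):
    """Map section name -> content lines. Text before the first header goes under ''.
    ComboFix pads sections with bare '.' lines; those are dropped."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def shadow_target(path):
    """For a path under c:\\windows whose file name is name(N).ext, return name.ext;
    otherwise None. Only the Windows tree is checked: a Desktop(2).ini in a user
    profile is ordinary Explorer behaviour."""
    folder, _, name = path.lower().rpartition("\\")
    if not folder.startswith("c:\\windows"):
        return None
    m = SHADOW_RE.match(name)
    return m.group(1) + m.group(3) if m else None


def parse_service(line):
    """Return (start type, name, image_missing) for an R*/S* service row, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, _display, rest = m.groups()
    rest = rest.strip()
    missing = rest == "[x]" or rest.endswith("[?]")
    return start, name, missing


def triage(text):
    """Run all three checks over a ComboFix report and collect the findings."""
    t = Triage()
    sections = split_sections(text)
    for path in sections.get("Other Deletions", []):
        target = shadow_target(path)
        if target:
            t.shadow_copies.append((path, target))
    for line in sections.get("Drivers/Services", []):
        if line.startswith("-------\\"):
            t.removed_services.append(line.split("\\", 1)[1])
    for lines in sections.values():            # service table can sit in any section
        for line in lines:
            svc = parse_service(line)
            if svc and svc[2]:
                t.dangling_services.append((svc[0], svc[1]))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, target in result.shadow_copies:
        print(f"look-alike copy removed: {path}  (imitates {target})")
    for key in result.removed_services:
        print(f"service key removed: {key}")
    for start, name in result.dangling_services:
        print(f"service with missing image: {start} {name}")
```

A dangling "[x]" row is not by itself evidence of infection (cpuz134 is the leftover of a hardware-info utility, and the HSPADataCard drivers are simply not present on disk); the point of listing them is to separate registry leftovers from the entries that actually have a file to analyse.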