
[A] Unnamed virus, black screen, no access to task manager or any icons or files

Discussion in 'Virus and Malware Removal' started by tapersteve, Oct 1, 2012.

  1. Broni Malware Annihilator Posts: 39,412   +177

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\services.exe|C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe /replace
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Reboot normally into Windows.

    Let me know if MBAM keeps complaining.
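Before a `:Files ... /replace` line like the one in the Fix.txt above is run, it is worth checking that the known-good copy actually exists and differs from the file it will overwrite. The following is an added example, not OTL's own code or anything posted in this thread: a hypothetical dry-run checker that parses only the subset of the fix-script format shown here (`:`-prefixed sections, `[purity]`, `source|target /replace`), hashes both sides of each replace and reports a verdict without writing anything; the Windows paths are stood in for by constructed placeholder files in a temp directory.

```python
import hashlib
import os
import tempfile


def parse_fix_script(text):
    """Split an OTL-style fix script into {section: [lines]}: a section
    header is a line starting with ':' (':OTL', ':Files', ...), blank lines
    are dropped and anything before the first header is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_replace_directives(file_lines):
    """Turn 'source|target /replace' lines into (source, target) pairs.
    :Files lines without the /replace switch are not copy operations, so
    this checker skips them."""
    directives = []
    for line in file_lines:
        if not line.lower().endswith("/replace"):
            continue
        body = line[: -len("/replace")].strip()
        if "|" not in body:
            raise ValueError(f"replace line needs 'source|target': {line!r}")
        src, dst = (part.strip() for part in body.split("|", 1))
        directives.append((src, dst))
    return directives


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_replace(source, target):
    """Report what a replace would do, without writing anything.
    Verdicts: 'source-missing' (nothing to copy from), 'identical' (target
    already matches the known-good copy, so the fix is a no-op) or
    'would-replace' (target absent or different, so it would be overwritten)."""
    src_ok, dst_ok = os.path.isfile(source), os.path.isfile(target)
    src_hash = sha256_of(source) if src_ok else None
    dst_hash = sha256_of(target) if dst_ok else None
    if not src_ok:
        verdict = "source-missing"
    elif dst_ok and src_hash == dst_hash:
        verdict = "identical"
    else:
        verdict = "would-replace"
    return {"source": source, "target": target, "source_sha256": src_hash,
            "target_sha256": dst_hash, "verdict": verdict}


def dry_run(fix_text):
    """Parse a fix script and check every :Files replace directive in it."""
    files = parse_fix_script(fix_text).get("files", [])
    return [check_replace(src, dst) for src, dst in parse_replace_directives(files)]


# Constructed sample with the same layout as the Fix.txt above; the Windows
# paths are replaced by placeholder files created in a temp directory.
SAMPLE_FIX = """:OTL
:Services
:Reg
:Files
{good}|{tampered} /replace
{good}|{same} /replace
{missing}|{tampered} /replace
:Commands
[purity]
"""


def run_sample():
    """Create the placeholder files and return one verdict per :Files line:
    tampered target, target already identical, and a missing source file."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name)
                 for name in ("good", "tampered", "same", "missing")}
        for name, data in (("good", b"MZ-known-good"),
                           ("tampered", b"MZ-tampered"),
                           ("same", b"MZ-known-good")):
            with open(paths[name], "wb") as fh:
                fh.write(data)
        return [r["verdict"] for r in dry_run(SAMPLE_FIX.format(**paths))]
```

On a real system the same `dry_run` would be pointed at the script from a clean boot environment such as the OTLPE disc, so the digests reflect the files on the offline C: drive rather than whatever is running.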
  2. tapersteve Newcomer, in training Posts: 52

    Broni,
I am able to do all of this from the "infected" computer. The only issue is being unable to access this forum from the IE built into the REATOGO-X-PE desktop, and the lack of a functional Firefox icon on the desktop. I am simply going to my regular documents and settings, while the REATOGO-X-PE is running, and starting Firefox from there. I will now run OTLPE with the fix.txt. Steve
  3. tapersteve Newcomer, in training Posts: 52

    Broni,

    I think that I have done everything that you wanted me to do. There were two logs produced, one after OTL ran, and another after I did the "Run fix." I am posting both below. My continued thanks for all of your efforts. Steve

    OTL:

    OTL logfile created on: 10/5/2012 8:26:37 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
    Paging file location(s): [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.82 Gb Total Space | 63.07 Gb Free Space | 27.09% Space Free | Partition Type: NTFS
    Drive D: | 37.26 Gb Total Space | 5.46 Gb Free Space | 14.66% Space Free | Partition Type: NTFS
    Drive E: | 698.64 Gb Total Space | 102.48 Gb Free Space | 14.67% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet005

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (stllssvr)
    SRV - File not found [Auto] -- -- (MDM)
    SRV - File not found [Disabled] -- -- (IDriverT)
    SRV - File not found [Disabled] -- -- (AOL TopSpeedMonitor)
    SRV - [2012/09/09 02:25:57 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2012/08/29 16:17:06 | 002,445,880 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
    SRV - [2012/08/21 05:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2012/04/28 18:37:11 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2011/11/03 14:25:09 | 002,358,656 | ---- | M] (TeamViewer GmbH) [Auto] -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe -- (TeamViewer6)
    SRV - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
    SRV - [2011/02/02 11:57:54 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
    SRV - [2009/01/30 01:50:06 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
    SRV - [2008/07/21 17:53:04 | 000,193,888 | ---- | M] (Seagate Technology LLC) [Auto] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | Auto] -- -- (PfModNT)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand] -- -- (EraserUtilDrv11010)
    DRV - File not found [Kernel | On_Demand] -- -- (ENTECH)
    DRV - File not found [Kernel | On_Demand] -- -- (DELTAII) Service for M-Audio Delta Driver (WDM)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - File not found [Kernel | System] -- -- (A2DDA)
    DRV - [2012/10/03 18:22:10 | 000,035,144 | ---- | M] () [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
    DRV - [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2012/08/29 15:45:24 | 000,526,640 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
    DRV - [2012/08/21 05:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2012/08/21 05:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2012/08/21 05:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2012/08/21 05:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2012/08/21 05:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2012/08/21 05:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2012/08/21 05:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2011/07/29 13:54:56 | 000,013,192 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
    DRV - [2011/07/29 13:54:56 | 000,008,456 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
    DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2011/03/18 12:08:54 | 000,025,240 | ---- | M] (Almico Software) [Kernel | Boot] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
    DRV - [2011/01/12 21:15:08 | 000,136,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
    DRV - [2011/01/12 21:15:08 | 000,121,192 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
    DRV - [2011/01/12 21:15:08 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
    DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
    DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
    DRV - [2007/05/03 14:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
    DRV - [2007/05/02 16:21:22 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2007/01/25 12:12:22 | 000,302,336 | ---- | M] (Midiman/M-Audio) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\delta.sys -- (DELTA) Service for Delta Driver (WDM)
    DRV - [2007/01/19 13:53:43 | 000,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2007/01/19 13:53:42 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
    DRV - [1996/04/03 15:33:26 | 000,005,248 | ---- | M] () [Kernel | Disabled] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator.STEVE-QUAD_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Guest_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Steve_Kwartin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    IE - HKU\Steve_Kwartin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
    FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+(R),version=1.6.2.97: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
    FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+(R),version=1.6.2.99: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012/09/05 18:33:39 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/09 02:26:00 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/08 01:01:32 | 000,000,000 | ---D | M]

    [2012/10/01 07:11:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Mozilla\Extensions
    [2012/06/11 11:32:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) --
    [2012/09/09 02:25:59 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/04/27 11:35:22 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012/08/14 17:49:30 | 000,171,136 | ---- | M] (Tracker Software Products (Canada) Ltd.) -- C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
    [2012/09/09 02:25:53 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/09/09 02:25:53 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/10/04 21:13:24 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
    O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Administrator.STEVE-QUAD_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Guest_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Steve_Kwartin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\Steve_Kwartin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Steve_Kwartin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/07/21 09:33:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2005/03/13 14:32:42 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2012/10/04 21:19:56 | 000,000,055 | ---- | M] () - E:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/11/24 15:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve Kwartin\Desktop\Virus
    [2012/10/05 12:38:30 | 000,600,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve Kwartin\Desktop\OTL.exe
    [2012/10/05 12:33:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2012/10/04 21:20:14 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
    [2012/10/04 19:56:49 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Steve Kwartin\Desktop\TDSSKiller.exe
    [2012/10/04 19:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve Kwartin\Desktop\Alamo
    [2012/10/03 23:24:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/10/03 23:22:13 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/10/03 23:22:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/10/03 23:22:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/10/03 23:22:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/10/03 23:15:11 | 004,761,955 | R--- | C] (Swearware) -- C:\Documents and Settings\Steve Kwartin\Desktop\ComboFix.exe
    [2012/10/03 23:05:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Steve Kwartin\Recent
    [2012/10/03 09:41:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Check Point
    [2012/10/03 03:59:49 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Steve Kwartin\Desktop\aswMBR.exe
    [2012/10/03 03:42:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve Kwartin\My Documents\ForceField Shared Files
    [2012/10/03 03:32:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve Kwartin\Desktop\RK_Quarantine
    [2012/10/03 00:04:17 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/10/02 17:23:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\Jose
    [2012/10/02 14:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
    [2012/10/01 23:15:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\Run
    [2012/10/01 23:14:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\EurekaLog
    [2012/10/01 23:12:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\WinRAR
    [2012/10/01 21:20:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\My Videos
    [2012/10/01 21:20:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\My Pictures
    [2012/10/01 21:20:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\My Music
    [2012/10/01 21:20:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Start Menu\Programs\Administrative Tools
    [2012/10/01 20:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve Kwartin\My Documents\virus
    [2012/10/01 18:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZA_PreservedFiles
    [2012/10/01 15:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\Downloads
    [2012/10/01 07:12:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Macromedia
    [2012/10/01 07:11:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Local Settings\Application Data\Mozilla
    [2012/10/01 07:11:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Mozilla
    [2012/10/01 06:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Malwarebytes
    [2012/10/01 06:05:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Adobe
    [2012/10/01 05:55:54 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Microsoft
    [2012/10/01 05:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Start Menu\Programs\Startup
    [2012/10/01 05:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Start Menu
    [2012/10/01 05:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\SendTo
    [2012/10/01 05:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data
    [2012/10/01 05:55:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Start Menu\Programs\Accessories
    [2012/10/01 05:55:54 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Cookies
    [2012/10/01 05:55:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Local Settings
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Templates
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Recent
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\PrintHood
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\NetHood
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Local Settings\Application Data\Microsoft
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Favorites
    [2012/10/01 05:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Desktop
    [2012/09/25 11:39:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Open Freely
    [2012/09/25 11:39:17 | 000,000,000 | ---D | C] -- C:\Program Files\Open Freely
    [2012/09/20 17:00:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PDF-XChange PDF Viewer
    [2012/09/17 18:08:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve Kwartin\Application Data\Sound Devices
    [2012/09/17 17:55:28 | 000,000,000 | ---D | C] -- C:\Program Files\Silabs
    [2012/09/17 17:55:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Silabs
    [2012/09/17 17:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sound Devices
    [2012/09/17 17:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\Sound Devices
    [2012/09/12 22:05:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
    [2012/09/12 22:05:25 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2012/09/07 23:36:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData

    ========== Files - Modified Within 30 Days ==========

    [2012/11/24 13:39:57 | 000,199,046 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Thank you for your Order2!.pdf
    [2012/11/24 13:37:41 | 000,166,662 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Shopping cart3.pdf
    [2012/11/24 13:35:26 | 000,198,523 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Thank you for your Order!.pdf
    [2012/11/24 13:30:28 | 000,167,294 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Shopping cart2.pdf
    [2012/10/05 15:37:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/10/05 14:58:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/10/05 14:57:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/10/05 13:47:00 | 000,000,394 | ---- | M] () -- C:\WINDOWS\tasks\FreeFileViewerUpdateChecker.job
    [2012/10/05 12:38:28 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve Kwartin\Desktop\OTL.exe
    [2012/10/05 06:33:00 | 000,000,318 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
    [2012/10/04 21:20:42 | 000,000,328 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
    [2012/10/04 21:20:41 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
    [2012/10/04 21:20:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/10/04 21:20:12 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/10/04 21:13:24 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/10/04 18:00:00 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
    [2012/10/04 12:56:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\cd
    [2012/10/04 01:20:00 | 000,000,432 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job
    [2012/10/04 01:00:39 | 001,422,336 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\RogueKiller.exe
    [2012/10/04 00:52:05 | 000,521,038 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/10/04 00:52:05 | 000,095,478 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/10/03 23:24:06 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/10/03 23:15:11 | 004,761,955 | R--- | M] (Swearware) -- C:\Documents and Settings\Steve Kwartin\Desktop\ComboFix.exe
    [2012/10/03 18:22:10 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
    [2012/10/03 09:41:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Check Point
    [2012/10/03 09:01:37 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\MBR.dat
    [2012/10/03 04:00:03 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Steve Kwartin\Desktop\aswMBR.exe
    [2012/10/03 03:46:12 | 000,415,877 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
    [2012/10/03 03:45:37 | 000,000,256 | ---- | M] () -- C:\Boot.bak
    [2012/10/03 03:29:49 | 002,193,278 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\tdsskiller.zip
    [2012/10/02 00:52:49 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/10/01 23:36:15 | 000,811,138 | ---- | M] () -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\152 Order Adopting Report and Recommendations re Attorneys Fees.pdf
    [2012/10/01 20:17:23 | 000,000,440 | RHS- | M] () -- C:\Documents and Settings\Steve Kwartin\ntuser.pol
    [2012/10/01 17:22:32 | 000,000,440 | RHS- | M] () -- C:\Documents and Settings\Administrator.STEVE-QUAD\ntuser.pol
    [2012/10/01 12:44:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/09/30 14:48:32 | 000,081,792 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Scanned Image 122740000.jpg
    [2012/09/29 19:42:48 | 000,000,063 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Application Data\bteasy.ini
    [2012/09/29 18:56:32 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
    [2012/09/28 12:16:15 | 000,187,238 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\My Documents\Ticketmaster Confirmation.pdf
    [2012/09/26 23:29:52 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to iexplore.exe.lnk
    [2012/09/26 23:01:31 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
    [2012/09/26 22:49:05 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/09/26 22:28:21 | 000,001,337 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/09/25 11:39:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Open Freely
    [2012/09/24 12:20:44 | 000,181,703 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Confirm Order.pdf
    [2012/09/22 01:24:04 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Application Data\Microsoft\Internet Explorer\Quick Launch\foobar2000.lnk
    [2012/09/21 19:03:38 | 000,068,565 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\The Who - Posters.pdf
    [2012/09/20 17:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\PDF-XChange PDF Viewer
    [2012/09/19 20:57:15 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2012/09/17 19:25:14 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Steve Kwartin\Desktop\TDSSKiller.exe
    [2012/09/17 17:55:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sound Devices
    [2012/09/15 18:40:31 | 000,102,300 | ---- | M] () -- C:\Documents and Settings\Steve Kwartin\Desktop\axel-rosales-most-piercings-on-face_dsc5560.jpg
    [2012/09/12 22:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
    [2012/09/09 02:37:37 | 000,000,548 | ---- | M] () -- C:\WINDOWS\tasks\Rescue Reminder for 2HAA48PR.job
    [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

    ========== Files Created - No Company Name ==========

    [2012/11/24 13:39:56 | 000,199,046 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Thank you for your Order2!.pdf
    [2012/11/24 13:37:40 | 000,166,662 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Shopping cart3.pdf
    [2012/11/24 13:35:25 | 000,198,523 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Thank you for your Order!.pdf
    [2012/11/24 13:30:27 | 000,167,294 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Shopping cart2.pdf
    [2012/10/04 12:56:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\cd
    [2012/10/04 01:00:45 | 001,422,336 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\RogueKiller.exe
    [2012/10/03 23:22:13 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/10/03 23:22:13 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/10/03 23:22:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/10/03 23:22:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/10/03 23:22:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/10/03 18:22:10 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
    [2012/10/03 09:01:37 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\MBR.dat
    [2012/10/03 03:42:29 | 000,415,877 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
    [2012/10/03 03:29:45 | 002,193,278 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\tdsskiller.zip
    [2012/10/01 23:36:15 | 000,811,138 | ---- | C] () -- C:\Documents and Settings\Administrator.STEVE-QUAD\My Documents\152 Order Adopting Report and Recommendations re Attorneys Fees.pdf
    [2012/10/01 12:44:20 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/10/01 06:44:31 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\Administrator.STEVE-QUAD\ntuser.pol
    [2012/10/01 05:55:55 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator.STEVE-QUAD\Start Menu\Programs\Remote Assistance.lnk
    [2012/10/01 05:55:55 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator.STEVE-QUAD\Start Menu\Programs\Windows Media Player.lnk
    [2012/09/30 14:46:08 | 000,081,792 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Scanned Image 122740000.jpg
    [2012/09/28 12:16:13 | 000,187,238 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\My Documents\Ticketmaster Confirmation.pdf
    [2012/09/26 23:29:52 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to iexplore.exe.lnk
    [2012/09/24 12:20:42 | 000,181,703 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Confirm Order.pdf
    [2012/09/22 01:24:04 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Application Data\Microsoft\Internet Explorer\Quick Launch\foobar2000.lnk
    [2012/09/21 19:03:37 | 000,068,565 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\The Who - Posters.pdf
    [2012/09/15 18:46:42 | 000,102,300 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\axel-rosales-most-piercings-on-face_dsc5560.jpg
    [2012/09/12 22:02:33 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\Steve Kwartin\ntuser.pol
    [2012/08/05 14:25:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bench32.INI
    [2012/08/05 03:28:39 | 000,019,840 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
    [2012/08/05 03:28:37 | 002,468,520 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
    [2012/08/05 03:28:37 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
    [2012/08/05 03:28:37 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
    [2012/08/05 03:28:37 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
    [2012/08/02 19:27:20 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2012/07/13 19:18:42 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/07/13 17:50:51 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Guest\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/04/20 18:54:29 | 000,156,864 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2012/01/06 18:10:20 | 000,000,088 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\default.pls
    [2012/01/06 16:30:50 | 000,156,160 | ---- | C] () -- C:\WINDOWS\System32\WS_ContextMenu.dll
    [2011/10/26 17:10:24 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2011/09/11 15:31:07 | 000,000,918 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\.recently-used.xbel
    [2011/01/08 16:19:10 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
    [2011/01/05 17:35:49 | 000,004,212 | ---- | C] () -- C:\WINDOWS\System32\zllictbl.dat
    [2011/01/05 13:49:22 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2010/12/13 02:18:45 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2009/05/12 01:00:18 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
    [2009/02/12 12:26:33 | 000,492,118 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Application Data\fontlst2.opf
    [2009/02/03 15:15:15 | 000,000,543 | ---- | C] () -- C:\WINDOWS\OPHC.ini
    [2008/12/07 22:53:20 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/11/20 23:46:29 | 135,124,796 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Dg24.wav
    [2008/11/20 23:46:21 | 130,717,148 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Dg23.wav
    [2008/11/19 15:38:52 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
    [2008/11/03 23:15:06 | 000,131,584 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
    [2008/11/03 21:54:53 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
    [2008/11/02 23:39:59 | 000,000,063 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Application Data\bteasy.ini
    [2008/11/02 21:25:18 | 000,561,086 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\fontlst2.opf
    [2008/10/23 18:26:12 | 000,000,715 | ---- | C] () -- C:\WINDOWS\aolback.exe.lnk
    [2008/10/23 18:17:28 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2008/10/23 18:09:19 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\SPZLPO__.DLL
    [2008/08/09 18:04:56 | 000,000,203 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/08/09 17:34:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
    [2008/07/21 19:30:17 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
    [2008/07/21 19:29:28 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2008/07/21 13:37:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/07/21 09:35:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2008/07/21 09:31:08 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2008/07/21 05:25:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2008/07/21 05:24:32 | 000,263,824 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2005/03/21 19:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/03/21 19:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/06 20:00:42 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\WINREGP.DLL
    [2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 06:00:00 | 000,521,038 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 06:00:00 | 000,095,478 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2004/02/06 13:05:22 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\TERNT.DLL
    [2004/02/06 13:00:04 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\TER9X.DLL
    [2003/12/14 02:03:42 | 001,107,472 | ---- | C] () -- C:\WINDOWS\System32\OWL52.DLL
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

    ========== LOP Check ==========

    [2012/10/02 00:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\EurekaLog
    [2008/11/02 21:25:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sharpdesk
    [2011/05/16 12:03:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\.oit
    [2012/07/27 15:51:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\0FF73A05
    [2012/09/30 17:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Audacity
    [2012/08/04 18:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Auslogics
    [2012/10/03 03:42:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\CheckPoint
    [2011/01/20 17:08:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\DriverCure
    [2012/09/22 15:10:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\foobar2000
    [2011/11/04 13:52:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\FreeFileViewer
    [2011/07/26 01:42:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\GARMIN
    [2012/08/04 16:57:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\GlarySoft
    [2010/09/01 16:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\gtk-2.0
    [2011/07/12 02:04:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\IVONA ControlCenter
    [2011/05/22 17:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\OfficeRecovery
    [2010/05/25 17:43:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\PandoraRecovery
    [2011/01/20 17:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\ParetoLogic
    [2008/08/03 14:42:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Publish Providers
    [2008/12/05 16:53:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Sharpdesk
    [2010/07/27 19:13:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Sony
    [2010/07/26 23:28:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Sony Setup
    [2012/09/18 13:14:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Sound Devices
    [2011/07/23 01:26:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\SoundSpectrum
    [2012/06/11 17:24:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Southwest Airlines
    [2011/07/23 01:43:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\SystemRequirementsLab
    [2012/08/16 06:33:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\TeamViewer
    [2011/01/05 01:07:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Tific
    [2012/08/04 16:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\Uniblue
    [2012/10/05 15:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\uTorrent
    [2011/01/05 17:25:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2008/08/02 20:05:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T
    [2011/05/22 15:50:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cached Installations
    [2012/10/02 14:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
    [2012/04/23 15:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ClubSanDisk
    [2011/07/26 01:42:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
    [2012/01/06 16:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
    [2011/01/08 16:19:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
    [2010/01/01 14:34:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
    [2011/01/05 17:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2010/06/29 16:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
    [2011/05/22 15:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
    [2011/01/06 01:27:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PassMark
    [2011/08/04 06:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
    [2011/01/05 01:41:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    [2008/10/23 18:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sharpdesk
    [2010/07/27 18:51:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
    [2011/01/08 15:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
    [2012/01/06 18:18:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\xml_param
    [2012/10/01 18:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZA_PreservedFiles
    [2012/10/05 06:33:00 | 000,000,318 | -H-- | M] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job
    [2012/10/05 13:47:00 | 000,000,394 | ---- | M] () -- C:\WINDOWS\Tasks\FreeFileViewerUpdateChecker.job
    [2012/10/04 21:20:42 | 000,000,328 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
    [2012/10/04 18:00:00 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job
    [2012/10/04 01:20:00 | 000,000,432 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
    [2012/09/09 02:37:37 | 000,000,548 | ---- | M] () -- C:\WINDOWS\Tasks\Rescue Reminder for 2HAA48PR.job
    [2012/10/04 21:20:41 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < :OTL >


    < :Services >


    < :Reg >


    < :Files >

    < C:\WINDOWS\system32\services.exe|C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe /replace >
    Invalid Switch: replace


    < :Commands >

    < [purity] >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve Kwartin\My Documents\My Videos:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve Kwartin\Desktop\Widespread_Panic_2008-10-28_Fillmore_Miami_Beach_FL_TLM-170_FOB.flac16:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Steve Kwartin\Desktop\Buckethead_2008-10-26_Culture_Room_Ft._Lauderdale_FL_TLM-170:Roxio EMC Stream

    < End of report >

    ----------------------------------------------------------------------------------------------
    "Run fix" log:

    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File C:\WINDOWS\system32\services.exe successfully replaced with C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 10052012_203348
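The OTL listing above is raw tool output, so as an added example (not OTL's code and not something posted in this thread) here is a small Python triage script that parses lines in that `[date | size | attribute flags | M or C] (Company) -- path` format and pulls out three things a helper looks at first: hidden directories under Application Data (like the `-H-D` entry in the LOP check), executables under C:\WINDOWS that changed within a few days of the scan and carry no company name, and entries whose timestamp is later than the scan itself (the log created on 10/5/2012 lists files created on 2012/11/24). The sample lines are copied from the log; the seven-day window and the scan time taken from the log header are my assumptions. A hit is a lead to review, not a verdict.

```python
import re
from datetime import datetime, timedelta

# One OTL listing line: [YYYY/MM/DD HH:MM:SS | size | RHSD flags | M or C] (Company) -- path
# Directories carry no "(Company)" field; files show "()" when the binary names no company.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".drv", ".scr", ".cpl")

# Constructed sample: lines copied from the OTL log in this thread.
SAMPLE_OTL_LINES = r"""
[2012/11/24 13:39:56 | 000,199,046 | ---- | C] () -- C:\Documents and Settings\Steve Kwartin\Desktop\Thank you for your Order2!.pdf
[2012/10/03 23:22:13 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/10/03 18:22:10 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/27 15:51:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\0FF73A05
[2012/10/05 15:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve Kwartin\Application Data\uTorrent
[2012/10/01 20:17:23 | 000,000,440 | RHS- | M] () -- C:\Documents and Settings\Steve Kwartin\ntuser.pol
""".strip().splitlines()

# Assumed: the creation time printed in the OTL log header (10/5/2012 8:26:37 PM).
SCAN_TIME = datetime(2012, 10, 5, 20, 26, 37)


def parse_otl_line(line):
    """Parse one listing line into a dict, or return None for headers and blanks."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(d["size"].replace(",", "")),
        "hidden": d["attrs"][1] == "H",
        "system": d["attrs"][2] == "S",
        "is_dir": d["attrs"][3] == "D",
        "kind": d["kind"],          # M = "Files Modified" list, C = "Files Created" list
        "company": d["company"],    # None for directories, "" when the file names no company
        "path": d["path"],
    }


def triage(lines, scan_time, window_days=7):
    """Return (reason, path) pairs worth a closer look. A hit is a lead, not a verdict."""
    findings = []
    for line in lines:
        e = parse_otl_line(line)
        if e is None:
            continue
        p = e["path"].lower()
        age = scan_time - e["ts"]
        if age < timedelta(0):
            # Stamped "after" the scan ran: clock problem or altered timestamps.
            findings.append(("timestamp-after-scan", e["path"]))
        elif e["is_dir"] and e["hidden"] and "\\application data\\" in p:
            findings.append(("hidden-appdata-dir", e["path"]))
        elif (not e["is_dir"] and p.startswith("c:\\windows\\")
              and p.endswith(EXEC_EXT) and age <= timedelta(days=window_days)
              and not e["company"]):
            findings.append(("recent-unattributed-system-exec", e["path"]))
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_OTL_LINES, SCAN_TIME):
        print(f"{reason:32} {path}")
```

Run against the full log, the "recent-unattributed-system-exec" bucket will also catch files dropped by the cleanup tools themselves (the C:\WINDOWS\PEV.exe, MBR.exe, sed.exe, grep.exe and zip.exe set created in the same second on 2012/10/03 is a typical tool footprint), which is why the output is a review list and not a removal list.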
  4. Broni Malware Annihilator Posts: 39,412   +177

    That's incorrect.
    Most likely you clicked on the "Scan" button instead of the "Run fix" button.
    Redo.
  5. tapersteve Newcomer, in training Posts: 52

    Broni,

    Before I screw anything else up, do you want me to go back to the REATOGO-X-PE desktop and re-run both steps? Can I try running OTL, which is downloaded on my normal desktop, and if it works, post both logs? Let me know, and I will get right on it. Thanks. Steve
  6. Broni Malware Annihilator Posts: 39,412   +177

    You don't run OTL but OTLPE, and make sure that after pasting my script you click on the "Run fix" button, not the "Scan" button.
  7. tapersteve Newcomer, in training Posts: 52

    OK, got it. Will be back shortly.
  8. tapersteve Newcomer, in training Posts: 52

    Broni, I only ran the Runfix, and here is the log:

    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File C:\WINDOWS\system32\services.exe successfully replaced with C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 10062012_000349
  9. Broni Malware Annihilator Posts: 39,412   +177

    Very good.

    Is MBAM still complaining?
  10. tapersteve Newcomer, in training Posts: 52

    Not as of yet, but every time I say that, I end up eating my words. I am holding my breath, and will let you know if ET tries to phone home. Steve
  11. Broni Malware Annihilator Posts: 39,412   +177

    I hope replacing that system file helped.

    Let's run a couple more scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If Eset doesn't find any threats, it won't produce a log.
  12. tapersteve Newcomer, in training Posts: 52

    Security Check log file:

    Results of screen317's Security Check version 0.99.51
    Windows XP Service Pack 3 x86
    Internet Explorer 7 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Out of date HijackThis installed!
    Spybot - Search & Destroy
    SUPERAntiSpyware
    Malwarebytes Anti-Malware version 1.65.0.1400
    HijackThis 2.0.2
    Java(TM) 6 Update 31
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.3.183.7 Flash Player out of Date!
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (15.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 avastUI.exe
    CheckPoint ZoneAlarm vsmon.exe
    CheckPoint ZoneAlarm zatray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 4%
    ````````````````````End of Log``````````````````````
  13. tapersteve Newcomer, in training Posts: 52

    Farbar Service Scanner log:

    Farbar Service Scanner Version: 19-09-2012
    Ran by Steve Kwartin (administrator) on 05-10-2012 at 23:12:47
    Running from "C:\Documents and Settings\Steve Kwartin\desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is set to Demand. The default start type is Auto.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    The start type of netman service is set to Disabled. The default start type is 3.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe
    [2004-08-04 06:00] - [2009-02-06 07:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6


    Extra List:
    =======
    aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x09000000050000000100000002000000030000000400000009000000060000000700000008000000
    IpSec Tag value is correct.

    **** End of log ****
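The FSS output above reports three stopped services, two start types that differ from what FSS states as the default, an `EnableFirewall` policy value of 0, and one file (services.exe, the file the OTL fix replaced) for which it prints file details instead of the "MD5 is legit" verdict. As an added example, not part of Farbar Service Scanner or of this thread, here is a Python reader that pulls those four observations out of an FSS log so they can be reviewed in one place. The sample is a trimmed copy of the log above; the category names in the returned dict are my own.

```python
import re

# Line shapes taken from the FSS log above.
SVC_NOT_RUNNING = re.compile(r"^(?P<svc>\S+) Service is not running\.")
START_TYPE_DEV = re.compile(
    r"^The start type of (?P<svc>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<val>[0-9A-Fa-f]+)$')
FILE_OK = re.compile(r"^[A-Za-z]:\\\S+ => MD5 is legit$")
FILE_ONLY = re.compile(r"^(?P<path>[A-Za-z]:\\[^ =]+)$")
HASH_LINE = re.compile(r"\b(?P<md5>[0-9A-Fa-f]{32})$")

# Constructed sample: a trimmed copy of the FSS log posted in this thread.
SAMPLE_FSS_LOG = r"""
Farbar Service Scanner Version: 19-09-2012
Ran by Steve Kwartin (administrator) on 05-10-2012 at 23:12:47
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe
[2004-08-04 06:00] - [2009-02-06 07:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6

**** End of log ****
"""


def analyze_fss(text):
    """Collect the deviations an FSS log reports, keyed by category (names are mine)."""
    report = {
        "not_running": [],             # services FSS found stopped
        "start_type": {},              # svc -> (actual start type, FSS's stated default)
        "firewall_policy_off": False,  # EnableFirewall=0 under a FirewallPolicy key
        "unverified_files": {},        # path -> MD5 printed instead of "MD5 is legit"
    }
    current_key = None   # last registry key header seen, for the DWORD that follows it
    pending = None       # file path awaiting its detail line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SVC_NOT_RUNNING.match(line)):
            report["not_running"].append(m["svc"])
        elif (m := START_TYPE_DEV.match(line)):
            report["start_type"][m["svc"]] = (m["actual"], m["default"])
        elif (m := REG_KEY.match(line)):
            current_key = m["key"]
        elif (m := REG_DWORD.match(line)):
            if (current_key and "FirewallPolicy" in current_key
                    and m["name"] == "EnableFirewall" and int(m["val"], 16) == 0):
                report["firewall_policy_off"] = True
        elif FILE_OK.match(line):
            pending = None
        elif (m := FILE_ONLY.match(line)):
            pending = m["path"]
            report["unverified_files"][pending] = None
        elif pending and (m := HASH_LINE.search(line)):
            report["unverified_files"][pending] = m["md5"]
            pending = None
    return report


if __name__ == "__main__":
    for category, value in analyze_fss(SAMPLE_FSS_LOG).items():
        print(f"{category}: {value}")
```

The start-type entries are the ones to read with care: a Dnscache set to Demand and a netman set to Disabled are the kind of change that explains lost name resolution or a dead Network Connections folder, and the `EnableFirewall=0` value under the StandardProfile key means the Windows Firewall is off by policy rather than by the service merely being stopped.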
  14. tapersteve Newcomer, in training Posts: 52

    AdwCleaner log file:

    # AdwCleaner v2.003 - Logfile created 10/05/2012 at 23:14:50
    # Updated 23/09/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Steve Kwartin - STEVE-QUAD
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Steve Kwartin\desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
    Folder Deleted : C:\Program Files\Conduit

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2645238
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v7.0.5730.13

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Documents and Settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\prefs.js

    C:\Documents and Settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\user.js ... Deleted !

    [OK] File is clean.

    Profile name : default
    File : C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Mozilla\Firefox\Profiles\8sohzsm4.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [2556 octets] - [05/10/2012 23:14:50]

    ########## EOF - C:\AdwCleaner[S1].txt - [2616 octets] ##########
  15. tapersteve Newcomer, in training Posts: 52

    Broni, I was able to get those first few scans done. I have TFC on my computer. I tried to run my copy, then a copy downloaded from the first site you listed, then the other. Every one gets hung up almost immediately and is unable to stop other running processes. I have used this program many times without any issue, so I really do not know what to do. I have spent the last hour trying this different ways, but no go. Steve
  16. Broni Malware Annihilator Posts: 39,412   +177

    Run it from safe mode.
  17. tapersteve Newcomer, in training Posts: 52

    Broni,

    Sorry about the delay, but Eset took a while to run, and I went to bed. TFC was able to run in safe mode, and did its thing. I then did the Eset scan, and the log is below. So far, I have not seen MBAM indicate any suspicious traffic, but I will let you know a little later, after I have spent some more time in front of the computer. Thank you yet again. Steve

    Eset log:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=8df7fe4b42a4cc4ea7d50b4c834bd64e
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-10-06 06:01:48
    # local_time=2012-10-06 02:01:48 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 54967300 54967300 0 0
    # compatibility_mode=768 16777215 100 0 55152548 55152548 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 4 0 0 0 0
    # scanned=135500
    # found=9
    # cleaned=9
    # scan_time=5216
    C:\Documents and Settings\Steve Kwartin\desktop\Audio Programs\setup.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\desktop\Program Files\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\desktop\Program Files\SoftonicDownloader_for_internet-explorer.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\My Documents\virus\New Folder\IHBETQ a variant of Java/Exploit.CVE-2012-4681.BC trojan (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\My Documents\virus\New Folder\jar_cache6100115203503054071.tmp a variant of Java/Exploit.CVE-2012-4681.BC trojan (deleted - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{E5CD8885-81EB-4EA5-9C7D-F91E4C407EEE}\RP1421\A0426702.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{E5CD8885-81EB-4EA5-9C7D-F91E4C407EEE}\RP1421\A0426703.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{E5CD8885-81EB-4EA5-9C7D-F91E4C407EEE}\RP1421\A0426704.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    H:\Desktop\Audio Programs\setup.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  18. tapersteve Newcomer, in training Posts: 52

    Broni,

    Well, it took a little while, but now MBAM is reporting attempts at outgoing communications to an IP address located in China. I don't know if this is something old or something that is part of the recent infection, but whatever it is, it has so far survived all of the attempts to kill it. Steve
  19. tapersteve Newcomer, in training Posts: 52

    I am now seeing both incoming and outgoing attempts as reported by MBAM.
  20. Broni Malware Annihilator Posts: 39,412   +177

    For x86 (x32) bit systems please download Listparts
    For x64 bit systems please download Listparts64

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.