TechSpot

Need help with malware removal

By Suneer
May 16, 2012
  1. Suddenly I see popups while browsing and multiple PING threads in Task Manager.
    Please help!!!


    ----------------------------------------------------------------------------
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.16.07

    Windows Server 2008 Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19019
    Administrator :: WIN2800 [administrator]

    Protection: Enabled

    5/16/2012 6:43:51 PM
    mbam-log-2012-05-16 (18-43-51).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 232914
    Time elapsed: 3 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    ----------------------------------------------------------------------------------------------------

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-05-16 20:29:55
    Windows 6.0.6002 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3160023A rev.8.01
    Running: bz9iwq2k.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\axtdqpow.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\System32\ping.exe[316] ntdll.dll!NtCreateProcess 77A842E4 5 Bytes JMP 00D8000A
    .text C:\Windows\System32\ping.exe[316] ntdll.dll!NtCreateProcessEx 77A842F4 5 Bytes JMP 00D9000A
    .text C:\Windows\System32\ping.exe[316] ntdll.dll!NtCreateUserProcess 77A85654 5 Bytes JMP 00DE000A
    .text C:\Windows\System32\ping.exe[316] USER32.dll!WindowFromPoint 77B6884F 5 Bytes JMP 0157000A
    .text C:\Windows\System32\ping.exe[316] USER32.dll!CreateWindowExW 77B71305 5 Bytes JMP 0159000A
    .text C:\Windows\System32\ping.exe[316] USER32.dll!GetForegroundWindow 77B732C4 5 Bytes JMP 0158000A
    .text C:\Windows\System32\ping.exe[316] USER32.dll!GetCursorPos 77B80B88 5 Bytes JMP 0156000A
    .text C:\Windows\System32\ping.exe[316] ole32.dll!CoCreateInstance 766A9F3E 5 Bytes JMP 0155000A
    .text C:\Windows\System32\ping.exe[5604] ntdll.dll!NtCreateProcess 77A842E4 5 Bytes JMP 0149000A
    .text C:\Windows\System32\ping.exe[5604] ntdll.dll!NtCreateProcessEx 77A842F4 5 Bytes JMP 014A000A
    .text C:\Windows\System32\ping.exe[5604] ntdll.dll!NtCreateUserProcess 77A85654 5 Bytes JMP 014B000A
    .text C:\Windows\System32\ping.exe[5604] USER32.dll!WindowFromPoint 77B6884F 5 Bytes JMP 0167000A
    .text C:\Windows\System32\ping.exe[5604] USER32.dll!CreateWindowExW 77B71305 5 Bytes JMP 0169000A
    .text C:\Windows\System32\ping.exe[5604] USER32.dll!GetForegroundWindow 77B732C4 5 Bytes JMP 0168000A
    .text C:\Windows\System32\ping.exe[5604] USER32.dll!GetCursorPos 77B80B88 5 Bytes JMP 0162000A
    .text C:\Windows\System32\ping.exe[5604] ole32.dll!CoCreateInstance 766A9F3E 5 Bytes JMP 0161000A
    .text C:\Windows\System32\ping.exe[6044] ntdll.dll!NtCreateProcess 77A842E4 5 Bytes JMP 00D8000A
    .text C:\Windows\System32\ping.exe[6044] ntdll.dll!NtCreateProcessEx 77A842F4 5 Bytes JMP 00D9000A
    .text C:\Windows\System32\ping.exe[6044] ntdll.dll!NtCreateUserProcess 77A85654 5 Bytes JMP 00DA000A
    .text C:\Windows\System32\ping.exe[6044] USER32.dll!WindowFromPoint 77B6884F 5 Bytes JMP 0153000A
    .text C:\Windows\System32\ping.exe[6044] USER32.dll!CreateWindowExW 77B71305 5 Bytes JMP 0155000A
    .text C:\Windows\System32\ping.exe[6044] USER32.dll!GetForegroundWindow 77B732C4 5 Bytes JMP 0154000A
    .text C:\Windows\System32\ping.exe[6044] USER32.dll!GetCursorPos 77B80B88 5 Bytes JMP 0152000A
    .text C:\Windows\System32\ping.exe[6044] ole32.dll!CoCreateInstance 766A9F3E 5 Bytes JMP 0151000A
    ---- Processes - GMER 1.0.15 ----

    Library c:\windows\system32\n (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1648] 0x00910000
    Library c:\windows\system32\n (*** hidden *** ) @ C:\Windows\Explorer.EXE [4648] 0x02840000

    ---- EOF - GMER 1.0.15 ----
    ----------------------------------------------------------------------------------------------------
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.suggestafix.com/index.php?showtopic=35466

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Suneer

    Suneer TS Rookie Topic Starter

    I have completed the first three steps and am not able to run DDS because my OS is Win2008. Please advise for the next step.


    ---------------------------------------------------------------------------------------------------------------------------------------------------
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-05-17 07:30:52
    -----------------------------
    07:30:52.328 OS Version: Windows 6.0.6002 Service Pack 2
    07:30:52.328 Number of processors: 4 586 0x170A
    07:30:52.330 ComputerName: WIN2800 UserName:
    07:30:54.757 Initialize success
    07:31:30.248 AVAST engine defs: 12051700
    07:31:52.148 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    07:31:52.149 Disk 0 Vendor: ST340015A 3.01 Size: 38166MB BusType: 3
    07:31:52.151 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
    07:31:52.153 Disk 1 Vendor: ST3160023A 8.01 Size: 152627MB BusType: 3
    07:31:52.155 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000053
    07:31:52.157 Disk 2 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
    07:31:52.170 Disk 1 MBR read successfully
    07:31:52.173 Disk 1 MBR scan
    07:31:52.177 Disk 1 unknown MBR code
    07:31:52.183 Disk 1 Partition 1 00 07 HPFS/NTFS NTFS 76834 MB offset 63
    07:31:52.188 Disk 1 Partition - 00 0F Extended LBA 75791 MB offset 157356675
    07:31:52.206 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 75790 MB offset 157356738
    07:31:52.211 Disk 1 scanning sectors +312576705
    07:31:52.279 Disk 1 scanning C:\Windows\system32\drivers
    07:31:57.718 Service scanning
    07:32:16.640 Modules scanning
    07:32:21.075 Disk 1 trace - called modules:
    07:32:21.095 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys nvmfdx32.sys
    07:32:21.100 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x854b2ac8]
    07:32:21.106 3 CLASSPNP.SYS[8cb1f8b3] -> nt!IofCallDriver -> [0x85274ab0]
    07:32:21.113 5 acpi.sys[8ca0c6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85237030]
    07:32:23.317 AVAST engine scan C:\Windows
    07:32:25.039 AVAST engine scan C:\Windows\system32
    07:34:02.323 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    07:34:54.283 AVAST engine scan C:\Windows\system32\drivers
    07:35:10.037 AVAST engine scan C:\Users\Administrator
    07:36:03.442 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
    07:36:04.173 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]
    07:36:04.265 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
    07:37:06.031 AVAST engine scan C:\ProgramData
    07:37:47.598 Scan finished successfully
    07:38:44.422 Disk 1 MBR has been saved successfully to "C:\Users\Administrator\Documents\MBR.dat"
    07:38:44.541 The log file has been saved successfully to "C:\Users\Administrator\Documents\aswMBR.txt"

    ------------------------------------------------------------------------------------------------------------------
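As an added example for readers of this thread (it is not a tool from the thread, from GMER or from AVAST), the script below shows how a responder reads the two logs posted above: GMER's per-process inline hooks (5-byte JMPs out of ntdll/USER32/ole32 in each ping.exe), GMER's hidden `c:\windows\system32\n` module inside svchost.exe and Explorer.EXE, and aswMBR's detections plus its "unknown MBR code" status. The sample lines are copied from the posted logs; the regular expressions are assumptions about the log formats derived from those lines, and the 16 MiB "far jump" threshold is a heuristic chosen for this example.

```python
"""Triage the GMER and aswMBR logs posted in this thread.

Added example for readers of the thread, not a tool from the thread, from GMER
or from AVAST. The sample lines below are copied from the logs posted above;
the regular expressions are assumptions about the log format derived from
those lines, and the 16 MiB "far jump" threshold is a heuristic chosen here.
"""
import re
from collections import defaultdict

# GMER "User code sections" line: image[pid] module!function address N Bytes JMP target
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
)
# GMER "Processes" line for a module it could not enumerate through normal APIs.
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+@\s+(?P<host>.+?)"
    r"\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)"
)
# aswMBR detection and MBR-status lines.
INFECTED_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>\S+)\s+\[(?P<cat>\w+)\]"
)
UNKNOWN_MBR_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+Disk\s+(?P<disk>\d+)\s+unknown MBR code")

# Native APIs on the process-creation path; a hook on any of them in a process
# that has no business patching ntdll (ping.exe here) is the signal to look for.
PROCESS_CREATION_APIS = {"NtCreateProcess", "NtCreateProcessEx", "NtCreateUserProcess"}
FAR_JUMP = 0x1000000  # heuristic: a trampoline >16 MiB from the patched code is not in that DLL

# Sample input: a subset of the lines posted in the thread (constructed here for the example).
GMER_SAMPLE = r"""
.text C:\Windows\System32\ping.exe[316] ntdll.dll!NtCreateProcess 77A842E4 5 Bytes JMP 00D8000A
.text C:\Windows\System32\ping.exe[316] USER32.dll!CreateWindowExW 77B71305 5 Bytes JMP 0159000A
.text C:\Windows\System32\ping.exe[5604] ntdll.dll!NtCreateUserProcess 77A85654 5 Bytes JMP 014B000A
.text C:\Windows\System32\ping.exe[6044] ole32.dll!CoCreateInstance 766A9F3E 5 Bytes JMP 0151000A
---- Processes - GMER 1.0.15 ----
Library c:\windows\system32\n (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1648] 0x00910000
Library c:\windows\system32\n (*** hidden *** ) @ C:\Windows\Explorer.EXE [4648] 0x02840000
"""

ASWMBR_SAMPLE = r"""
07:31:52.177 Disk 1 unknown MBR code
07:34:02.323 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
07:36:03.442 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
07:36:04.173 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]
07:37:47.598 Scan finished successfully
"""


def parse_gmer(text):
    """Return {'hooks': [...], 'hidden': [...]} parsed from GMER log text."""
    hooks, hidden = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(pid=int(d["pid"]), size=int(d["size"]),
                     addr=int(d["addr"], 16), target=int(d["target"], 16))
            hooks.append(d)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            d = m.groupdict()
            d.update(pid=int(d["pid"]), base=int(d["base"], 16))
            hidden.append(d)
    return {"hooks": hooks, "hidden": hidden}


def parse_aswmbr(text):
    """Return {'detections': [...], 'unknown_mbr_disks': [...]} parsed from aswMBR log text."""
    detections, unknown = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = INFECTED_RE.match(line)
        if m:
            detections.append(m.groupdict())
            continue
        m = UNKNOWN_MBR_RE.match(line)
        if m:
            unknown.append(int(m.group("disk")))
    return {"detections": detections, "unknown_mbr_disks": unknown}


def triage(gmer, asw):
    """Summarise both logs the way a responder reads them."""
    per_proc = defaultdict(set)
    for h in gmer["hooks"]:
        per_proc[(h["image"], h["pid"])].add(h["func"])
    creation_hooked = [p for p, funcs in per_proc.items() if funcs & PROCESS_CREATION_APIS]
    far_jumps = sum(1 for h in gmer["hooks"] if abs(h["target"] - h["addr"]) > FAR_JUMP)
    # Hidden modules, unknown MBR code or an [Rtk]-class detection each mean the
    # running OS cannot be trusted to report on itself, which is why the thread
    # moves on to scanning from a boot CD instead of more in-OS scanners.
    rootkit_evidence = (
        bool(gmer["hidden"])
        or bool(asw["unknown_mbr_disks"])
        or any(d["cat"] == "Rtk" for d in asw["detections"])
    )
    return {
        "hooks": len(gmer["hooks"]),
        "hooked_processes": len(per_proc),
        "processes_with_creation_hooks": len(creation_hooked),
        "far_jump_hooks": far_jumps,
        "hidden_modules": gmer["hidden"],
        "detections": asw["detections"],
        "unknown_mbr_disks": asw["unknown_mbr_disks"],
        "severity": "rootkit" if rootkit_evidence else ("hooks" if gmer["hooks"] else "clean"),
    }


if __name__ == "__main__":
    report = triage(parse_gmer(GMER_SAMPLE), parse_aswmbr(ASWMBR_SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the posted lines; point `parse_gmer` and `parse_aswmbr` at the full pasted logs to get the counts for every ping.exe instance. The "far jump" count is the useful figure: every hook in the posted log lands at a low `0x00Dx000A`/`0x01xx000A` address far below the DLL it patches, which is how you tell an injected trampoline from a legitimate in-module patch without having the process memory.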
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. Suneer

    Suneer TS Rookie Topic Starter

    Boot_cleaner log:
    ------------------------------

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Server 2008 Enterprise Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive1 at offset 0x00000000`00007e00
    Boot sector MD5 is: 0d413cafe1920f2c29345c934ee72288

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. Suneer

    Suneer TS Rookie Topic Starter

    Combofix is not running on my machine. My machine OS is Windows Server 2008. :oops:
     
  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Unfortunately I don't have too many tools to run on your OS.
    Most tools are designed for regular Windows versions.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /I " " /c
    dir /b "%systemroot%\*.exe" | find /I " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. Suneer

    Suneer TS Rookie Topic Starter

    On execution OTL is crashing:

    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: OTL.exe
    Application Version: 3.2.43.0
    Application Timestamp: 2a425e19
    Fault Module Name: kernel32.dll
    Fault Module Version: 6.0.6002.18005
    Fault Module Timestamp: 49e037dd
    Exception Code: c0000005
    Exception Offset: 000bf9cd
    OS Version: 6.0.6002.2.2.0.274.10
    Locale ID: 1033
    Additional Information 1: b37c
    Additional Information 2: 2a7328d8bb40c81c93b4b5f46adb8e10
    Additional Information 3: b37c
    Additional Information 4: 2a7328d8bb40c81c93b4b5f46adb8e10

    Read our privacy statement:
    http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  11. Suneer

    Suneer TS Rookie Topic Starter

    My machine has dual OS: c:\ - WinXP and d:\ - Server 2008.
    OTLPE is loading the profile of WinXP and scanning c: (WinXP resources) only.
    Is there any way that allows me to execute OTLPE on the Server 2008 drive?
     
  12. Suneer

    Suneer TS Rookie Topic Starter

    OTL logfile created on: 5/17/2012 2:32:08 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 92.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): C:\pagefile.sys 4990 5092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.26 Gb Total Space | 6.01 Gb Free Space | 16.12% Space Free | Partition Type: NTFS
    Drive D: | 75.03 Gb Total Space | 43.28 Gb Free Space | 57.68% Space Free | Partition Type: NTFS
    Drive E: | 74.01 Gb Total Space | 22.45 Gb Free Space | 30.33% Space Free | Partition Type: NTFS
    Drive G: | 270.45 Gb Total Space | 92.81 Gb Free Space | 34.32% Space Free | Partition Type: NTFS
    Drive H: | 195.31 Gb Total Space | 38.30 Gb Free Space | 19.61% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/05/12 07:49:48 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/05/05 05:14:18 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2008/01/28 06:34:12 | 002,236,416 | ---- | M] (Actuate Corporation) [Auto] -- C:\Program Files\Actuate9\iServer\bin\pmd9.exe -- (__AC_PROCESS_MGMT_DAEMON9)
    SRV - [2006/02/17 10:39:02 | 000,139,264 | ---- | M] () [Auto] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
    SRV - [2006/02/17 10:35:58 | 000,127,035 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -- (nSvcIp)
    SRV - [2006/02/17 10:35:42 | 000,061,503 | ---- | M] (NVIDIA) [Auto] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe -- (nSvcLog)
    SRV - [2006/02/17 10:17:08 | 000,020,543 | ---- | M] (Apache Software Foundation) [Auto] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe -- (ForcewareWebInterface)
    SRV - [2004/10/21 14:13:54 | 000,017,920 | ---- | M] () [Auto] -- C:\Program Files\Actuate9\iServer\bin\portserv.exe -- (NobleNet Portmapper for TCP)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (AFGSp50)
    DRV - File not found [Kernel | On_Demand] -- -- (AFGMp50)
    DRV - [2011/04/07 17:57:27 | 000,685,816 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2010/06/21 18:07:39 | 000,091,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
    DRV - [2010/04/02 10:11:16 | 000,087,536 | ---- | M] (CyberLink Corp.) [2011/12/25 11:09:33] [Kernel | Auto] -- C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
    DRV - [2009/04/06 08:00:00 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\System32\drivers\nvatabus.sys -- (nvatabus)
    DRV - [2009/04/06 08:00:00 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
    DRV - [2009/04/06 08:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
    DRV - [2009/04/06 08:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
    DRV - [2008/12/18 21:31:00 | 000,083,808 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\jraid.sys -- (jraid)
    DRV - [2007/01/24 17:27:54 | 000,039,704 | ---- | M] (Belcarra Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rcblan.sys -- (RemoteControl-USBLAN)
    DRV - [2006/11/15 23:34:00 | 004,225,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2006/04/25 10:52:28 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
    DRV - [2006/02/18 04:28:32 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
    DRV - [2006/02/18 04:28:30 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
    DRV - [2005/09/23 22:18:32 | 000,171,520 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
    DRV - [2001/12/19 00:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\Program Files\System\CPL Bonus\vcdrom.sys -- (vcdrom)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Jim_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
    IE - HKU\Jim_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\Jim_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKU\Jim_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.msn.com/
    IE - HKU\Jim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Jim_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    IE - HKU\NetworkService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    IE - HKU\Sonia_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
    IE - HKU\Sonia_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\Sonia_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKU\Sonia_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========



    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/05 05:14:18 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Documents and Settings\Jim\Application Data\IDM\idmmzcc3 [2011/04/04 17:28:08 | 000,000,000 | ---D | M]

    [2011/11/12 20:23:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions
    [2012/05/01 20:50:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\48szs630.default\extensions
    [2011/11/12 20:22:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) --
    [2012/05/05 05:14:18 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/03/08 17:38:42 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/03/08 17:38:42 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2009/04/06 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No CLSID value found.
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O3 - HKU\Jim_ON_C\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKU\Sonia_ON_C\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [BDRegion] C:\Program Files\CyberLink\Shared files\brs.exe (cyberlink)
    O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [LClock] C:\Program Files\LClock\LClock.exe ()
    O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
    O4 - HKLM..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [RemoteControl10] C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
    O4 - HKLM..\Run: [USBToolTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe (Pinnacle Systems GmbH)
    O4 - HKLM..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe ()
    O4 - HKU\Jim_ON_C..\Run: [{68F70EC9-6475-7D57-F531-A3C3A7BA1B22}] File not found
    O4 - HKU\Jim_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
    O4 - HKU\Jim_ON_C..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe (Tonec Inc.)
    O4 - HKU\Sonia_ON_C..\RunOnce: [Shockwave Updater] File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousMachineGroupPolicy = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousUserGroupPolicy = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
    O7 - HKU\Jim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Jim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
    O7 - HKU\Jim_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
    O7 - HKU\Sonia_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Sonia_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
    O7 - HKU\Sonia_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
    O16 - DPF: {3F4AC0C9-3A7D-4115-99B4-2693DE0014AF} http://optimum.net/downloads/TNetworkScannerXControl.ocx (TNetworkScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://remoteaccess.caremark.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 167.206.245.130 167.206.245.129
    O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Resources\Themes\Da7kStyle\wall\WinDENS.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Resources\Themes\Da7kStyle\wall\WinDENS.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/03/21 19:57:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{734f6a1c-058d-11e1-af81-001bfc7ceae6}\Shell\AutoRun\command - "" = F:\RunClubSanDisk.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/05/17 10:46:01 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/05/17 10:44:32 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\24960-OTL.exe
    [2012/05/16 11:55:09 | 000,000,000 | ---D | C] -- C:\ebook
    [2012/05/05 05:14:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
    [2012/05/05 05:14:27 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
    [2012/04/26 20:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Help
    [2012/04/26 20:19:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\Help
    [2011/09/22 11:06:53 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Jim\Application Data\pcouffin.sys
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Sonia\*.tmp files -> C:\Documents and Settings\Sonia\*.tmp -> ]
    [1 C:\Documents and Settings\Jim\*.tmp files -> C:\Documents and Settings\Jim\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/05/17 11:07:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/05/17 11:03:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{88ADB489-0873-492C-95B0-24A04397CE73}.job
    [2012/05/17 10:56:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/05/17 10:47:52 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/05/17 10:44:33 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\24960-OTL.exe
    [2012/05/17 10:39:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/05/16 18:14:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/05/12 10:38:43 | 000,088,380 | ---- | M] () -- C:\Documents and Settings\Jim\My Documents\I-765.pdf
    [2012/05/12 07:49:48 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
    [2012/05/12 07:49:47 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2012/05/11 19:55:25 | 000,061,930 | ---- | M] () -- C:\Documents and Settings\Jim\My Documents\I-765_suneer.pdf
    [2012/05/11 19:17:12 | 000,003,400 | ---- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2012/05/02 22:33:32 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/04/22 17:11:15 | 000,236,200 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
    [2012/04/22 17:11:15 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
    [2012/04/22 17:10:48 | 000,236,200 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
    [2012/04/21 19:24:49 | 002,656,392 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Sonia\*.tmp files -> C:\Documents and Settings\Sonia\*.tmp -> ]
    [1 C:\Documents and Settings\Jim\*.tmp files -> C:\Documents and Settings\Jim\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/05/11 20:31:57 | 000,088,380 | ---- | C] () -- C:\Documents and Settings\Jim\My Documents\I-765.pdf
    [2012/05/11 19:55:25 | 000,061,930 | ---- | C] () -- C:\Documents and Settings\Jim\My Documents\I-765_suneer.pdf
    [2012/04/12 11:07:37 | 000,000,012 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
    [2012/04/11 12:43:57 | 000,004,096 | -H-- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\keyfile3.drm
    [2011/12/25 13:28:55 | 000,000,054 | ---- | C] () -- C:\WINDOWS\DVDFab.INI
    [2011/11/17 09:29:55 | 000,000,057 | ---- | C] () -- C:\Documents and Settings\Jim\dlmgr_.pro
    [2011/11/01 22:16:31 | 000,000,232 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2011/11/01 22:15:52 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
    [2011/09/24 12:22:15 | 000,000,473 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2011/09/24 09:12:18 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2011/09/22 11:06:53 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\inst.exe
    [2011/09/22 11:06:53 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\pcouffin.cat
    [2011/09/22 11:06:53 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\pcouffin.inf
    [2011/09/13 11:35:46 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/09/13 11:11:01 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
    [2011/09/13 11:02:48 | 000,000,436 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
    [2011/09/13 11:00:26 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
    [2011/09/13 11:00:26 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
    [2011/09/13 10:54:33 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
    [2011/09/13 10:54:33 | 000,003,136 | ---- | C] () -- C:\WINDOWS\Ade001.bin
    [2011/09/13 10:54:33 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
    [2011/09/13 10:48:05 | 000,000,196 | ---- | C] () -- C:\WINDOWS\EPSON 1260_1660 Installer.ini
    [2011/04/14 20:01:56 | 000,003,400 | ---- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2011/04/14 20:01:56 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\3E71DA25A5.sys
    [2011/04/06 22:36:01 | 000,066,532 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
    [2011/04/06 22:36:01 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
    [2011/04/06 22:36:01 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
    [2011/04/06 22:36:01 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
    [2011/04/06 22:36:01 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
    [2011/04/06 22:36:01 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
    [2011/04/06 22:36:01 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
    [2011/04/06 22:36:01 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
    [2011/04/06 22:36:01 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
    [2011/04/06 22:36:01 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
    [2011/04/06 22:36:01 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
    [2011/04/06 22:36:01 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
    [2011/04/06 22:36:01 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
    [2011/04/06 22:36:01 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2011/04/06 22:32:35 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
    [2011/04/06 22:32:27 | 000,000,025 | ---- | C] () -- C:\WINDOWS\EPR340.ini
    [2011/04/04 17:48:03 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2011/04/04 06:58:08 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/03/22 02:45:39 | 000,003,898 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/03/22 02:42:53 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2011/03/22 02:40:26 | 000,411,080 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/03/21 20:20:32 | 000,236,200 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
    [2011/03/21 20:20:30 | 000,236,200 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
    [2011/03/21 20:20:30 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
    [2011/03/21 20:02:22 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/03/21 20:01:47 | 000,001,671 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2011/03/21 19:52:53 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/10/05 04:01:02 | 002,656,392 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/07/31 10:47:00 | 002,195,030 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
    [2009/07/30 21:58:42 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
    [2009/04/06 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2009/04/06 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2009/04/06 08:00:00 | 000,428,974 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2009/04/06 08:00:00 | 000,394,240 | ---- | C] () -- C:\WINDOWS\System32\HMTCD.dll
    [2009/04/06 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2009/04/06 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2009/04/06 08:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\cabarc.exe
    [2009/04/06 08:00:00 | 000,065,924 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2009/04/06 08:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\CopyToSendTo.dll
    [2009/04/06 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2009/04/06 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2009/04/06 08:00:00 | 000,008,636 | ---- | C] () -- C:\WINDOWS\modifyPE.exe
    [2009/04/06 08:00:00 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\FontReg.exe
    [2009/04/06 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2009/04/06 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2009/04/06 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2009/04/06 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2007/06/28 06:54:10 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2007/06/28 06:52:18 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

    ========== LOP Check ==========

    [2011/07/24 20:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\.ABC
    [2012/02/26 15:56:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Actuate e.Report Designer Professional
    [2011/04/07 17:35:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Command and Conquer 4
    [2011/10/20 10:23:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\DJJava
    [2012/05/17 10:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\DMCache
    [2011/11/07 19:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\DVD Ripper Pro
    [2011/12/25 13:32:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\DVDFab
    [2011/07/27 16:35:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\EBookSys
    [2011/09/13 11:11:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\EPSON
    [2012/01/30 23:19:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\IDM
    [2011/06/30 06:40:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Juniper Networks
    [2012/04/07 10:33:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\LaunchPad
    [2012/05/04 21:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\PrimoPDF
    [2011/12/01 11:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Smart PDF Editor
    [2011/12/01 11:12:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Smart PDF Editor Pro
    [2011/11/01 21:47:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Tyuhn
    [2011/11/01 21:48:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Vso
    [2011/11/12 14:34:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Xilisoft
    [2011/04/07 10:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sonia\Application Data\Foxit Software
    [2011/03/24 08:33:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sonia\Application Data\Windows Desktop Search
    [2011/09/22 12:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
    [2011/12/25 12:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
    [2012/03/28 21:19:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DDD
    [2011/09/24 12:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
    [2011/11/01 21:50:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\install_clap
    [2011/05/11 12:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
    [2011/07/25 08:42:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
    [2011/07/25 08:42:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Plus
    [2011/07/25 08:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate
    [2011/07/25 04:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate Collection
    [2011/07/25 08:42:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Studio 15
    [2011/12/25 12:50:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
    [2012/03/28 21:22:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TriDef 3D
    [2011/12/25 13:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
    [2011/03/22 02:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
    [2011/03/25 12:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2012/05/17 11:03:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{88ADB489-0873-492C-95B0-24A04397CE73}.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:8CE646EE
    < End of report >
     
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    C and D: are those separate drives or just two partitions of the same drive?
     
  14. Suneer

    Suneer TS Rookie Topic Starter

    Separate drives
     
  15. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    I suggest you remove the XP drive and try the OTLPE CD again.
     
  16. Suneer

    Suneer TS Rookie Topic Starter

    Log after removing hard disk
    --------------------------------------------------------------------------------
    OTL logfile created on: 5/18/2012 12:35:39 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Windows Server (R) 2008 Datacenter Service Pack 2 (Version = 6.0.6002) - Type = System
    Internet Explorer (Version = 8.0.6001.19019)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 75.03 Gb Total Space | 43.28 Gb Free Space | 57.68% Space Free | Partition Type: NTFS
    Drive D: | 74.01 Gb Total Space | 22.45 Gb Free Space | 30.33% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto] -- -- (OracleServiceSAMPLE)
    SRV - File not found [Auto] -- -- (OracleServiceORACLE)
    SRV - File not found [Auto] -- -- (OracleServiceMICRO)
    SRV - File not found [Auto] -- -- (OracleServiceBODATA)
    SRV - File not found [Auto] -- -- (OracleOraDb10g_home1TNSListener)
    SRV - File not found [Auto] -- -- (OracleOraDb10g_home1iSQL*Plus)
    SRV - File not found [Disabled] -- -- (OracleJobSchedulerSAMPLE)
    SRV - File not found [Disabled] -- -- (OracleJobSchedulerORACLE)
    SRV - File not found [Disabled] -- -- (OracleJobSchedulerMICRO)
    SRV - File not found [Disabled] -- -- (OracleJobSchedulerBODATA)
    SRV - File not found [Auto] -- -- (OracleDBConsolesample)
    SRV - File not found [Auto] -- -- (OracleDBConsoleoracle)
    SRV - File not found [Auto] -- -- (OracleDBConsolemicro)
    SRV - File not found [Auto] -- -- (OracleDBConsolebodata)
    SRV - File not found [Auto] -- -- (NobleNet Portmapper for TCP)
    SRV - File not found [On_Demand] -- -- (MicroStrategy System Monitor)
    SRV - File not found [On_Demand] -- -- (MicroStrategy SMTP Service)
    SRV - File not found [On_Demand] -- -- (MicroStrategy NC PDF Formatter)
    SRV - File not found [On_Demand] -- -- (MicroStrategy Logging Server)
    SRV - File not found [On_Demand] -- -- (MicroStrategy Logging Consumer)
    SRV - File not found [On_Demand] -- -- (MicroStrategy Logging Client)
    SRV - File not found [On_Demand] -- -- (MicroStrategy Intelligence Server)
    SRV - File not found [On_Demand] -- -- (MicroStrategy Execution Engine)
    SRV - File not found [Auto] -- -- (MicroStrategy Distribution Manager)
    SRV - File not found [On_Demand] -- -- (MAEMETLS)
    SRV - File not found [On_Demand] -- -- (DB2REMOTECMD_DB2COPY1) DB2 Remote Command Server (DB2COPY1)
    SRV - File not found [On_Demand] -- -- (DB2NTSECSERVER_ToadF40) DB2 Security Server (ToadF40)
    SRV - File not found [On_Demand] -- -- (DB2MGMTSVC_ToadF40) DB2 Management Service (ToadF40)
    SRV - File not found [On_Demand] -- -- (DB2MGMTSVC_DB2COPY1) DB2 Management Service (DB2COPY1)
    SRV - File not found [On_Demand] -- -- (DB2LICD_DB2COPY1) DB2 License Server (DB2COPY1)
    SRV - File not found [On_Demand] -- -- (DB2GOVERNOR_DB2COPY1) DB2 Governor (DB2COPY1)
    SRV - File not found [On_Demand] -- -- (DB2DAS00)
    SRV - File not found [On_Demand] -- -- (DB2)
    SRV - File not found [Auto] -- -- (BOE120Tomcat)
    SRV - File not found [Auto] -- -- (BOE120SIAWIN2800) Server Intelligence Agent (WIN2800)
    SRV - File not found [On_Demand] -- -- (__AC_PROCESS_MGMT_DAEMON11)
    SRV - [2012/05/14 16:23:19 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/05/13 19:12:37 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/10/15 04:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2011/06/15 08:20:48 | 000,180,224 | ---- | M] (MicroStrategy Incorporated) [On_Demand] -- C:\Program Files\Common Files\MicroStrategy\MSTRLsn.exe -- (MAPing)
    SRV - [2011/06/15 08:20:04 | 000,180,224 | ---- | M] (MicroStrategy Incorporated) [On_Demand] -- C:\Program Files\Common Files\MicroStrategy\Health Center\MSTRExec.EXE -- (MHealthAgent)
    SRV - [2011/06/15 08:20:04 | 000,180,224 | ---- | M] (MicroStrategy Incorporated) [Disabled] -- C:\Program Files\Common Files\MicroStrategy\Health Center\MSTRExec.EXE -- (HealthAgent)
    SRV - [2011/06/15 07:40:08 | 000,757,829 | ---- | M] () [Auto] -- C:\Program Files\DataDirect\slserver55\bin\swagent.exe -- (SLAgent55)
    SRV - [2011/06/15 07:40:08 | 000,118,853 | ---- | M] () [Auto] -- C:\Program Files\DataDirect\slserver55\bin\swstrtr.exe -- (SLSocket55)
    SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2010/02/20 19:05:18 | 000,373,760 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
    SRV - [2010/02/20 19:05:18 | 000,373,760 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
    SRV - [2010/01/21 02:52:14 | 000,167,528 | ---- | M] () [Auto] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)
    SRV - [2010/01/21 02:52:12 | 000,370,792 | ---- | M] () [Auto] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
    SRV - [2009/04/11 09:00:21 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
    SRV - [2009/04/11 09:00:18 | 000,078,336 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\rsopprov.exe -- (RSoPProv)
    SRV - [2008/01/19 07:27:19 | 000,013,824 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\inetsrv\inetinfo.exe -- (MSFTPSVC)
    SRV - [2008/01/19 07:27:19 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\System32\inetsrv\inetinfo.exe -- (IISADMIN)
    SRV - [2008/01/19 07:27:06 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\sacsvr.dll -- (sacsvr)
    SRV - [2008/01/19 07:27:05 | 000,022,016 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\FCRegSvc.dll -- (FCRegSvc)
    SRV - [2006/10/17 10:29:52 | 000,069,632 | ---- | M] (Computer Associates) [Auto] -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe -- (LogWatch)


    ========== Driver Services (SafeList) ==========

    DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/10/15 04:53:00 | 010,327,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2011/07/07 19:21:28 | 000,139,880 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
    DRV - [2010/04/09 03:32:36 | 000,215,656 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2010/03/04 19:26:58 | 000,291,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
    DRV - [2009/04/11 08:59:36 | 000,185,320 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
    DRV - [2009/04/11 08:59:36 | 000,035,304 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
    DRV - [2008/01/19 07:27:06 | 000,088,632 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\sacdrv.sys -- (sacdrv)
    DRV - [2008/01/19 07:26:59 | 000,042,440 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\storflt.sys -- (storflt)
    DRV - [2008/01/19 07:26:59 | 000,015,816 | ---- | M] (Microsoft Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\s3cap.sys -- (s3cap)
    DRV - [2008/01/19 07:26:58 | 000,031,232 | ---- | M] (Intel Corporation) [Kernel | Disabled] -- C:\Windows\system32\drivers\qd26032.sys -- (ioatdma) Intel(R)
    DRV - [2006/11/02 03:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
    IE - HKU\Administrator_ON_C\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - Reg Error: Key error. File not found
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0






    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/14 16:23:20 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/28 12:04:15 | 000,000,000 | ---D | M]

    [2011/11/18 13:12:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
    [2012/05/16 17:58:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\kt8yfjy1.default\extensions
    [2012/03/06 12:43:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) --
    [2012/05/14 16:23:19 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/12/09 13:23:32 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
    [2012/03/06 12:43:20 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/03/06 12:43:20 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/05/16 21:53:27 | 000,001,476 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (no name) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No CLSID value found.
    O4 - HKLM..\Run: [DB2COPY1 - db2systray.exe DB2] File not found
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [StereoLinksInstall] File not found
    O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
    O13 - gopher Prefix: missing
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 167.206.245.130 167.206.245.129
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - File not found
    O24 - Desktop WallPaper: C:\Wallpaper 1080p (4).jpg
    O24 - Desktop BackupWallPaper: C:\Wallpaper 1080p (4).jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/05/17 12:51:40 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
    [2012/05/17 08:23:13 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\log
    [2012/05/17 08:23:12 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\TMRBLog
    [2012/05/17 08:22:41 | 008,656,400 | ---- | C] (Trend Micro Inc.) -- C:\Users\Administrator\Desktop\RootkitBuster_v5_1061.exe
    [2012/05/17 07:28:08 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
    [2012/05/16 21:56:02 | 004,495,010 | ---- | C] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
    [2012/05/16 20:39:34 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2012/05/16 19:55:16 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
    [2012/05/16 18:06:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
    [2012/05/16 18:05:57 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/05/16 18:05:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/05/16 18:05:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/05/16 18:05:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/05/16 14:33:05 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [2012/05/16 12:25:14 | 000,000,000 | ---D | C] -- C:\Downloads
    [2012/05/16 12:23:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\FlashGet
    [2012/05/16 12:23:13 | 000,000,000 | ---D | C] -- C:\Program Files\FlashGet
    [2012/05/14 16:23:21 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
    [2012/05/14 16:23:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
    [2012/05/05 19:29:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tomcat
    [2012/05/05 19:29:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BusinessObjects XI 3.1
    [2012/05/05 19:23:32 | 000,000,000 | ---D | C] -- C:\.businessobjects
    [2012/05/05 14:40:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2012/04/29 18:36:47 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
    [2012/04/28 12:04:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
    [2012/04/28 12:04:20 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_31.dll
    [2012/04/28 12:04:20 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
    [2012/04/28 12:04:15 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winamp Detector Plug-in
    [2012/04/28 12:04:15 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
    [2012/04/28 12:04:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
    [2012/04/28 12:04:02 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Winamp
    [2012/04/28 12:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp
    [2012/04/19 21:32:49 | 000,000,000 | ---D | C] -- C:\Repository
    [2011/11/20 17:26:25 | 000,011,264 | ---- | C] ( ) -- C:\Windows\System32\Interop.mscoree.dll

    ========== Files - Modified Within 30 Days ==========

    [2012/05/17 13:10:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/05/17 13:10:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_17_13_10_47.dmp
    [2012/05/17 13:09:23 | 000,005,984 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/05/17 13:09:23 | 000,005,984 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/05/17 12:51:41 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
    [2012/05/17 12:51:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/05/17 12:07:24 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\Administrator\Desktop\boot_cleaner.exe
    [2012/05/17 08:22:45 | 008,656,400 | ---- | M] (Trend Micro Inc.) -- C:\Users\Administrator\Desktop\RootkitBuster_v5_1061.exe
    [2012/05/17 07:38:44 | 000,000,512 | ---- | M] () -- C:\Users\Administrator\Documents\MBR.dat
    [2012/05/17 07:28:12 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Administrator\Desktop\aswMBR.exe
    [2012/05/16 22:09:06 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_16_22_9_6.dmp
    [2012/05/16 21:56:05 | 004,495,010 | ---- | M] (Swearware) -- C:\Users\Administrator\Desktop\ComboFix.exe
    [2012/05/16 21:53:27 | 000,001,476 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/05/16 19:55:16 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
    [2012/05/16 19:41:24 | 000,302,592 | ---- | M] () -- C:\Users\Administrator\Desktop\bz9iwq2k.exe
    [2012/05/16 18:05:58 | 000,000,807 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/05/16 18:05:58 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/05/16 17:47:33 | 000,000,000 | R--D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    [2012/05/16 12:13:20 | 000,000,015 | ---- | M] () -- C:\Users\Administrator\Documents\03TiPYQYc5AC.pdf
    [2012/05/16 07:29:22 | 000,002,633 | ---- | M] () -- C:\Users\Administrator\Desktop\Microsoft Office Outlook 2007.lnk
    [2012/05/15 20:04:19 | 000,012,643 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_15_20_4_19.dmp
    [2012/05/15 15:23:02 | 000,013,523 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_15_15_22_58.dmp
    [2012/05/15 15:22:57 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_15_15_22_57.dmp
    [2012/05/15 14:49:29 | 000,001,480 | ---- | M] () -- C:\Windows\ODBC.INI
    [2012/05/13 19:12:37 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
    [2012/05/13 19:12:37 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
    [2012/05/13 14:33:14 | 001,042,622 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/05/13 14:33:14 | 000,291,950 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/05/09 21:10:02 | 000,013,423 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_9_21_10_0.dmp
    [2012/05/06 12:33:52 | 000,013,423 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_6_12_33_49.dmp
    [2012/05/06 09:16:12 | 000,378,424 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/05/05 19:29:26 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tomcat
    [2012/05/05 19:29:25 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BusinessObjects XI 3.1
    [2012/05/05 18:27:56 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle - OraDb10g_home1
    [2012/05/05 17:31:56 | 000,001,603 | ---- | M] () -- C:\Users\Administrator\Desktop\services.lnk
    [2012/05/02 11:15:51 | 000,011,733 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_2_11_15_49.dmp
    [2012/05/02 04:18:04 | 000,012,607 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_5_2_4_18_3.dmp
    [2012/04/29 09:51:16 | 000,013,423 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_4_29_9_51_14.dmp
    [2012/04/28 19:14:46 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_4_28_19_14_46.dmp
    [2012/04/28 12:04:21 | 000,000,719 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
    [2012/04/28 12:04:21 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
    [2012/04/24 04:43:24 | 219,909,384 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/04/20 22:02:46 | 000,013,423 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_4_20_22_2_45.dmp
    [2012/04/18 12:52:54 | 000,013,423 | ---- | M] () -- C:\Windows\System32\nmesrvc_core_2012_4_18_12_52_52.dmp

    ========== Files Created - No Company Name ==========

    [2012/05/17 13:10:47 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_17_13_10_47.dmp
    [2012/05/17 07:38:44 | 000,000,512 | ---- | C] () -- C:\Users\Administrator\Documents\MBR.dat
    [2012/05/16 22:09:06 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_16_22_9_6.dmp
    [2012/05/16 19:42:47 | 000,302,592 | ---- | C] () -- C:\Users\Administrator\Desktop\bz9iwq2k.exe
    [2012/05/16 18:05:58 | 000,000,807 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/05/16 12:13:19 | 000,000,015 | ---- | C] () -- C:\Users\Administrator\Documents\03TiPYQYc5AC.pdf
    [2012/05/15 20:04:19 | 000,012,643 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_15_20_4_19.dmp
    [2012/05/15 15:22:58 | 000,013,523 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_15_15_22_58.dmp
    [2012/05/15 15:22:57 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_15_15_22_57.dmp
    [2012/05/14 08:07:25 | 000,002,633 | ---- | C] () -- C:\Users\Administrator\Desktop\Microsoft Office Outlook 2007.lnk
    [2012/05/09 21:10:00 | 000,013,423 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_9_21_10_0.dmp
    [2012/05/06 12:33:49 | 000,013,423 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_6_12_33_49.dmp
    [2012/05/05 17:31:56 | 000,001,603 | ---- | C] () -- C:\Users\Administrator\Desktop\services.lnk
    [2012/05/02 11:15:49 | 000,011,733 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_2_11_15_49.dmp
    [2012/05/02 04:18:03 | 000,012,607 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_5_2_4_18_3.dmp
    [2012/04/29 09:51:14 | 000,013,423 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_4_29_9_51_14.dmp
    [2012/04/28 19:14:46 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_4_28_19_14_46.dmp
    [2012/04/28 12:04:21 | 000,000,719 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk
    [2012/04/20 22:02:45 | 000,013,423 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_4_20_22_2_45.dmp
    [2012/04/18 12:52:52 | 000,013,423 | ---- | C] () -- C:\Windows\System32\nmesrvc_core_2012_4_18_12_52_52.dmp
    [2012/04/17 15:12:37 | 000,073,220 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
    [2012/04/17 15:12:37 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
    [2012/04/17 15:12:37 | 000,029,114 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
    [2012/04/17 15:12:37 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
    [2012/04/17 15:12:37 | 000,021,021 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
    [2012/04/17 15:12:37 | 000,015,670 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
    [2012/04/17 15:12:37 | 000,013,280 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
    [2012/04/17 15:12:37 | 000,010,673 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
    [2012/04/17 15:12:37 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
    [2012/04/17 15:12:37 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
    [2012/04/17 15:12:37 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
    [2012/04/17 15:12:37 | 000,001,137 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
    [2012/04/17 15:12:37 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
    [2012/04/17 15:12:37 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
    [2012/04/17 15:12:37 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
    [2012/04/17 15:12:37 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
    [2012/04/17 15:08:57 | 000,000,058 | ---- | C] () -- C:\Windows\System32\EAL32.INI
    [2012/02/06 14:55:20 | 000,010,084 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2012/02/03 12:55:08 | 000,022,016 | ---- | C] () -- C:\Windows\System32\ODBCSTF.DLL
    [2011/11/20 17:26:25 | 000,012,288 | ---- | C] () -- C:\Windows\System32\REGOCX32.EXE
    [2011/10/31 12:29:47 | 000,000,896 | ---- | C] () -- C:\Windows\ODBCINST.INI
    [2011/10/15 01:54:52 | 000,321,856 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
    [2011/10/12 08:47:03 | 000,001,480 | ---- | C] () -- C:\Windows\ODBC.INI
    [2011/10/10 14:49:15 | 000,069,632 | ---- | C] () -- C:\Windows\aaRemove.exe
    [2011/10/10 13:08:28 | 001,481,728 | ---- | C] () -- C:\Windows\System32\LegitCheckControl.dll
    [2011/10/10 13:08:28 | 000,323,072 | ---- | C] () -- C:\Windows\System32\WgaTray.exe
    [2011/10/10 13:08:28 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll
    [2011/07/20 09:32:49 | 000,000,680 | ---- | C] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat
    [2009/04/11 09:00:17 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2009/04/11 09:00:17 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/04/11 09:00:16 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2008/01/19 07:46:41 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2008/01/19 07:38:47 | 000,378,424 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2008/01/19 07:28:03 | 000,001,702 | ---- | C] () -- C:\Windows\System32\StorageMgmt.dll.config
    [2008/01/19 07:28:03 | 000,001,048 | ---- | C] () -- C:\Windows\System32\SetupNfsIdMap.exe.config
    [2008/01/19 07:28:03 | 000,000,989 | ---- | C] () -- C:\Windows\System32\NfsConfigGuide.exe.config
    [2008/01/19 07:28:03 | 000,000,940 | ---- | C] () -- C:\Windows\System32\ProvisionShare.exe.config
    [2008/01/19 07:28:03 | 000,000,933 | ---- | C] () -- C:\Windows\System32\ProvisionStorage.exe.config
    [2008/01/19 04:56:38 | 001,042,622 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2008/01/19 04:56:38 | 000,291,950 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2008/01/19 04:56:38 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2008/01/19 04:56:38 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2008/01/19 04:45:36 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2008/01/19 01:56:52 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2008/01/19 00:34:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2008/01/03 15:04:28 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2008/01/03 14:57:53 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2004/08/26 06:13:00 | 000,159,744 | ---- | C] () -- C:\Windows\System32\EPSPTDV.DLL

    ========== LOP Check ==========

    [2012/02/07 15:19:59 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Actuate e.Report Designer Professional
    [2012/04/15 15:05:10 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Azureus
    [2011/10/11 08:58:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\ComputerAssociates
    [2012/05/16 12:23:21 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\FlashGet
    [2012/02/06 15:19:49 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Hex-Rays
    [2011/10/31 14:48:11 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\IBM
    [2011/11/18 13:04:52 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\MicroStrategy
    [2011/10/10 16:57:40 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PLSQL Developer
    [2011/10/31 13:21:23 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Software
    [2011/11/01 14:06:53 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Unity
    [2008/01/19 07:51:29 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
    [2008/01/19 07:51:29 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
    [2008/01/19 07:51:29 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
    [2008/01/19 07:51:29 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
    [2011/10/31 12:27:20 | 000,000,000 | ---D | M] -- C:\ProgramData\IBM
    [2008/01/19 07:51:29 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
    [2008/01/19 07:51:29 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
    [2012/05/17 13:10:40 | 000,032,590 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
    -----------------------------------------------------------------------------------------
     
  17. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\assembly\GAC\Desktop.ini
    C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@
    C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@
    C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000032.@ 
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
     
  18. Suneer

    Suneer TS Rookie Topic Starter

    Done. Can I plug in the bootable hard disk and reboot the machine?
    I appreciate your help.


    --------------------------------
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@ moved successfully.
    C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@ moved successfully.
    C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000032.@ moved successfully.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 05182012_005735
    --------------------------------
     
  19. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Go ahead and post new aswMBR log.
     
  20. Suneer

    Suneer TS Rookie Topic Starter

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-05-18 01:38:35
    -----------------------------
    01:38:35.141 OS Version: Windows 6.0.6002 Service Pack 2
    01:38:35.141 Number of processors: 4 586 0x170A
    01:38:35.141 ComputerName: WIN2800 UserName:
    01:38:36.183 Initialize success
    01:38:42.303 AVAST engine defs: 12051700
    01:38:45.983 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    01:38:45.985 Disk 0 Vendor: ST340015A 3.01 Size: 38166MB BusType: 3
    01:38:45.986 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
    01:38:45.988 Disk 1 Vendor: ST3160023A 8.01 Size: 152627MB BusType: 3
    01:38:45.990 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000053
    01:38:45.992 Disk 2 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
    01:38:46.006 Disk 1 MBR read successfully
    01:38:46.009 Disk 1 MBR scan
    01:38:46.012 Disk 1 unknown MBR code
    01:38:46.015 Disk 1 Partition 1 00 07 HPFS/NTFS NTFS 76834 MB offset 63
    01:38:46.020 Disk 1 Partition - 00 0F Extended LBA 75791 MB offset 157356675
    01:38:46.042 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 75790 MB offset 157356738
    01:38:46.047 Disk 1 scanning sectors +312576705
    01:38:46.114 Disk 1 scanning C:\Windows\system32\drivers
    01:38:55.100 Service scanning
    01:39:56.116 Modules scanning
    01:40:18.219 Disk 1 trace - called modules:
    01:40:18.258 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
    01:40:18.264 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x854b29b0]
    01:40:18.269 3 CLASSPNP.SYS[8cb288b3] -> nt!IofCallDriver -> [0x8526af08]
    01:40:18.275 5 acpi.sys[8ca156bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85235b98]
    01:40:19.552 AVAST engine scan C:\Windows
    01:40:21.557 AVAST engine scan C:\Windows\system32
    01:41:51.284 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    01:42:34.625 AVAST engine scan C:\Windows\system32\drivers
    01:42:48.533 AVAST engine scan C:\Users\Administrator
    01:43:41.761 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
    01:43:42.289 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]
    01:43:42.327 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
    01:44:36.033 AVAST engine scan C:\ProgramData
    01:44:59.478 Scan finished successfully
    01:45:18.852 Disk 1 MBR has been saved successfully to "C:\Users\Administrator\Documents\MBR.dat"
    01:45:18.856 The log file has been saved successfully to "C:\Users\Administrator\Documents\aswMBR.txt"
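The helper's next reply ("Not much has changed...") rests on comparing the four paths named in the OTL fix from post #17 with the files this aswMBR scan still flags as **INFECTED**. The following script, an added example that is not part of the thread or of either tool, does that comparison mechanically: it parses the `:Files` section of an OTL fix script and the `File: ... **INFECTED** ...` lines of an aswMBR log, both quoted from the posts above, and lists which fix targets are still detected. The function names, the constructed log excerpt and the `sirefef_style_path` heuristic (GUID-named folder with `L`/`U` subfolders holding `.@` files, the layout the detection names here point at) are this example's own assumptions.

```python
"""Cross-check an OTL fix list against a later aswMBR scan log (added example)."""
import re

# Constructed excerpt of the aswMBR log quoted in post #20 (only the relevant lines).
ASWMBR_LOG = r"""01:40:19.552 AVAST engine scan C:\Windows
01:41:51.284 File: C:\Windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:42:48.533 AVAST engine scan C:\Users\Administrator
01:43:41.761 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
01:43:42.289 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]
01:43:42.327 File: C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
01:44:59.478 Scan finished successfully
"""

# The OTL fix script from post #17, copied verbatim.
OTL_FIX = r"""
:OTL

:Services

:Reg

:Files
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\L\80000032.@
C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000000.@
C:\Users\Administrator\AppData\Local\{ee380fe6-36dc-c547-2cea-172c095ad21b}\U\80000032.@

:Commands
[purity]
"""

# "<timestamp> File: <path> **INFECTED** <detection name> [<category>]"
INFECTED_RE = re.compile(
    r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+) \[(?P<kind>\w+)\]$"
)

# Heuristic (assumption of this example): a .@ file inside a GUID-named folder's
# L or U subfolder, the layout the Sirefef/DNSChanger detections above sit in.
SIREFEF_PATH_RE = re.compile(r"\{[0-9a-f-]{36}\}\\[LU]\\[0-9a-f]{8}\.@$", re.IGNORECASE)


def parse_aswmbr_detections(log_text):
    """Return one dict {path, name, kind} per **INFECTED** line in an aswMBR log."""
    hits = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def parse_otl_fix_files(fix_text):
    """Return the paths listed under the :Files section of an OTL fix script."""
    files, section = [], None
    for raw in fix_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header such as :Files or :Commands
            section = line[1:].lower()
            continue
        if section == "files":
            files.append(line)
    return files


def still_detected(fix_text, log_text):
    """Fix-list paths the later scan still reports as infected (case-insensitive match)."""
    by_path = {d["path"].lower(): d for d in parse_aswmbr_detections(log_text)}
    return [by_path[p.lower()] for p in parse_otl_fix_files(fix_text) if p.lower() in by_path]


def sirefef_style_path(path):
    """True when a path matches the GUID\\[LU]\\xxxxxxxx.@ layout described above."""
    return SIREFEF_PATH_RE.search(path) is not None


if __name__ == "__main__":
    for d in still_detected(OTL_FIX, ASWMBR_LOG):
        flag = " (Sirefef-style path)" if sirefef_style_path(d["path"]) else ""
        print(f'{d["name"]:22} [{d["kind"]}] {d["path"]}{flag}')
```

Run as-is it prints all four fix targets, which is exactly why the helper concludes the OTL fix did not take: a file that was "moved successfully" in the OTLPE log but reappears in the next aswMBR scan is being recreated, so the next step in the thread moves to an offline scan from a rescue disk.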
     
  21. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Not much has changed...

    For the next try you'll have to remove the XP drive again....

    Download Kaspersky Rescue Disk 10
    Burn downloaded .iso file to CD. How to: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

    Boot from Kaspersky Rescue Disk 10. How to boot from CD: http://www.hiren.info/pages/bios-boot-cdrom

    A loading wizard will start (you will see the menu to select the required language). See screenshots here: http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286086
    If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
    Select the required interface language using the arrow-keys on your keyboard.
    Press the Enter key on the keyboard.
    In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
    Click Enter.
    Click 'A' to accept the agreement.
    Select operating system from dropdown menu.
    In Objects Scan tab checkmark:
    • Disk boot sectors
    • Hidden startup objects
    • C:
    Click the My Update Center tab and update if any updates are available.
    Go back to other tab and click Start Object Scan.
    NOTE. Be patient. It will take a while.

    When the scan has completed, save a report:
    • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
    • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
    • On the upper right hand corner of the Detailed report window, click on the Save button.
    • After clicking Detailed Report and 'SAVE', a browse window opens.
    • Double-click on the \
    • Click 'Disks'.
    • All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
    • Click on the Save button.
    • The report has been saved to the file.
    Remove the disk from the drive (or disconnect USB) and reboot normally.

    Post the content of the file for my review.
     
  22. Suneer

    Suneer TS Rookie Topic Starter

    Here is what I did:
    1. Scanned and removed the virus with Kaspersky Rescue Disk 10
    2. Executed OLPE and removed files (instructions from Post #17)
    3. Restarted the machine and executed aswMBR

    :) Looks like everything is working fine, no more pop-ups

    Thanks a lot for your help!

    -----------------------------------------------------------------------------------------------------------
    --------------------------------Kaspersky Rescue Disk 10-------------------------------------
    ----------------------------------------------------------------------------------------------------------

    Objects Scan: completed 1 hour ago (events: 32, objects: 1028438, time: 02:08:38)
    5/19/12 10:06 AM Task completed
    5/19/12 10:06 AM Deleted: Trojan.Win32.Regrun.gjf E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075237.exe
    5/19/12 10:06 AM Detected: Trojan.Win32.Regrun.gjf E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075237.exe/scripts/Uninstall.exe
    5/19/12 10:06 AM Detected: Trojan.Win32.Regrun.gje E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075237.exe/scripts/Cleantool.exe
    5/19/12 10:06 AM Deleted: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075223.exe
    5/19/12 10:05 AM Detected: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075223.exe
    5/19/12 10:03 AM Deleted: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n
    5/19/12 9:59 AM Detected: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n
    5/19/12 9:43 AM Untreated: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n Postponed
    5/19/12 9:43 AM Detected: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n
    5/19/12 9:34 AM Untreated: HEUR:Trojan.Win32.Generic E:/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n Postponed
    5/19/12 9:34 AM Detected: HEUR:Trojan.Win32.Generic E:/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n
    5/19/12 9:33 AM Detected: Trojan.Win32.Regrun.gjf E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075237.exe/scripts/Uninstall.exe
    5/19/12 9:33 AM Untreated: Trojan.Win32.Regrun.gje E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075237.exe/scripts/Cleantool.exe Postponed
    5/19/12 9:33 AM Detected: Trojan.Win32.Regrun.gje E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075237.exe/scripts/Cleantool.exe
    5/19/12 9:33 AM Untreated: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075223.exe Postponed
    5/19/12 9:33 AM Detected: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{4D97CFF1-9B0A-4C8A-8154-803FF093B6F9}/RP166/A0075223.exe
    5/19/12 9:22 AM Untreated: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n Postponed
    5/19/12 9:22 AM Detected: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n
    5/19/12 9:18 AM Untreated: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n Postponed
    5/19/12 9:18 AM Detected: HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-01CD4EA0-0000000000007E00/Users/Administrator/AppData/Local/{ee380fe6-36dc-c547-2cea-172c095ad21b}/n
    5/19/12 8:35 AM Untreated: Trojan-Downloader.JS.Agent.ghy C:/Documents and Settings/Jim/Local Settings/Temporary Internet Files/Content.IE5/RUTDJSLZ/main[1].htm Postponed
    5/19/12 8:35 AM Detected: Trojan-Downloader.JS.Agent.ghy C:/Documents and Settings/Jim/Local Settings/Temporary Internet Files/Content.IE5/RUTDJSLZ/main[1].htm
    5/19/12 8:08 AM Untreated: Net-Worm.Win32.Kolab.ghw C:/Documents and Settings/Jim/Local Settings/Temp/XChat Portable.exe Postponed
    5/19/12 8:08 AM Detected: Net-Worm.Win32.Kolab.ghw C:/Documents and Settings/Jim/Local Settings/Temp/XChat Portable.exe
    5/19/12 8:07 AM Untreated: Net-Worm.Win32.Kolab.ghw C:/Documents and Settings/Jim/Local Settings/Temp/KZS9If.exe Postponed
    5/19/12 8:07 AM Detected: Net-Worm.Win32.Kolab.ghw C:/Documents and Settings/Jim/Local Settings/Temp/KZS9If.exe
    5/19/12 8:04 AM Untreated: Trojan-Spy.Win32.Zbot.ddtn C:/Documents and Settings/Jim/Application Data/Sun/Java/Deployment/cache/6.0/37/4789fa25-2067fd54/PE-Crypt.XorPE Postponed
    5/19/12 8:04 AM Detected: Trojan-Spy.Win32.Zbot.ddtn C:/Documents and Settings/Jim/Application Data/Sun/Java/Deployment/cache/6.0/37/4789fa25-2067fd54/PE-Crypt.XorPE
    5/19/12 7:57 AM Task started
    Objects Scan: completed 1 minute ago (events: 2, objects: 380982, time: 00:42:57)
    5/19/12 11:05 AM Task completed
    5/19/12 10:22 AM Task started

    -----------------------------------------------------------------------------------
    -------------------------------aswMBR---------------------------------------
    -----------------------------------------------------------------------------------
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-05-19 13:51:13
    -----------------------------
    13:51:13.281 OS Version: Windows 6.0.6002 Service Pack 2
    13:51:13.281 Number of processors: 4 586 0x170A
    13:51:13.281 ComputerName: WIN2800 UserName:
    13:51:13.562 Initialize success
    13:51:20.098 AVAST engine defs: 12051800
    13:51:22.797 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    13:51:22.797 Disk 0 Vendor: ST340015A 3.01 Size: 38166MB BusType: 3
    13:51:22.813 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
    13:51:22.813 Disk 1 Vendor: ST3160023A 8.01 Size: 152627MB BusType: 3
    13:51:22.813 Disk 2 \Device\Harddisk2\DR2 -> \Device\00000053
    13:51:22.813 Disk 2 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
    13:51:22.828 Disk 1 MBR read successfully
    13:51:22.828 Disk 1 MBR scan
    13:51:22.828 Disk 1 unknown MBR code
    13:51:22.828 Disk 1 Partition 1 00 07 HPFS/NTFS NTFS 76834 MB offset 63
    13:51:22.844 Disk 1 Partition - 00 0F Extended LBA 75791 MB offset 157356675
    13:51:22.859 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 75790 MB offset 157356738
    13:51:22.859 Disk 1 scanning sectors +312576705
    13:51:22.937 Disk 1 scanning C:\Windows\system32\drivers
    13:51:27.805 Service scanning
    13:51:44.543 Modules scanning
    13:51:48.038 Disk 1 trace - called modules:
    13:51:48.053 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    13:51:48.069 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x854b29b0]
    13:51:48.069 3 CLASSPNP.SYS[8cb268b3] -> nt!IofCallDriver -> [0x85270c10]
    13:51:48.069 5 acpi.sys[8ca136bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85234030]
    13:51:48.428 AVAST engine scan C:\Windows
    13:51:50.237 AVAST engine scan C:\Windows\system32
    13:53:55.318 AVAST engine scan C:\Windows\system32\drivers
    13:54:02.213 AVAST engine scan C:\Users\Administrator
    13:55:25.564 AVAST engine scan C:\ProgramData
    13:55:48.028 Scan finished successfully
    13:56:02.365 Disk 1 MBR has been saved successfully to "C:\Users\Administrator\Documents\MBR.dat"
    13:56:02.380 The log file has been saved successfully to "C:\Users\Administrator\Documents\aswMBR.txt"
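    A practical way to read a Kaspersky Rescue Disk report like the one above is to reconcile each path's Detected / Untreated (Postponed) / Deleted events, so that anything detected but never removed stands out for follow-up. This is an added example, not code from the thread or from Kaspersky; the sample lines are constructed in the report's format and the `{X}` restore-point id is a placeholder.

```python
import re

# Constructed sample modelled on the Kaspersky Rescue Disk 10 report format posted
# in this thread: "<date> <time> <Verdict>: <threat> <path> [Postponed]".
# Newest events come first, as in the real report.
SAMPLE_REPORT = """\
5/19/12 10:06 AM Task completed
5/19/12 10:06 AM Deleted: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{X}/RP166/A0075223.exe
5/19/12 9:33 AM Untreated: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{X}/RP166/A0075223.exe Postponed
5/19/12 9:33 AM Detected: Net-Worm.Win32.Kolab.ghw E:/System Volume Information/_restore{X}/RP166/A0075223.exe
5/19/12 8:04 AM Untreated: Trojan-Spy.Win32.Zbot.ddtn C:/Documents and Settings/Jim/Application Data/Sun/Java/Deployment/cache/6.0/37/PE-Crypt.XorPE Postponed
5/19/12 8:04 AM Detected: Trojan-Spy.Win32.Zbot.ddtn C:/Documents and Settings/Jim/Application Data/Sun/Java/Deployment/cache/6.0/37/PE-Crypt.XorPE
5/19/12 7:57 AM Task started
"""

# Paths may contain spaces, so the path group is non-greedy and the trailing
# "Postponed" marker is matched explicitly rather than left inside the path.
EVENT_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+ [AP]M) "
    r"(?P<verdict>Detected|Untreated|Deleted|Disinfected|Quarantined): "
    r"(?P<threat>\S+) (?P<path>.+?)(?: Postponed)?$"
)

REMOVED = {"Deleted", "Disinfected", "Quarantined"}


def parse_events(text):
    """Yield (verdict, threat, path) for each detection line; skip task markers."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("verdict"), m.group("threat"), m.group("path")


def reconcile(text):
    """Map each detected path to its threat name and final outcome ("deleted", ..., or "unresolved")."""
    outcome = {}
    for verdict, threat, path in parse_events(text):
        entry = outcome.setdefault(path, {"threat": threat, "status": "unresolved"})
        if verdict in REMOVED:
            entry["status"] = verdict.lower()
    return outcome


def unresolved(text):
    """Paths that were detected but never removed in this report: the items still needing attention."""
    return sorted(p for p, e in reconcile(text).items() if e["status"] == "unresolved")
```

In the constructed sample the Kolab worm in the restore point ends as deleted, while the Zbot entry in the old profile's Java cache was only ever postponed, which is exactly the kind of leftover worth checking before declaring a machine clean.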
     
  23. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good news :)
    You got lucky because, as I said before, there are not too many tools available for your Windows version.

    Good luck and stay safe :)
     