1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Google redirect

Discussion in 'Malware and Virus Removal Archive' started by natasha, 2011/01/02.

Page 3 of 4
  1. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You still owe me OTL.txt log.
    You posted Extras.txt only.
     
    broni,
    #41
  2. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    OTL logfile created on: 1/3/2011 2:14:38 PM - Run 1
    OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\user\Desktop\spy ware programs
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,015.00 Mb Total Physical Memory | 465.00 Mb Available Physical Memory | 46.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 48.83 Gb Total Space | 27.96 Gb Free Space | 57.25% Space Free | Partition Type: NTFS
    Drive D: | 74.22 Gb Total Space | 72.81 Gb Free Space | 98.10% Space Free | Partition Type: NTFS

    Computer Name: RAJ | User Name: user | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/01/03 14:13:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\spy ware programs\OTL.exe
    PRC - [2011/01/02 20:41:50 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/12/13 08:39:53 | 000,389,288 | ---- | M] (Avira GmbH) -- c:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
    PRC - [2010/09/13 09:52:56 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    PRC - [2010/06/02 18:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2010/03/19 00:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2009/03/30 02:47:00 | 000,254,042 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\WDM\stacsv.exe
    PRC - [2008/12/11 04:23:08 | 000,604,776 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    PRC - [2008/08/26 04:02:24 | 000,014,336 | ---- | M] (Agere Systems) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
    PRC - [2008/04/13 19:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/01/03 14:13:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\spy ware programs\OTL.exe
    MOD - [2010/09/13 09:54:09 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2008/12/11 04:22:02 | 000,094,273 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
    MOD - [2008/12/11 04:20:20 | 000,069,697 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
    SRV - [2010/03/19 00:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009/03/30 02:47:00 | 000,254,042 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
    SRV - [2008/08/26 04:02:24 | 000,014,336 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\A2.tmp -- (MEMSWEEP2)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/03/30 02:47:00 | 001,550,891 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2009/03/27 02:08:00 | 000,296,960 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2009/03/04 00:31:00 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
    DRV - [2009/02/18 03:41:56 | 000,113,536 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
    DRV - [2009/01/21 02:42:56 | 006,278,560 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
    DRV - [2009/01/14 05:16:20 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
    DRV - [2009/01/14 05:16:18 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
    DRV - [2008/10/29 05:43:44 | 001,204,128 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2008/09/26 08:01:00 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/04/28 04:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
    DRV - [2008/04/13 14:26:08 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
    DRV - [2008/04/13 12:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007/06/18 06:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
    DRV - [2007/02/08 07:45:00 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ActionReplayDS.sys -- (ActionReplayDS)
    DRV - [2001/08/23 08:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
    DRV - [2001/08/23 08:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "www.google.com "
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
    FF - prefs.js..extensions.enabledItems: addon@privacychoice.org:3.0.7
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
    FF - prefs.js..network.proxy.no_proxies_on: "*.local "
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/09/13 09:54:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/02 20:42:05 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/02 20:42:05 | 000,000,000 | ---D | M]

    [2010/07/06 20:17:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
    [2011/01/02 19:40:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\denmoxky.default\extensions
    [2010/07/06 20:20:05 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\denmoxky.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2010/07/06 20:20:04 | 000,000,000 | ---D | M] ( "PrivacyChoice Opt-out ") -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\denmoxky.default\extensions\addon@privacychoice.org
    [2010/12/31 23:05:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/09/13 09:54:09 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT

    O1 HOSTS File: ([2011/01/03 13:31:02 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - HKLM..\Run: [HPCam_Menu] c:\Program Files\Hewlett-Packard\HP Webcam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [MSS] C:\Documents and Settings\All Users\Application Data\c1a53ea\MSc1a5_289.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.google.com/s/v/62.14/uploader2.cab (UploadListView Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 216.230.147.90 216.230.128.32
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/02/14 07:59:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/01/03 13:35:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/01/03 13:25:51 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/01/03 12:37:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Avira
    [2011/01/03 12:12:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/01/03 12:12:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/01/03 12:12:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/01/03 12:12:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/01/03 12:12:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/01/03 12:11:16 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/01/03 11:12:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/01/03 11:12:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/01/03 11:12:07 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/01/03 10:11:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
    [2011/01/03 10:11:16 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2011/01/03 10:11:13 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/01/03 10:11:13 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2011/01/03 10:11:13 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2011/01/03 10:11:13 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2011/01/03 10:11:12 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2011/01/03 10:11:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2011/01/03 09:33:40 | 000,141,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
    [2011/01/03 07:44:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
    [2011/01/03 07:43:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
    [2011/01/02 23:31:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
    [2011/01/02 23:31:01 | 003,137,976 | ---- | C] (McAfee, Inc.) -- C:\DMSetup.exe
    [2011/01/02 10:40:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
    [2011/01/01 18:55:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
    [2011/01/01 17:33:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\PackageAware
    [2011/01/01 17:27:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
    [2011/01/01 17:27:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/01/01 17:27:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/01/01 17:26:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\spy ware programs
    [2011/01/01 12:34:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
    [2011/01/01 12:34:17 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/01/01 12:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2010/12/31 23:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Unused Desktop Shortcuts
    [2010/12/31 23:03:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
    [2010/12/31 23:00:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
    [2010/12/31 23:00:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2010/12/31 23:00:15 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010/12/30 18:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\New Folder (2)
    [2010/12/24 16:34:36 | 000,000,000 | ---D | C] -- C:\Program Files\100% Free Toolbar
    [2010/12/24 16:34:31 | 000,000,000 | ---D | C] -- C:\Program Files\DreamQuest
    [2010/12/09 21:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Reverse_Engineering-Highly_Complex_Machinery-(FX095)-2010-KOUALA
    [2010/12/09 16:59:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\New Folder
    [2010/12/04 19:53:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\New Folder(2)

    ========== Files - Modified Within 30 Days ==========

    [2011/01/03 14:13:27 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-1647877149-725345543-1003.job
    [2011/01/03 14:13:27 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-1647877149-725345543-1003.job
    [2011/01/03 13:31:09 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
    [2011/01/03 13:31:02 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/01/03 13:30:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/01/03 13:25:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/01/03 11:22:57 | 000,395,768 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/01/03 11:22:57 | 000,059,842 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/01/03 11:18:13 | 000,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/01/03 11:12:14 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/03 10:11:33 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2011/01/03 10:08:32 | 059,325,912 | ---- | M] () -- C:\avira_antivir_personal_en.exe
    [2011/01/03 07:46:23 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/01/02 23:31:16 | 003,137,976 | ---- | M] (McAfee, Inc.) -- C:\DMSetup.exe
    [2011/01/02 19:17:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/01/01 13:05:03 | 000,000,361 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2010/12/29 17:59:36 | 000,009,932 | ---- | M] () -- C:\Documents and Settings\user\My Documents\http.docx
    [2010/12/29 16:45:18 | 000,080,730 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Zi6_2969.JPG
    [2010/12/28 20:02:36 | 000,004,224 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Spinning-Vortex-865095.jpg
    [2010/12/22 22:15:44 | 000,011,672 | ---- | M] () -- C:\Documents and Settings\user\My Documents\MEDITATION TECHNIQUE FOR PAIN HEALING.docx
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/18 19:17:14 | 000,041,184 | ---- | M] () -- C:\Documents and Settings\user\Desktop\www.AllSubs.org_acteurs-les-english-subtitles-subtitle-2000_15274.zip
    [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

    ========== Files Created - No Company Name ==========

    [2011/01/03 13:25:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/01/03 13:25:52 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/01/03 12:12:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/01/03 12:12:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/01/03 12:12:10 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/01/03 12:12:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/01/03 12:12:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/01/03 11:12:14 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/01/03 10:11:33 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2011/01/03 09:33:17 | 059,325,912 | ---- | C] () -- C:\avira_antivir_personal_en.exe
    [2011/01/03 07:44:30 | 000,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
    [2011/01/01 13:05:01 | 000,000,361 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2010/12/29 17:59:36 | 000,009,932 | ---- | C] () -- C:\Documents and Settings\user\My Documents\http.docx
    [2010/12/29 16:45:16 | 000,080,730 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Zi6_2969.JPG
    [2010/12/28 20:02:35 | 000,004,224 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Spinning-Vortex-865095.jpg
    [2010/12/22 17:01:12 | 000,011,672 | ---- | C] () -- C:\Documents and Settings\user\My Documents\MEDITATION TECHNIQUE FOR PAIN HEALING.docx
    [2010/12/18 19:17:13 | 000,041,184 | ---- | C] () -- C:\Documents and Settings\user\Desktop\www.AllSubs.org_acteurs-les-english-subtitles-subtitle-2000_15274.zip
    [2010/06/17 08:57:09 | 000,000,216 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2010/06/16 06:53:20 | 000,000,522 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2010/04/20 02:32:37 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/02/15 01:38:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\QSwitch.txt
    [2010/02/15 01:38:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DSwitch.txt
    [2010/02/15 01:38:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\AtStart.txt
    [2010/02/14 11:42:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2008/12/11 04:22:10 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
    [2001/11/14 02:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

    ========== LOP Check ==========

    [2010/10/04 12:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\c1a53ea
    [2010/02/14 22:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
    [2010/11/24 21:15:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zoom Player
    [2010/04/12 00:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/01/03 13:31:09 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/02/14 07:59:44 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011/01/03 10:08:32 | 059,325,912 | ---- | M] () -- C:\avira_antivir_personal_en.exe
    [2010/02/14 07:54:29 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/01/03 13:25:54 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/01/03 13:35:08 | 000,015,131 | ---- | M] () -- C:\ComboFix.txt
    [2010/02/14 07:59:44 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2011/01/02 23:31:16 | 003,137,976 | ---- | M] (McAfee, Inc.) -- C:\DMSetup.exe
    [2010/02/14 07:59:44 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/02/14 07:59:44 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/03 16:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/02/15 00:37:46 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/01/03 13:30:46 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2010/02/14 07:59:23 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/10/26 09:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2010/06/08 16:21:54 | 000,001,674 | -H-- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2010/02/14 11:40:55 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2010/02/14 11:40:55 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2010/02/14 11:40:55 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010/02/15 00:42:49 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/02/15 01:19:18 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2010/02/14 08:47:37 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/13 09:23:50 | 002,845,488 | ---- | M] () -- C:\Documents and Settings\user\Desktop\installer_realplayer_sp_1_1_5_English.exe
    [2010/04/11 23:59:57 | 097,525,032 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\user\Desktop\iTunesSetup.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/02/15 01:19:18 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\user\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/01/03 13:36:30 | 000,327,680 | ---- | M] () -- C:\Documents and Settings\user\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008/04/13 19:42:40 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 19:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/03 15:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/03 15:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 08:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 13:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 19:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 13:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 13:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 13:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/03 15:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/03 15:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
    natasha,
    #42


  3. to hide this advert.

  4. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ===============================================================

    Run OTL
    • Under the [color= "#0000FF"]Custom Scans/Fixes[/color] box at the bottom, paste in the following

      Code:
      :OTL
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
O4 - HKCU..\Run: [MSS] C:\Documents and Settings\All Users\Application Data\c1a53ea\MSc1a5_289.exe ()
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...8f/wvc1dmo.cab (Reg Error: Key error.)
[2011/01/02 23:31:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/01/02 23:31:01 | 003,137,976 | ---- | C] (McAfee, Inc.) -- C:\DMSetup.exe
[2010/10/04 12:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\c1a53ea


:Files
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee


:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
    • Then click the [color= "#FF0000"]Run Fix[/color] button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ==============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
    broni,
    #43
  5. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    JavaRa 1.16 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Mon Jan 03 19:38:45 2011

    Found and removed: C:\Documents and Settings\user\Application Data\Sun\Java\jre1.6.0_20

    Found and removed: Applications\java.exe

    Found and removed: Applications\javaw.exe

    Found and removed: JavaPlugin.FamilyVersionSupport

    Found and removed: CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}

    Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC}

    Found and removed: JavaScript

    Found and removed: JavaScript Author

    Found and removed: JavaScript1.1

    Found and removed: JavaScript1.1 Author

    Found and removed: JavaScript1.2

    Found and removed: JavaScript1.2 Author

    Found and removed: Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}

    Found and removed: SOFTWARE\Classes\JavaPlugin

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

    Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.3

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.2

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.2.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.3

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.3.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4.1

    Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.5

    ------------------------------------

    Finished reporting.
     
    natasha,
    #44
  6. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    Process mfevtps.exe killed successfully!
    Error: No service named mfevtp was found to stop!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfevtp deleted successfully.
    C:\WINDOWS\system32\mfevtps.exe moved successfully.
    Service mferkdk stopped successfully!
    Service mferkdk deleted successfully!
    File C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys not found.
    Service mfeapfk stopped successfully!
    Service mfeapfk deleted successfully!
    C:\WINDOWS\system32\drivers\mfeapfk.sys moved successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MSS deleted successfully.
    C:\Documents and Settings\All Users\Application Data\c1a53ea\MSc1a5_289.exe moved successfully.
    Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
    C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    C:\Documents and Settings\All Users\Application Data\McAfee\WinCore folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\MISP\Install folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\MISP folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McMSCIns\Install folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McMSCIns folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\MasterInstaller\Install folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\MasterInstaller folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common\Install folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\McAfee folder moved successfully.
    C:\DMSetup.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\c1a53ea folder moved successfully.
    ========== FILES ==========
    File\Folder C:\WINDOWS\system32\mfevtps.exe not found.
    File\Folder C:\Program Files\McAfee not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: user
    ->Temp folder emptied: 28274814 bytes
    ->Temporary Internet Files folder emptied: 901939 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 59103382 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 990 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 108384 bytes

    Total Files Cleaned = 84.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: user
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.20.1 log created on 01032011_194105

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
    natasha,
    #45
  7. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    security check report

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:
    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:
    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player 10.1.53.64
    Adobe Reader 9
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````
     
    natasha,
    #46
  8. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page:

    [​IMG]

    make sure, you have both boxes UN-checked AND (important!) click on Decline button
     
    broni,
    #47
  9. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    two problems
    1) a window WINDOWS GENUENE ADVANTAGE NOTIFICATION keeps popping up
    2) a window jusched.eve has encountered problems... keeps popping up

    I have yet to do the ESET online antivirus scanner.
    Do I need to download that or may I use the antivirus scanner I already have?
    thanks
     
    natasha,
    #48
  10. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    For now, run Eset online scanner.
     
    broni,
    #49
  11. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    BRONI,
    THE Eset online scanner is taking way too long to run
    I was on the screen (part , right after unchecking remove threat)
    it downloaded like 8% in 26 minutes...

    Since the antivirus is also disabled during the time

    should I be concerned?
    please comment

    I stop it now to come on line and write this message
     
    natasha,
    #50
  12. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No. Leave it overnight.
     
    broni,
    #51
  13. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    Broni
    the eset online scanner keeps giving me
    unexpected error 2002
    I found it 100% scanned but with this remark
    I tried again this morning same story.
    please sugges
     
    natasha,
    #52
  14. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    I deleted Est online scanner
    trying to download again and rerun

    THe est tells me that it is detecting another virus program which may cause problems
    but avira antivurus program has been turned off.. is this responsible for the error
    message at the end?
     
    natasha,
    #53
  15. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    Dah! you guys must want to slap us silly.
    I read the email you send and it says
    very clearly
    no log will be produced if there is not threats.

    I am assume there is no log
    cause there is no threats
    the only message in red
    is unexpected error 2002. but scan 100% completed.

    what is next?
    the adobe stuff
    will do it now
     
    natasha,
    #54
  16. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    Adobe done
    the program unistall old versions itself.

    NOw
    still experiencing
    the jusched.eve ( the symbol looks related to java) window pops up
    saying has encountered some problem and needs to close
    I simply close the window and nothing else happens
    but it is annoying
    the other window that pops up
    is Windows Genuine Advantage Notification

    All else seem to be fine.

    what is next Captain?
     
    natasha,
    #55
  17. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    you guys are smart
    if you had shown me or given me
    everything I had to do in the beginning
    I would have been afraid and ran

    but feeding it little at a time.. makes it a bit more doable.

    Thanks
     
    natasha,
    #56
  18. 2011/01/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    The above process is not needed as a startup, so we can disable it.

    Download, and install Quick Startup: http://www.glarysoft.com/qs.html
    Go File>Export, save report, and paste it into your next post.

    What exactly does it say?
     
    broni,
    #57
  19. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    please tell me how to disable the jusched.eve stuff

    next time the windows genuine adv not.... pops up .. I will write it down
    it actually says something about
    it will verify which programs are authentic and has a symbol that looks like a snow flake.
    I will see when it comes up again.
     
    natasha,
    #58
  20. 2011/01/04
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    here is the export log

    Startup List report created on 1/4/2011 by Startup Manager


    Name: HPCam_Menu
    Path: "c:\Program Files\Hewlett-Packard\HP Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files\Hewlett-Packard\HP Webcam" UpdateWithCreateOnce "Software\CyberLink\HP Webcam\1.0 "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: QlbCtrl.exe
    Path: C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: GrooveMonitor
    Path: "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: QuickTime Task
    Path: "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: iTunesHelper
    Path: "C:\Program Files\iTunes\iTunesHelper.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: DivXUpdate
    Path: "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: TkBellExe
    Path: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: avgnt
    Path: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: SunJavaUpdateSched
    Path: "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Adobe Reader Speed Launcher
    Path: "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Adobe ARM
    Path: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Skype
    Path: "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: ctfmon.exe
    Path: C:\WINDOWS\system32\ctfmon.exe
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Bluetooth
    Path: C:\PROGRA~1\WIDCOMM\BLUETO~1\BTTray.exe
    Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: McAfee Security Scan Plus
    Path: C:\PROGRA~1\MCAFEE~1\20DEB9~1.181\SSSCHE~1.EXE
    Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: OneNote 2007 Screen Clipper and Launcher
    Path: C:\PROGRA~1\MICROS~2\Office12\ONENOTEM.EXE /tsr
    Location: C:\Documents and Settings\user\Start Menu\Programs\Startup
    Status: Enabled
    ------------------------------------------------------------------------------------------
    Total 16 Items
     
    natasha,
    #59
  21. 2011/01/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Actually, we can disable more than just Java scheduler (no actual programs will be removed).

    Re-run "Quick startup" and UN-check following items:

    GrooveMonitor
    iTunesHelper
    DivXUpdate
    TkBellExe
    SunJavaUpdateSched
    Adobe ARM
    Skype
    McAfee Security Scan Plus

    Restart computer.

    When done...

    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
    broni,
    #60
Page 3 of 4

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...