
Inactive Backdoors and PWS.Fignotok. BSOD when trying to remove the files

Discussion in 'Malware and Virus Removal Archive' started by impedrolee, 2011/03/14.

  1. 2011/03/15
    broni (Moderator, Malware Analyst; joined 2002/08/01, 21,701 messages, 116 likes received)

    That looks fine.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  2. 2011/03/16
    impedrolee (Inactive, Thread Starter; joined 2011/03/14, 19 messages, 0 likes received)

    I got an OTL log but not an Extras log.

    OTL logfile created on: 3/16/2011 6:49:14 PM - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\user1\Desktop
    64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8080.16413)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 29.00% Memory free
    4.00 Gb Paging File | 2.00 Gb Available in Paging File | 60.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 233.75 Gb Total Space | 67.16 Gb Free Space | 28.73% Space Free | Partition Type: NTFS
    Drive D: | 3.16 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: USER1-PC | User Name: user1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/03/16 18:33:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\user1\Desktop\OTL.exe
    PRC - [2011/03/15 23:17:20 | 000,638,976 | ---- | M] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe
    PRC - [2011/03/15 22:08:59 | 000,213,442 | -H-- | M] () -- C:\Users\user1\ctfmon.exe
    PRC - [2011/01/14 10:55:56 | 002,250,616 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
    PRC - [2011/01/03 22:04:06 | 000,395,640 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files (x86)\uTorrent\uTorrent.exe
    PRC - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2010/09/01 00:26:04 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    PRC - [2010/05/21 07:27:04 | 000,173,352 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
    PRC - [2010/05/20 16:26:28 | 000,762,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\vVX1000.exe
    PRC - [2010/01/07 03:31:06 | 000,233,472 | ---- | M] (INCA Internet Co., Ltd. ) -- C:\Program Files (x86)\INCAInternet\nProtect HKP\nphkpsvc.exe
    PRC - [2009/06/10 17:23:22 | 001,169,224 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    PRC - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/03/16 18:33:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\user1\Desktop\OTL.exe
    MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
    MOD - [2009/07/13 21:15:48 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\mssprxy.dll
    MOD - [2009/07/13 21:15:21 | 000,828,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\fontext.dll
    MOD - [2009/07/13 21:15:21 | 000,093,696 | ---- | M] (Windows (R) Codename Longhorn DDK provider) -- C:\Windows\SysWOW64\fms.dll
    MOD - [2009/07/13 21:09:00 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2011/01/03 20:58:02 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2010/05/20 16:26:28 | 000,199,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)
    SRV:64bit: - [2010/04/09 08:26:20 | 001,038,088 | ---- | M] (Acresso Software Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
    SRV:64bit: - [2009/11/13 11:28:38 | 000,129,536 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2011/03/03 17:02:40 | 000,407,336 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2011/01/14 10:55:56 | 002,250,616 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe -- (TeamViewer6)
    SRV - [2011/01/05 21:35:22 | 003,129,432 | ---- | M] () [Auto | Running] -- c:\Program Files (x86)\Common Files\Akamai\netsession_win_dbc0250.dll -- (Akamai)
    SRV - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2010/05/21 07:27:04 | 000,173,352 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe -- (TeamViewer5)
    SRV - [2010/04/09 08:26:08 | 000,655,624 | ---- | M] (Acresso Software Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/03/08 12:26:00 | 003,519,560 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
    SRV - [2010/01/07 03:31:06 | 000,233,472 | ---- | M] (INCA Internet Co., Ltd. ) [Auto | Running] -- C:\Program Files (x86)\INCAInternet\nProtect HKP\nphkpsvc.exe -- (nphkpsvc)
    SRV - [2009/06/17 11:18:42 | 006,582,912 | ---- | M] () [Disabled | Stopped] -- c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe -- (wampmysqld)
    SRV - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/12/10 01:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [Disabled | Stopped] -- c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe -- (wampapache)
    SRV - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2011/02/18 17:36:58 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2011/01/27 13:23:42 | 000,871,408 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
    DRV:64bit: - [2011/01/09 21:52:19 | 000,021,832 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)
    DRV:64bit: - [2011/01/03 20:58:01 | 008,120,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
    DRV:64bit: - [2011/01/03 20:58:01 | 008,120,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2011/01/03 20:55:58 | 000,289,792 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2011/01/03 20:52:09 | 000,116,752 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
    DRV:64bit: - [2010/12/20 18:08:40 | 000,024,152 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
    DRV:64bit: - [2010/07/21 17:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
    DRV:64bit: - [2010/06/23 10:10:56 | 000,344,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2010/05/20 16:26:28 | 002,060,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VX1000.sys -- (VX1000)
    DRV:64bit: - [2010/04/11 19:45:41 | 000,076,968 | ---- | M] (SafeNet Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GrandUsb.sys -- (Grand)
    DRV:64bit: - [2010/04/11 19:45:39 | 000,013,864 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\hostnt.sys -- (HOSTNT)
    DRV:64bit: - [2009/08/23 10:02:30 | 000,120,336 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/07/13 20:10:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rootmdm.sys -- (ROOTMODEM)
    DRV:64bit: - [2009/07/13 20:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
    DRV:64bit: - [2009/06/19 22:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
    DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV:64bit: - [2009/04/08 14:28:46 | 000,068,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
    DRV:64bit: - [2009/03/27 01:23:54 | 000,019,432 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\cpuz132_x64.sys -- (cpuz132)
    DRV:64bit: - [2009/02/13 11:02:52 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
    DRV:64bit: - [2009/01/09 15:02:08 | 000,031,744 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys -- (RimVSerPort)
    DRV:64bit: - [2008/05/20 18:33:36 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
    DRV - [2005/01/03 02:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7A 2D 66 FE 8D D7 CA 01 [binary data]
    IE - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Bing "
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "google.com "
    FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.5
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:2.7.2.0
    FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23


    FF - HKLM\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\Firefox [2010/05/21 17:03:49 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/06 20:16:00 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/07/19 10:41:16 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/12/20 19:40:58 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/12/20 19:40:58 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

    [2010/03/18 06:55:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user1\AppData\Roaming\Mozilla\Extensions
    [2011/01/18 17:20:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles\h0mkxkaf.default\extensions
    [2010/11/10 23:18:39 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles\h0mkxkaf.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
    [2010/11/10 23:14:32 | 000,000,000 | ---D | M] ( "DVDVideoSoft Menu ") -- C:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles\h0mkxkaf.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
    [2010/06/05 14:41:42 | 000,001,834 | ---- | M] () -- C:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles\h0mkxkaf.default\searchplugins\bing.xml
    [2011/03/09 19:09:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2010/06/25 14:23:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/09/13 18:15:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/12/04 11:09:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2010/12/19 18:03:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/03/09 19:09:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2010/06/06 20:16:00 | 000,000,000 | ---D | M] (HP Smart Web Printing) -- C:\PROGRAM FILES (X86)\HP\DIGITAL IMAGING\SMART WEB PRINTING\MOZILLAADDON3
    [2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/03/10 19:56:42 | 000,113,308 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 avg.com
    O1 - Hosts: 127.0.0.1 avp.com
    O1 - Hosts: 127.0.0.1 rads.mcafee.com
    O1 - Hosts: 127.0.0.1 scanner.novirusthanks.org
    O1 - Hosts: 127.0.0.1 secure.nai.com
    O1 - Hosts: 127.0.0.1 securityresponse.symantec.com
    O1 - Hosts: 127.0.0.1 sophos.com
    O1 - Hosts: 127.0.0.1 symantec.com
    O1 - Hosts: 127.0.0.1 threatexpert.com
    O1 - Hosts: 127.0.0.1 trendmicro.com
    O1 - Hosts: 127.0.0.1 ca.com
    O1 - Hosts: 127.0.0.1 customer.symantec.com
    O1 - Hosts: 127.0.0.1 dispatch.mcafee.com
    O1 - Hosts: 127.0.0.1 download.mcafee.com
    O1 - Hosts: 127.0.0.1 f-secure.com
    O1 - Hosts: 127.0.0.1 kaspersky-labs.com
    O1 - Hosts: 127.0.0.1 kaspersky.com
    O1 - Hosts: 127.0.0.1 liveupdate.symantec.com
    O1 - Hosts: 127.0.0.1 liveupdate.symantecliveupdate.com
    O1 - Hosts: 127.0.0.1 mast.mcafee.com
    O1 - Hosts: 127.0.0.1 mcafee.com
    O1 - Hosts: 127.0.0.1 my-etrust.com
    O1 - Hosts: 127.0.0.1 nai.com
    O1 - Hosts: 127.0.0.1 networkassociates.com
    O1 - Hosts: 127.0.0.1 update.symantec.com
    O1 - Hosts: 4857 more lines...
    O4:64bit: - HKLM..\Run: [IntelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4:64bit: - HKLM..\Run: [VX1000] C:\Windows\vVX1000.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [MSWUpdate] File not found
    O4 - HKLM..\Run: [SVC Host] File not found
    O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [46335] C:\Users\user1\ctfmon.exe ()
    O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [ctfmon] C:\Users\user1\ctfmon.exe ()
    O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [MSWUpdate] File not found
    O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [SVC Host] File not found
    O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [uTorrent] C:\Program Files (x86)\uTorrent\uTorrent.exe (BitTorrent, Inc.)
    O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [Windows Updater] File not found
    O4 - Startup: C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe ()
    O4 - Startup: C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rundll32.dll ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: SVC Host = C:\Users\user1\AppData\Roaming\svchost.exe
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\..Trusted Domains: ichotelsgroup.com ([secure] https in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - ( "C:\Users\user1\AppData\Roaming\lsass.exe ") - File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/12/09 14:56:08 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{659daa32-5f4d-11df-8211-001d7d002fa4}\Shell - " " = AutoRun
    O33 - MountPoints2\{659daa32-5f4d-11df-8211-001d7d002fa4}\Shell\AutoRun\command - " " = "F:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{68de001a-2a3a-11e0-a77f-001d7d002fa4}\Shell - " " = AutoRun
    O33 - MountPoints2\{68de001a-2a3a-11e0-a77f-001d7d002fa4}\Shell\AutoRun\command - " " = E:\Autorun.exe
    O33 - MountPoints2\{f8c5f8f7-ba86-11df-a6c8-001d7d002fa4}\Shell - " " = AutoRun
    O33 - MountPoints2\{f8c5f8f7-ba86-11df-a6c8-001d7d002fa4}\Shell\AutoRun\command - " " = G:\LaunchU3.exe
    O33 - MountPoints2\E\Shell - " " = AutoRun
    O33 - MountPoints2\E\Shell\AutoRun\command - " " = E:\Autorun.exe
    O33 - MountPoints2\F\Shell - " " = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - " " = F:\RunGame.exe
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/16 18:33:29 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\user1\Desktop\OTL.exe
    [2011/03/16 09:45:08 | 000,000,000 | ---D | C] -- C:\Users\user1\Desktop\vp
    [2011/03/15 21:22:39 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2011/03/15 20:04:16 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
    [2011/03/14 19:34:53 | 000,000,000 | ---D | C] -- C:\Users\user1\AppData\Roaming\Malwarebytes
    [2011/03/14 19:34:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    [2011/03/14 19:34:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/03/14 19:34:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/03/14 19:34:46 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2011/03/14 19:34:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2011/03/14 19:32:02 | 000,000,000 | ---D | C] -- C:\Users\user1\AppData\Roaming\fag.exe
    [2011/03/10 19:48:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
    [2011/03/10 19:48:14 | 000,000,000 | ---D | C] -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
    [2011/03/10 19:21:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
    [2011/03/10 19:21:17 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
    [2011/03/10 18:58:59 | 000,000,000 | ---D | C] -- C:\Windows\BDOSCAN8
    [2011/03/10 17:55:12 | 000,000,000 | RHSD | C] -- C:\Users\user1\AppData\Roaming\sysanalizer
    [2011/03/09 19:15:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
    [2011/03/09 19:03:06 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
    [2011/03/07 20:17:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2011/03/07 20:17:09 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
    [2011/03/07 20:17:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
    [2011/03/07 20:17:09 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2011/03/07 20:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
    [2011/03/07 20:14:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Bonjour
    [2011/03/05 09:11:46 | 000,000,000 | ---D | C] -- C:\Users\user1\AppData\Roaming\NVIDIA
    [2011/03/03 20:39:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft LifeCam
    [2011/03/03 20:37:51 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft LifeCam
    [2011/03/03 20:37:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft LifeCam
    [2011/03/01 21:04:29 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
    [2011/03/01 21:04:29 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
    [2011/03/01 20:41:18 | 000,000,000 | RHSD | C] -- C:\Users\user1\AppData\Roaming\install
    [2011/03/01 00:26:39 | 000,000,000 | RHSD | C] -- C:\Windows\SysWow64\install
    [2011/02/28 23:28:39 | 000,000,000 | ---D | C] -- C:\ProgramData\TeamViewer GmbH
    [2011/02/25 18:33:53 | 000,080,896 | RHS- | C] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\winlogon.exe
    [2011/02/25 18:33:53 | 000,080,896 | RHS- | C] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\ctfmon.exe
    [2011/02/24 15:39:57 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
    [2011/02/24 15:39:06 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
    [2011/02/24 11:00:10 | 000,000,000 | ---D | C] -- C:\Downloads
    [2011/02/23 22:32:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Farbs
    [2011/02/23 22:31:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ROM CHECK FAIL
    [2011/02/23 22:31:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ROM CHECK FAIL
    [2011/02/16 23:28:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMR to MP3 Converter
    [2011/02/16 23:28:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMR to MP3 Converter
    [2011/02/16 20:25:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SimPE
    [2011/02/16 20:25:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SimPE
    [2011/02/16 19:09:49 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\neoncube
    [2011/02/16 18:55:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\EKRO
    [2011/02/14 19:30:12 | 000,278,016 | ---- | C] (Watermarker.com) -- C:\Windows\SysWow64\aisExif.dll
    [2011/02/14 19:30:11 | 000,113,664 | ---- | C] (Desaware) -- C:\Windows\SysWow64\APIGID32.DLL
    [2011/02/14 19:30:11 | 000,057,344 | ---- | C] (MicroProse Software) -- C:\Windows\SysWow64\mp3SpecX4.dll
    [2011/02/14 19:30:05 | 000,231,139 | ---- | C] (Innovasys) -- C:\Windows\SysWow64\BtnPlus1.ocx
    [2011/02/14 19:30:03 | 000,167,936 | ---- | C] (Common Controls Replacement Project (CCRP)) -- C:\Windows\SysWow64\ccrpftv6.ocx
    [2011/02/14 19:29:59 | 000,178,889 | ---- | C] (Innovasys) -- C:\Windows\SysWow64\FraPlus1.ocx
    [2011/02/14 19:29:58 | 000,076,496 | ---- | C] (Mabry Software, Inc.) -- C:\Windows\SysWow64\mftp32.ocx
    [2011/02/14 19:29:54 | 000,065,536 | ---- | C] (Global Components (GlobalCom@pobox.com)) -- C:\Windows\SysWow64\sblist.ocx
    [2011/02/14 19:29:49 | 000,129,024 | ---- | C] (Visual Design Softscape AB) -- C:\Windows\SysWow64\vdgt.ocx
    [2011/02/14 19:28:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Creative Element Power Tools
    [2009/07/13 16:46:42 | 001,169,224 | ---- | C] (Microsoft Corporation) -- C:\Users\user1\AppData\Roaming\flyryan.exe
    [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/03/16 18:49:15 | 000,057,783 | ---- | M] () -- C:\Users\user1\AppData\Roaming\data.dat
    [2011/03/16 18:34:53 | 000,730,320 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2011/03/16 18:34:53 | 000,626,844 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2011/03/16 18:34:53 | 000,107,160 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2011/03/16 18:33:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\user1\Desktop\OTL.exe
    [2011/03/16 18:29:16 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/03/16 18:29:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/03/16 18:29:00 | 459,362,330 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2011/03/16 18:28:55 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
    [2011/03/16 18:25:11 | 000,001,381 | ---- | M] () -- C:\Users\user1\AppData\Roaming\fag.exe - Shortcut.lnk
    [2011/03/16 18:11:02 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/03/16 17:54:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4075034839-4242574894-474356320-1000UA.job
    [2011/03/15 23:37:48 | 000,014,848 | -H-- | M] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rundll32.dll
    [2011/03/15 23:32:02 | 000,000,823 | ---- | M] () -- C:\Windows\SysWow64\mail.dat
    [2011/03/15 23:31:56 | 000,000,749 | ---- | M] () -- C:\Windows\SysWow64\mess.dat
    [2011/03/15 23:17:20 | 000,638,976 | ---- | M] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe
    [2011/03/15 22:08:59 | 000,213,442 | -H-- | M] () -- C:\Users\user1\ctfmon.exe
    [2011/03/15 20:54:00 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4075034839-4242574894-474356320-1000Core.job
    [2011/03/15 19:38:42 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/03/15 19:38:42 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/03/14 18:07:57 | 000,110,593 | RHS- | M] () -- C:\Users\user1\AppData\Roaming\smss.exe
    [2011/03/13 17:36:53 | 000,000,366 | ---- | M] () -- C:\Windows\hegames.ini
    [2011/03/12 16:20:57 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
    [2011/03/10 18:58:31 | 000,001,437 | ---- | M] () -- C:\Users\user1\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/03/10 16:39:23 | 000,081,920 | RHS- | M] () -- C:\Users\user1\AppData\Roaming\udBiHCHyK.exe
    [2011/03/10 16:04:03 | 000,080,896 | RHS- | M] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\winlogon.exe
    [2011/03/10 16:04:03 | 000,080,896 | RHS- | M] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\ctfmon.exe
    [2011/03/04 19:53:45 | 000,921,624 | ---- | M] () -- C:\img2-001.raw
    [2011/03/01 20:33:26 | 004,313,544 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2011/03/01 00:26:38 | 001,228,276 | RH-- | M] () -- C:\ProgramData\test.exe
    [2011/02/25 19:27:26 | 000,413,696 | ---- | M] () -- C:\Users\user1\AppData\Roaming\gay1exeJust got my facebook 'dislike' button! www.facebookdislikebutton.tk
    [2011/02/16 20:25:33 | 000,000,929 | ---- | M] () -- C:\Users\user1\Application Data\Microsoft\Internet Explorer\Quick Launch\SimPE.lnk
    [2011/02/16 19:57:06 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
    [2011/02/16 19:57:02 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
    [2011/02/14 19:10:20 | 000,001,975 | ---- | M] () -- C:\Users\user1\Desktop\MapleSyrup.lnk
    [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/03/16 18:25:11 | 000,001,381 | ---- | C] () -- C:\Users\user1\AppData\Roaming\fag.exe - Shortcut.lnk
    [2011/03/15 23:37:48 | 000,014,848 | -H-- | C] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rundll32.dll
    [2011/03/15 23:17:22 | 000,638,976 | ---- | C] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe
    [2011/03/15 22:08:57 | 000,213,442 | -H-- | C] () -- C:\Users\user1\ctfmon.exe
    [2011/03/14 20:05:44 | 000,057,783 | ---- | C] () -- C:\Users\user1\AppData\Roaming\data.dat
    [2011/03/14 18:07:57 | 000,110,593 | RHS- | C] () -- C:\Users\user1\AppData\Roaming\smss.exe
    [2011/03/13 00:49:25 | 000,000,823 | ---- | C] () -- C:\Windows\SysWow64\mail.dat
    [2011/03/13 00:49:18 | 000,000,749 | ---- | C] () -- C:\Windows\SysWow64\mess.dat
    [2011/03/10 19:00:49 | 459,362,330 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2011/03/10 18:58:31 | 000,001,443 | ---- | C] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    [2011/03/10 16:39:28 | 000,081,920 | RHS- | C] () -- C:\Users\user1\AppData\Roaming\udBiHCHyK.exe
    [2011/03/04 19:53:45 | 000,921,624 | ---- | C] () -- C:\img2-001.raw
    [2011/03/01 00:26:38 | 001,228,276 | RH-- | C] () -- C:\ProgramData\test.exe
    [2011/02/25 19:27:22 | 000,413,696 | ---- | C] () -- C:\Users\user1\AppData\Roaming\gay1exeJust got my facebook 'dislike' button! www.facebookdislikebutton.tk
    [2011/02/16 20:25:33 | 000,000,929 | ---- | C] () -- C:\Users\user1\Application Data\Microsoft\Internet Explorer\Quick Launch\SimPE.lnk
    [2011/02/16 19:57:06 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
    [2011/02/16 19:57:02 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
    [2011/02/14 19:30:10 | 000,039,424 | ---- | C] () -- C:\Windows\SysWow64\rpiAccessProcess.dll
    [2011/02/14 19:30:03 | 000,044,752 | ---- | C] () -- C:\Windows\SysWow64\FMDROP32.OCX
    [2011/02/13 23:33:35 | 000,000,037 | ---- | C] () -- C:\Windows\wmvtoiPodconverter.ini
    [2011/02/13 23:32:04 | 000,003,584 | ---- | C] () -- C:\Users\user1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/02/13 23:31:29 | 000,000,001 | ---- | C] () -- C:\Windows\SysWow64\SysWMVtoiPod.dat
    [2011/01/04 20:29:58 | 000,000,002 | ---- | C] () -- C:\Program Files (x86)\mssbextcxml.bmp
    [2010/12/24 21:37:53 | 000,352,260 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
    [2010/10/13 19:43:17 | 001,970,176 | ---- | C] () -- C:\Windows\SysWow64\d3dx9.dll
    [2010/09/17 19:17:02 | 000,002,888 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
    [2010/09/01 15:35:55 | 000,000,218 | ---- | C] () -- C:\Windows\iepreview.ini
    [2010/07/15 18:28:01 | 000,000,256 | ---- | C] () -- C:\Windows\SysWow64\pool.bin
    [2010/06/22 20:20:16 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\CmdLineExt03.dll
    [2010/06/10 14:46:08 | 001,429,461 | ---- | C] () -- C:\ProgramData\mugen2.exe
    [2010/06/06 20:38:29 | 000,730,638 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2010/06/06 20:07:05 | 000,168,121 | ---- | C] () -- C:\Windows\hpoins37.dat
    [2010/05/26 18:07:22 | 000,000,366 | ---- | C] () -- C:\Windows\hegames.ini
    [2010/04/12 21:17:38 | 000,066,920 | ---- | C] () -- C:\Windows\SysWow64\CMListControl.dll
    [2010/04/11 19:45:49 | 000,163,840 | ---- | C] () -- C:\Windows\SysWow64\RC_Err_Info.dll
    [2010/04/10 20:37:00 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
    [2010/04/10 20:16:25 | 000,007,604 | ---- | C] () -- C:\Users\user1\AppData\Local\Resmon.ResmonCfg
    [2010/03/19 16:53:33 | 000,000,026 | ---- | C] () -- C:\Windows\Irremote.ini
    [2010/03/19 15:54:28 | 000,000,064 | ---- | C] () -- C:\ProgramData\sandra.ldb
    [2010/03/18 02:18:02 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
    [2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
    [2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
    [2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
    [2009/07/08 10:40:39 | 000,000,632 | ---- | C] () -- C:\Windows\hpomdl37.dat
    [2009/06/26 18:24:18 | 000,015,498 | ---- | C] () -- C:\Windows\VX1000.ini
    [2009/06/19 20:06:22 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll
    [2009/06/19 20:06:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll
    [2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
    [2009/01/23 10:33:22 | 000,214,352 | ---- | C] () -- C:\Windows\FileboxDownloader.exe
    [2009/01/05 16:44:10 | 000,053,248 | ---- | C] () -- C:\Windows\bdoscandel.exe
    [2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
    [2008/10/22 05:29:06 | 000,173,550 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

    ========== LOP Check ==========

    [2010/11/01 19:56:07 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\2K Sports
    [2010/04/09 16:35:33 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\acccore
    [2010/06/22 20:19:08 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Atari
    [2011/03/12 17:04:28 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Audacity
    [2011/01/17 00:42:57 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Blackberry Desktop
    [2011/01/28 12:10:58 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Cyberduck
    [2011/01/11 12:06:40 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\DiskAid
    [2011/02/13 22:52:11 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\DVDVideoSoft
    [2010/11/10 23:14:31 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\DVDVideoSoftIEHelpers
    [2011/03/14 19:32:02 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\fag.exe
    [2010/05/28 19:29:36 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\GetRightToGo
    [2011/03/10 18:03:48 | 000,000,000 | RHSD | M] -- C:\Users\user1\AppData\Roaming\install
    [2010/06/22 20:12:39 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Leadertech
    [2011/01/25 16:07:45 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\LolClient
    [2011/02/03 17:36:59 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\MySQL
    [2011/01/28 12:35:14 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\NCH Swift Sound
    [2010/06/15 17:24:54 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Nexon
    [2010/06/13 20:42:50 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\ooVoo Details
    [2010/06/13 20:40:31 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\oovooinstaller
    [2010/07/15 18:36:48 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Research In Motion
    [2010/05/15 12:41:10 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Sports Interactive
    [2010/06/03 18:41:07 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\StepMania 4
    [2011/03/10 17:55:14 | 000,000,000 | RHSD | M] -- C:\Users\user1\AppData\Roaming\sysanalizer
    [2011/01/17 13:13:24 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\TeamViewer
    [2011/03/16 18:49:44 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\uTorrent
    [2010/05/20 20:14:57 | 000,000,000 | ---D | M] -- C:\Users\user1\AppData\Roaming\Western Digital
    [2011/01/28 12:11:18 | 000,000,000 | -HSD | M] -- C:\Users\user1\AppData\Roaming\wyUpdate AU
    [2011/03/09 19:29:53 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2007/07/10 09:38:00 | 000,421,888 | ---- | M] () -- C:\activate-add-on.exe
    [2007/12/09 14:56:08 | 000,000,000 | -HS- | M] () -- C:\AUTOEXEC.BAT
    [2007/12/09 14:50:43 | 000,000,211 | -H-- | M] () -- C:\Boot.BAK
    [2009/07/26 17:39:41 | 000,000,355 | RHS- | M] () -- C:\Boot.ini.saved
    [2010/11/20 08:40:07 | 000,383,786 | RHS- | M] () -- C:\bootmgr
    [2010/03/18 03:13:19 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
    [2007/12/09 14:56:08 | 000,000,000 | -HS- | M] () -- C:\CONFIG.SYS
    [2010/11/09 20:53:35 | 000,006,141 | ---- | M] () -- C:\default.txt
    [2010/11/09 20:53:25 | 002,878,976 | ---- | M] () -- C:\fsg-4_3.exe
    [2009/08/02 10:59:51 | 000,171,136 | RHS- | M] () -- C:\grldr
    [2009/08/02 10:59:51 | 000,171,136 | ---- | M] () -- C:\grldr.bak
    [2008/07/19 17:30:56 | 000,000,000 | ---- | M] () -- C:\HDDVD.txt
    [2011/03/16 18:28:55 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
    [2011/03/04 19:53:45 | 000,921,624 | ---- | M] () -- C:\img2-001.raw
    [2007/12/09 14:56:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/01/13 19:19:50 | 000,000,705 | -H-- | M] () -- C:\IPH.PH
    [2005/08/31 19:05:50 | 000,078,882 | ---- | M] () -- C:\Lib4_End-2.PNG
    [2005/08/31 19:06:16 | 000,099,354 | ---- | M] () -- C:\Lib5_End-5.PNG
    [2005/08/31 19:06:34 | 000,094,106 | ---- | M] () -- C:\Lib6_Undernet-4.PNG
    [2005/08/31 19:06:50 | 000,085,904 | ---- | M] () -- C:\Lib7_Nebula-1.PNG
    [2005/08/31 19:07:10 | 000,097,996 | ---- | M] () -- C:\Lib8_Nebula-3.PNG
    [2005/08/31 19:07:32 | 000,077,504 | ---- | M] () -- C:\Lib9_Nebula-5.PNG
    [2011/03/14 20:38:55 | 000,004,010 | ---- | M] () -- C:\mbam-log-2011-03-14 (20-38-48).txt
    [2006/12/01 23:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
    [2007/12/09 14:56:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006/02/28 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/08/31 13:02:53 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/03/16 18:29:05 | 2145,902,592 | -HS- | M] () -- C:\pagefile.sys
    [2010/11/09 20:57:42 | 000,000,104 | ---- | M] () -- C:\settings.ini

    < %systemroot%\Fonts\*.com >
    [2009/07/14 01:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/14 01:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/14 01:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/14 01:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 16:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2009/07/10 12:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2011/02/23 22:35:44 | 000,126,976 | RHS- | M] (Cush) -- C:\Users\user1\AppData\Roaming\Microsoft\svchosts.exe

    < %PROGRAMFILES%\*.* >
    [2009/07/14 00:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini
    [2011/01/04 20:29:58 | 000,000,002 | ---- | M] () -- C:\Program Files (x86)\mssbextcxml.bmp

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/03/10 18:58:31 | 000,000,221 | -HS- | M] () -- C:\Users\user1\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/03/16 18:33:32 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\user1\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >
    [2009/06/26 18:24:18 | 000,013,023 | ---- | M] () -- C:\Windows\VX1000.src
    [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >
    [2011/03/15 22:08:59 | 000,213,442 | -H-- | M] () -- C:\Users\user1\ctfmon.exe

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 17:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >
     

  4. 2011/03/16
    impedrolee

    impedrolee Inactive Thread Starter

    Joined:
    2011/03/14
    Messages:
    19
    Likes Received:
    0
    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2011/03/05 09:46:52 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
    [2011/03/05 09:46:52 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
    [2011/03/03 20:23:53 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
    [2011/03/03 20:23:54 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
    [2011/03/05 09:46:52 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/03/10 18:58:30 | 000,000,402 | -HS- | M] () -- C:\Users\user1\Favorites\desktop.ini
    [2011/02/16 20:10:37 | 000,000,290 | ---- | M] () -- C:\Users\user1\Favorites\NCH Software Download Site.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2010/10/07 17:50:34 | 000,002,237 | ---- | M] () -- C:\ProgramData\hpzinstall.log
    [2010/06/10 14:46:20 | 001,429,461 | ---- | M] () -- C:\ProgramData\mugen2.exe
    [2010/03/19 15:54:45 | 000,000,064 | ---- | M] () -- C:\ProgramData\sandra.ldb
    [2011/03/01 00:26:38 | 001,228,276 | RH-- | M] () -- C:\ProgramData\test.exe
    [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    ========== Files - Unicode (All) ==========
    [2010/05/19 21:38:22 | 000,182,985 | ---- | M] ()(C:\Users\user1\Documents\???+-+????(Piano+Solo).pdf) -- C:\Users\user1\Documents\김범수+-+보고싶다(Piano+Solo).pdf
    [2010/05/19 21:38:20 | 000,182,985 | ---- | C] ()(C:\Users\user1\Documents\???+-+????(Piano+Solo).pdf) -- C:\Users\user1\Documents\김범수+-+보고싶다(Piano+Solo).pdf

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 156 bytes -> C:\ProgramData\Temp:10151AE6

    < End of report >
     
  5. 2011/03/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      PRC - [2011/03/15 23:17:20 | 000,638,976 | ---- | M] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe
      PRC - [2011/03/15 22:08:59 | 000,213,442 | -H-- | M] () -- C:\Users\user1\ctfmon.exe
      O4 - HKLM..\Run: [MSWUpdate] File not found
      O4 - HKLM..\Run: [SVC Host] File not found
      O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [46335] C:\Users\user1\ctfmon.exe ()
      O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [ctfmon] C:\Users\user1\ctfmon.exe ()
      O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [MSWUpdate] File not found
      O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [SVC Host] File not found
      O4 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000..\Run: [Windows Updater] File not found
      O4 - Startup: C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe ()
      O4 - Startup: C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rundll32.dll ()
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: SVC Host = C:\Users\user1\AppData\Roaming\svchost.exe
      O15 - HKU\S-1-5-21-4075034839-4242574894-474356320-1000\..Trusted Domains: ichotelsgroup.com ([secure] https in Trusted sites)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O20 - HKLM Winlogon: Shell - ( "C:\Users\user1\AppData\Roaming\lsass.exe ") - File not found
      O33 - MountPoints2\{659daa32-5f4d-11df-8211-001d7d002fa4}\Shell - " " = AutoRun
      O33 - MountPoints2\{659daa32-5f4d-11df-8211-001d7d002fa4}\Shell\AutoRun\command - " " =  "F:\WD SmartWare.exe" autoplay=true
      O33 - MountPoints2\{68de001a-2a3a-11e0-a77f-001d7d002fa4}\Shell - " " = AutoRun
      O33 - MountPoints2\{68de001a-2a3a-11e0-a77f-001d7d002fa4}\Shell\AutoRun\command - " " = E:\Autorun.exe
      O33 - MountPoints2\{f8c5f8f7-ba86-11df-a6c8-001d7d002fa4}\Shell - " " = AutoRun
      O33 - MountPoints2\{f8c5f8f7-ba86-11df-a6c8-001d7d002fa4}\Shell\AutoRun\command - " " = G:\LaunchU3.exe
      O33 - MountPoints2\E\Shell - " " = AutoRun
      O33 - MountPoints2\E\Shell\AutoRun\command - " " = E:\Autorun.exe
      O33 - MountPoints2\F\Shell - " " = AutoRun
      O33 - MountPoints2\F\Shell\AutoRun\command - " " = F:\RunGame.exe
      [2011/03/14 19:32:02 | 000,000,000 | ---D | C] -- C:\Users\user1\AppData\Roaming\fag.exe
      [2011/03/01 20:41:18 | 000,000,000 | RHSD | C] -- C:\Users\user1\AppData\Roaming\install
      [2011/03/01 00:26:39 | 000,000,000 | RHSD | C] -- C:\Windows\SysWow64\install
      [2011/02/25 18:33:53 | 000,080,896 | RHS- | C] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\winlogon.exe
      [2011/02/25 18:33:53 | 000,080,896 | RHS- | C] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\ctfmon.exe
      [2009/07/13 16:46:42 | 001,169,224 | ---- | C] (Microsoft Corporation) -- C:\Users\user1\AppData\Roaming\flyryan.exe
      [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
      [3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
      [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
      [2011/03/14 18:07:57 | 000,110,593 | RHS- | M] () -- C:\Users\user1\AppData\Roaming\smss.exe
      [2011/03/10 16:39:23 | 000,081,920 | RHS- | M] () -- C:\Users\user1\AppData\Roaming\udBiHCHyK.exe
      @Alternate Data Stream - 156 bytes -> C:\ProgramData\Temp:10151AE6
      
      :Services
      
      :Reg
      
      :Files
      C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe
      C:\Users\user1\ctfmon.exe
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.
     
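As an added example that is not part of OTL and not from anyone in the thread, here is a Python parser for the OTL file-line format seen in the log above, with checks for the pattern behind most entries in this fix: a Windows system binary name (or one a single character off it) outside the Windows directory, hidden/system attributes on an executable in a user directory, and executables dropped in the Startup folder. The sample lines are copied from the posted log; the system-name list and the rule wording are my own assumptions.

```python
"""Parse OTL file lines and flag binaries masquerading as Windows system files."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL file line: [stamp | size | attrs | M/C] (company) -- path   (directories omit "(company)")
LINE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\]"
    r"(?: \((?P<company>.*)\))? -- (?P<path>.+)$"
)
# Names Windows ships only under its own directories (assumed list).
SYSTEM_NAMES = {"winlogon.exe", "ctfmon.exe", "smss.exe", "lsass.exe",
                "svchost.exe", "csrss.exe", "services.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                "c:\\windows\\sysnative")
EXE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

# Sample lines copied from the OTL log posted in the thread.
SAMPLE_LOG = r"""
[2011/02/25 18:33:53 | 000,080,896 | RHS- | C] (CVPTXVZFL) -- C:\Users\user1\AppData\Roaming\winlogon.exe
[2011/03/14 18:07:57 | 000,110,593 | RHS- | M] () -- C:\Users\user1\AppData\Roaming\smss.exe
[2011/03/15 22:08:59 | 000,213,442 | -H-- | M] () -- C:\Users\user1\ctfmon.exe
[2011/02/23 22:35:44 | 000,126,976 | RHS- | M] (Cush) -- C:\Users\user1\AppData\Roaming\Microsoft\svchosts.exe
[2011/03/15 23:17:20 | 000,638,976 | ---- | M] () -- C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66555.exe
[2011/03/16 18:33:29 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\user1\Desktop\OTL.exe
[2011/03/14 19:34:46 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/03/14 19:34:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
"""

@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str     # R read-only, H hidden, S system, D directory, - unset
    kind: str      # M modified, C created
    company: str
    path: str

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL file line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m.group("stamp"), int(m.group("size").replace(",", "")),
                 m.group("attrs"), m.group("kind"), m.group("company") or "",
                 m.group("path"))

def one_edit_away(a: str, b: str) -> bool:
    """True when exactly one insert, delete or substitution turns a into b."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                   # deletion from a
        elif len(a) < len(b):
            j += 1                   # insertion into a
        else:
            i, j = i + 1, j + 1      # substitution
    return edits + (len(a) - i) + (len(b) - j) == 1

def suspicious(e: Entry) -> List[str]:
    """Reasons an entry looks like a dropped or masquerading binary."""
    reasons: List[str] = []
    if "D" in e.attrs:
        return reasons               # directories: nothing to judge here
    low = e.path.lower()
    name, directory = ntpath.basename(low), ntpath.dirname(low)
    in_windows = directory == "c:\\windows" or directory.startswith(WINDOWS_DIRS)
    is_exe = name.endswith(EXE_SUFFIXES)
    if name in SYSTEM_NAMES and not in_windows:
        reasons.append("system binary name outside a Windows directory")
    elif is_exe and any(one_edit_away(name, s) for s in SYSTEM_NAMES):
        reasons.append("name is one character off a Windows system binary")
    if is_exe and not in_windows and ("H" in e.attrs or "S" in e.attrs):
        reasons.append("hidden/system attributes on an executable outside Windows")
    if is_exe and "\\start menu\\programs\\startup\\" in low:
        reasons.append("executable dropped in the Startup folder")
    if is_exe and "\\appdata\\roaming\\" in low and not e.company:
        reasons.append("no publisher name on an executable under AppData\\Roaming")
    return reasons

def scan(report: str) -> Dict[str, List[str]]:
    """Map each flagged path in an OTL report to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in report.splitlines():
        entry = parse_line(line)
        reasons = suspicious(entry) if entry is not None else []
        if reasons:
            findings[entry.path] = reasons
    return findings
```

Run `scan(SAMPLE_LOG)` on the sample: the five fake system files and the Startup-folder dropper are flagged, while OTL.exe, the Malwarebytes driver and the directory entry are not.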
  6. 2011/03/16
    impedrolee

    impedrolee Inactive Thread Starter

    Joined:
    2011/03/14
    Messages:
    19
    Likes Received:
    0
    **** that gave me a BSOD as well.. -_-
     
  7. 2011/03/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Try to run the above fix from Safe Mode.
    We're dealing here with a serious infection, so it may take a while.
     
  8. 2011/03/17
    impedrolee

    impedrolee Inactive Thread Starter

    Joined:
    2011/03/14
    Messages:
    19
    Likes Received:
    0
    Like I said before, Safe Mode doesn't work. It goes into Video Mode Not Supported until I restart my computer to go into Normal Mode. I've tried many, MANY times now.
     
  9. 2011/03/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  10. 2011/03/18
    impedrolee

    impedrolee Inactive Thread Starter

    Joined:
    2011/03/14
    Messages:
    19
    Likes Received:
    0
    That didn't work either. It would say loading REATOGO-X-PE and load all the way and just sit there and not do anything.
     
  11. 2011/03/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, try again.
    If still a problem, try to boot another working computer from the very same CD, just to see if the CD is working properly.
     
  12. 2011/03/22
    impedrolee

    impedrolee Inactive Thread Starter

    Joined:
    2011/03/14
    Messages:
    19
    Likes Received:
    0
    It's just this computer. Works on others
     
  13. 2011/03/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You may have some other issues on top of a severe infection.

    Run hard drive diagnostics: http://www.tacktech.com/display.cfm?ttid=287 (or http://www.bleepingcomputer.com/forums/index.php?showtopic=28744&hl=hard+drive+diagnostic)
    Make sure you select the tool which is appropriate for the brand of your hard drive.
    Depending on the program, it'll create a bootable floppy or a bootable CD.
    If the downloaded file is of .iso type, use ImgBurn: http://www.imgburn.com/ to burn the .iso file to a CD (select the "Write image file to disc" option) to make the CD bootable.
    For Toshiba hard drives, see here: http://sdd.toshiba.com/main.aspx?Pa...rivesUSandCanada/SoftwareUtilities#diagnostic

    Note : If you do not know how to set your computer to boot from CD follow the steps HERE
     