1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Run DLL as an App

Discussion in 'Malware and Virus Removal Archive' started by Matthew2011, 2011/05/15.

Page 2 of 2
  1. 2011/05/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ====================================================

    Download, and install Quick Startup: http://www.glarysoft.com/qs.html
    Go File>Export, save report, and paste it into your next post.


    ....and Eset scan...
     
    broni,
    #21
  2. 2011/05/18
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    Here are the ESET results

    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\Program Files\QuickTime\qttask.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
    C:\Qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
    C:\Qoobox\Quarantine\C\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
    C:\Qoobox\Quarantine\C\Program Files\Messenger\msmsgs.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
    C:\Qoobox\Quarantine\C\Program Files\Synaptics\SynTP\SynTPLpr.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP52\A0017875.rbf Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0018875.rbf Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0020962.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0020963.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0020964.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0020965.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0020966.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP54\A0021043.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021138.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021140.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021141.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021144.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021146.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021147.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021148.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021151.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021152.exe Win32/TrojanDownloader.Unruy.BN trojan
    C:\System Volume Information\_restore{82031A01-7667-41B1-BCCC-5218023A2438}\RP55\A0021153.exe Win32/TrojanDownloader.Unruy.BN trojan
     
    Matthew2011,
    #22


  3. to hide this advert.

  4. 2011/05/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    ...and QuickStartup...
     
    broni,
    #23
  5. 2011/05/18
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    Quick Start log

    Startup List report created on 5/18/2011 by Startup Manager


    Name: StartCCC
    Path: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: SoundMAXPnP
    Path: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: PSUNMain
    Path: "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: PWRMGRTR
    Path: rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: SynTPLpr
    Path: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: SynTPEnh
    Path: %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: MP10_EnsureFileVer
    Path: C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Adobe Reader Speed Launcher
    Path: "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Adobe ARM
    Path: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: KernelFaultCheck
    Path: %systemroot%\system32\dumprep 0 -k
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: SunJavaUpdateSched
    Path: "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: AttachmentWiperwebmail.kroll.com
    Path: "C:\Documents and Settings\Per Scholas\IAG Remote Access Agent\webmailkrollcom\krollwebmail1\AttachmentWiper.exeBatchRun\run.bat "
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: ctfmon.exe
    Path: C:\WINDOWS\system32\ctfmon.exe
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: McAfee Security Scan Plus
    Path: C:\PROGRA~1\MCAFEE~1\20DEB9~1.181\SSSCHE~1.EXE
    Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Status: Enabled
    ------------------------------------------------------------------------------------------

    Name: Windows Search
    Path: C:\PROGRA~1\WI459E~1\WINDOW~1.EXE /startup
    Location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Status: Enabled
    ------------------------------------------------------------------------------------------
    Total 15 Items
     
    Matthew2011,
    #24
  6. 2011/05/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Re-run QuickStartup and UN-check PWRMGRTR.
    Restart computer and let me know, if the error is gone.
     
    broni,
    #25
  7. 2011/05/18
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    so I stopped the power manager as well as SynTPEnh, which Quickstart identified as an invalid entry.

    Shut down and re-started and the error message is gone.

    the terminal window still appears on startup. But I can close it and it goes away without protest

    I suppose the final challenge is that the battery icon is gone from my tray. Cna I jut re-install from the Control panel?

    lastly, no worries about the 25 trojans that ESET seemed to identify?

    thanks again for guiding me through this.
     
    Matthew2011,
    #26
  8. 2011/05/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll take care of those in a moment.

    Can you describe it one more time.
    Maybe a screenshot?
     
    broni,
    #27
  9. 2011/05/19
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    It's the same window that would appear if you entered start>run and typed "cmd "

    except when the black box pops up, there is no text in in the box
     
    Matthew2011,
    #28
  10. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Let's disable few more unneeded startups.

    Re-run QuickStartup and UN-check:

    AttachmentWiperwebmail.kroll.com
    SunJavaUpdateSched
    KernelFaultCheck
    Adobe ARM
    StartCCC

    Restart computer.

    How is the issue now?
     
    broni,
    #29
  11. 2011/05/19
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    Thanks, that seems to do the trick.

    just the Trojans lurking in the back of my mind.

    Regards
     
    Matthew2011,
    #30
  12. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)

    Run OTL
    • Under the [color= "#0000FF"]Custom Scans/Fixes[/color] box at the bottom, paste in the following

      Code:
      :OTL

:Services

:Reg

:Files
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe 
C:\Program Files\QuickTime\qttask.exe

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
    • Then click the [color= "#FF0000"]Run Fix[/color] button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

    =====================================================

    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
    broni,
    #31
  13. 2011/05/19
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    third OTL log

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe moved successfully.
    C:\Program Files\QuickTime\qttask.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33237 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Per Scholas
    ->Temp folder emptied: 15333 bytes
    ->Temporary Internet Files folder emptied: 1087018 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 72070371 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 1552 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 168 bytes

    Total Files Cleaned = 70.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Per Scholas
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 05192011_215732

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
    Matthew2011,
    #32
  14. 2011/05/19
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    Quick Scan OTL log

    OTL logfile created on: 5/19/2011 10:04:04 PM - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Per Scholas\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 474.00 Mb Available Physical Memory | 46.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 60.40 Gb Free Space | 81.04% Space Free | Partition Type: NTFS

    Computer Name: YOUR-5B2FA73835 | User Name: Per Scholas | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/05/17 22:15:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Per Scholas\Desktop\OTL.exe
    PRC - [2011/04/14 12:25:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2011/02/24 09:36:15 | 000,423,232 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
    PRC - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2010/12/16 19:19:34 | 000,140,608 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
    PRC - [2010/08/05 09:46:02 | 000,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    PRC - [2010/05/12 04:25:00 | 000,132,456 | ---- | M] (Lenovo.) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
    PRC - [2010/05/12 04:25:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
    PRC - [2010/03/05 02:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    PRC - [2009/12/14 18:03:41 | 000,149,904 | ---- | M] (Microsoft ® Corporation) -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
    PRC - [2009/09/25 16:16:06 | 000,093,960 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    PRC - [2009/03/11 01:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2009/02/27 10:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    PRC - [2009/02/27 09:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    PRC - [2009/02/27 09:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    PRC - [2008/08/21 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
    PRC - [2004/10/14 12:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    PRC - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/05/17 22:15:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Per Scholas\Desktop\OTL.exe
    MOD - [2011/03/09 16:54:14 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
    MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/02/16 15:49:08 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2011/01/02 23:09:27 | 000,468,368 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\DOWNLO~1\DMService.exe -- (DMService)
    SRV - [2010/12/16 19:19:34 | 000,140,608 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe -- (NanoServiceMain)
    SRV - [2010/08/05 09:46:02 | 000,583,640 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
    SRV - [2010/05/12 04:25:00 | 000,132,456 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE -- (DozeSvc)
    SRV - [2010/05/12 04:25:00 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
    SRV - [2010/03/05 02:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2009/12/14 18:03:41 | 000,149,904 | ---- | M] (Microsoft ® Corporation) [Auto | Start_Pending] -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe -- (uagqecsvc)
    SRV - [2009/09/25 16:16:06 | 000,093,960 | ---- | M] (Sling Media Inc.) [Auto | Running] -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService)
    SRV - [2009/02/27 10:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
    SRV - [2009/02/27 09:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
    SRV - [2009/02/27 09:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
    SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
    SRV - [2002/09/20 17:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


    ========== Driver Services (SafeList) ==========

    DRV - [2010/12/16 19:12:59 | 000,113,096 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINProt.sys -- (PSINProt)
    DRV - [2010/12/16 19:12:51 | 000,111,944 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINProc.sys -- (PSINProc)
    DRV - [2010/12/16 19:12:42 | 000,130,376 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PSINKNC.sys -- (PSINKNC)
    DRV - [2010/12/16 19:12:34 | 000,097,352 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINFile.sys -- (PSINFile)
    DRV - [2010/12/16 19:12:26 | 000,141,768 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINAflt.sys -- (PSINAflt)
    DRV - [2010/05/12 04:25:00 | 000,024,304 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\DozeHDD.sys -- (DozeHDD)
    DRV - [2010/05/12 04:25:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
    DRV - [2009/11/12 17:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/09/29 19:06:14 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2008/12/10 13:56:18 | 000,187,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2008/08/13 20:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
    DRV - [2008/01/07 17:36:16 | 002,216,064 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
    DRV - [2005/10/10 00:35:28 | 000,017,792 | ---- | M] (Winbond Electronics Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (TPM)
    DRV - [2005/01/25 18:27:14 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2005/01/25 18:26:36 | 000,207,616 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2005/01/25 18:26:28 | 000,703,616 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo "
    FF - prefs.js..browser.search.order.1: "Yahoo "
    FF - prefs.js..browser.search.order.2: " "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/ "
    FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3.1
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..network.proxy.type: 0


    FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/18 16:31:50 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/15 13:03:15 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/15 13:17:06 | 000,000,000 | ---D | M]

    [2010/08/16 14:19:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Per Scholas\Application Data\Mozilla\Extensions
    [2011/05/14 07:45:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Per Scholas\Application Data\Mozilla\Firefox\Profiles\jl0ft643.default\extensions
    [2010/10/26 17:02:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Per Scholas\Application Data\Mozilla\Firefox\Profiles\jl0ft643.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/05/18 23:01:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/02/05 14:57:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/05/14 07:31:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011/05/18 23:01:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    File not found (No name found) --
    [2011/02/05 14:56:52 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/05/18 16:31:50 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
    [2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
    [2011/04/14 05:08:00 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

    O1 HOSTS File: ([2011/05/16 21:48:49 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PSUNMain] C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe (Panda Security, S.L.)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} https://webmail.kroll.com/InternalSite/WhlCompMgr.cab (Forefront UAG endpoint components)
    O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab (Java Plug-in 1.6.0_25)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Per Scholas\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Per Scholas\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/08/13 18:44:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/05/19 06:51:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Per Scholas\Start Menu\Programs\Administrative Tools
    [2011/05/18 23:05:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quick Startup
    [2011/05/18 23:05:17 | 000,000,000 | ---D | C] -- C:\Program Files\Quick Startup
    [2011/05/18 23:05:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per Scholas\Application Data\GlarySoft
    [2011/05/18 23:02:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2011/05/18 21:59:48 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2011/05/18 08:44:37 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/05/17 23:04:29 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2011/05/17 22:15:56 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Per Scholas\Desktop\OTL.exe
    [2011/05/16 21:42:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/05/16 21:38:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/05/16 21:38:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/05/16 21:38:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/05/16 21:38:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/05/16 21:37:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/05/16 21:36:25 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/05/15 23:17:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per Scholas\Desktop\Virus Resolution
    [2011/05/15 20:28:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per Scholas\Application Data\Malwarebytes
    [2011/05/15 20:27:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/05/15 20:27:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/05/15 20:27:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/05/15 20:27:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/05/15 20:27:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/05/15 13:26:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Per Scholas\Desktop\Audacity Files
    [2011/05/15 13:10:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
    [2011/05/15 13:10:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
    [2011/05/15 13:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
    [2011/05/12 22:03:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2011/05/10 18:33:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2011/05/10 18:33:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2011/05/08 21:47:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/05/08 21:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/05/08 10:00:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

    ========== Files - Modified Within 30 Days ==========

    [2011/05/19 22:08:05 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/05/19 22:04:21 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/05/19 22:01:06 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/05/19 22:00:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/05/19 22:00:32 | 1072,156,672 | -HS- | M] () -- C:\hiberfil.sys
    [2011/05/18 23:05:18 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\Per Scholas\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Startup.lnk
    [2011/05/18 17:09:19 | 000,000,486 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Per Scholas.job
    [2011/05/17 22:15:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Per Scholas\Desktop\OTL.exe
    [2011/05/17 06:47:42 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\5bLcc1ta1.dat
    [2011/05/16 21:48:49 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/05/16 21:42:39 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/05/16 21:30:08 | 004,349,551 | R--- | M] () -- C:\Documents and Settings\Per Scholas\Desktop\ComboFix.exe
    [2011/05/15 13:51:01 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/05/15 13:17:08 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
    [2011/05/15 13:08:41 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
    [2011/05/15 13:03:20 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Per Scholas\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/05/15 13:03:20 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2011/05/15 12:57:55 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
    [2011/05/15 12:57:55 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\Per Scholas\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
    [2011/05/08 21:37:03 | 000,133,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/05/08 21:28:23 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/05/08 21:23:59 | 000,527,076 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/05/08 21:23:59 | 000,096,766 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/05/08 10:29:18 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Per Scholas\Desktop\Microsoft Office Word 2003.lnk
    [2011/05/03 22:51:40 | 000,394,564 | ---- | M] () -- C:\Documents and Settings\Per Scholas\Desktop\NYSED ELA Test Manual.pdf

    ========== Files Created - No Company Name ==========

    [2011/05/18 23:05:18 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\Per Scholas\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Startup.lnk
    [2011/05/17 06:47:42 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5bLcc1ta1.dat
    [2011/05/16 21:42:39 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/05/16 21:42:34 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/05/16 21:38:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/05/16 21:38:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/05/16 21:38:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/05/16 21:38:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/05/16 21:38:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/05/16 21:30:01 | 004,349,551 | R--- | C] () -- C:\Documents and Settings\Per Scholas\Desktop\ComboFix.exe
    [2011/05/15 13:17:08 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
    [2011/05/15 13:17:08 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
    [2011/05/15 13:03:19 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
    [2011/05/15 12:57:55 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
    [2011/05/03 22:51:40 | 000,394,564 | ---- | C] () -- C:\Documents and Settings\Per Scholas\Desktop\NYSED ELA Test Manual.pdf
    [2011/03/06 18:10:42 | 000,022,268 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2011/03/02 08:43:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/01/30 12:37:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\setup32.INI
    [2010/12/05 12:00:26 | 000,037,336 | ---- | C] () -- C:\WINDOWS\System32\CleanMFT32.exe
    [2010/11/28 19:19:13 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
    [2010/10/25 21:03:28 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/10/22 20:24:59 | 000,354,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/10/20 13:18:46 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2010/08/16 17:21:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2010/08/16 14:51:55 | 000,196,608 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
    [2010/08/16 14:51:54 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
    [2010/08/16 14:40:07 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2010/08/16 14:35:51 | 000,000,264 | ---- | C] () -- C:\WINDOWS\System32\PSUNCpl.dat
    [2010/08/16 14:19:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2010/08/13 19:33:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2010/08/13 18:58:59 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2010/08/13 18:58:59 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2010/08/13 18:58:58 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2010/08/13 18:46:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/08/13 18:42:01 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/08/13 18:30:07 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2010/08/13 18:30:06 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2010/08/13 18:30:06 | 000,527,076 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/08/13 18:30:06 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2010/08/13 18:30:06 | 000,096,766 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/08/13 18:30:06 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2010/08/13 18:30:06 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2010/08/13 18:30:05 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2010/08/13 18:30:05 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2010/08/13 18:30:05 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2010/08/13 18:29:56 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2010/08/13 18:29:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2010/08/13 11:36:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/08/13 11:35:46 | 000,133,280 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/05/27 00:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/27 00:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2007/09/27 13:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 13:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 13:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2003/06/24 17:43:48 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
    [2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2010/10/26 17:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
    [2010/08/16 14:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
    [2010/08/16 14:28:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media
    [2011/05/15 21:00:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/10/26 17:19:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per Scholas\Application Data\Canneverbe Limited
    [2011/05/18 23:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per Scholas\Application Data\GlarySoft
    [2010/08/16 14:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per Scholas\Application Data\ooVoo Details
    [2010/08/16 14:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per Scholas\Application Data\Panda Security
    [2010/10/21 11:56:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per Scholas\Application Data\Windows Desktop Search
    [2011/01/23 14:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Per Scholas\Application Data\Windows Search
    [2011/05/15 13:08:41 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

    ========== Purity Check ==========



    < End of report >
     
    Matthew2011,
    #33
  15. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's incorrect log.
    You clicked on "Scan" button instead of "Run Fix" button.
     
    broni,
    #34
  16. 2011/05/19
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    Not sure what happened, can I recreate?

    here is the latest log

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Per Scholas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 12973974 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 12.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Per Scholas
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.22.3 log created on 05192011_221507

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
    Matthew2011,
    #35
  17. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Now, it's good.
    Continue with other steps....
     
    broni,
    #36
  18. 2011/05/19
    Matthew2011

    Matthew2011 Inactive Thread Starter

    Joined:
    2011/05/15
    Messages:
    22
    Likes Received:
    0
    all set

    put on WOT and Secunia is updating a few adobe files.

    thanks again for your patient guidance.
     
    Matthew2011,
    #37
  19. 2011/05/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)

    Good luck and stay safe :)
     
    broni,
    #38
Page 2 of 2

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...