Welcome to MalwareRemoval.com,

recurring zbot,g virus again

Post by swiiper » November 29th, 2011, 4:08 am

Hi - this virus keeps being detected by AVG and affects browsers, and I cannot start in safe mode. Here is the log (I can't zip the attact.txt file as some dll file is missing and zip won't work - I don't know if this is related to the virus):
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Michael at 7:59:56 on 2011-11-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.144 [GMT 0:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\AudioDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\SSSAudioControl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\windows-kb890830-v4.2-delta.exe
d:\c5ea1f28b1df4e7322a868234d90\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Facebook Update] "c:\documents and settings\michael\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SSSAudioControl] c:\windows\system32\SSSAudioControl.exe
mRun: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Hercules DJ Series] c:\program files\hercules\audio\dj console series\HDJSeriesCPL.exe /boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\documents and settings\michael\start menu\programs\startup\toyulixq.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{0FEAA65E-B36D-4070-A6F7-E3FEC90F45F3} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michael\application data\mozilla\firefox\profiles\lxf46fc4.default\
FF - prefs.js: browser.startup.homepage - hxxp://backstage.kidspartyclub.ie
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\michael\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\michael\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-30 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-30 108552]
R2 AudioDeviceService;AudioDeviceService;c:\windows\system32\AudioDeviceService.exe [2010-12-25 102400]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-30 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-30 297752]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-2-12 4300]
R2 HerculesDJControlMP3;Hercules DJ Control MP3;c:\program files\hercules\audio\dj console series\drivers\x86\HerculesDJControlMP3.EXE [2011-11-16 20480]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-2-12 238464]
S3 Bulk;HDJBulk;c:\windows\system32\drivers\HDJBulk.sys [2011-11-16 160384]
S3 HDJMidi;DJ Control MP3 e2 MIDI;c:\windows\system32\drivers\HDJMidi.sys [2011-11-16 225408]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]
S3 TrueSight;TrueSight;c:\windows\system32\drivers\TrueSight.sys [2011-11-27 111872]
S3 UAExt;UAExt;c:\windows\system32\drivers\UAExt.sys [2010-12-25 14848]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM106.sys [2010-12-29 1506304]
.
=============== Created Last 30 ================
.
2011-11-27 12:54:04 388096 ----a-r- c:\documents and settings\michael\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-27 12:33:32 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-11-16 19:40:56 26624 ----a-w- c:\windows\system32\drivers\HDJCtrl.sys
2011-11-16 19:40:56 225408 ----a-w- c:\windows\system32\drivers\HDJMidi.sys
2011-11-16 19:40:56 220672 ----a-w- c:\windows\system32\drivers\HDJAsioK.sys
2011-11-16 19:40:56 160384 ----a-w- c:\windows\system32\drivers\HDJBulk.sys
2011-11-16 19:40:56 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-11-16 19:40:48 79872 ----a-w- c:\windows\system32\HerculesDJDevices.dll
2011-11-16 19:40:42 282624 ----a-w- c:\windows\system32\HDJSeries.cpl
2011-11-16 19:20:13 -------- d-----w- c:\program files\Hercules
2011-11-07 10:50:18 -------- d-----w- c:\program files\TheWorld 3
2011-11-07 10:18:57 -------- d--h--w- c:\windows\PIF
2011-11-03 16:31:34 -------- d-----w- c:\program files\Trend Micro
2011-11-03 11:21:41 -------- d-----w- c:\documents and settings\michael\local settings\application data\llhibira
.
==================== Find3M ====================
.
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\SET5.tmp
2011-09-26 10:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ------w- c:\windows\system32\crypt32.dll
2011-09-08 16:02:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 8:01:22.12 ===============
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm
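The DDS output above is what the helper reads to find persistence: the uRun/mRun/dRun autostart keys, the StartupFolder entries and the "Created Last 30" file list. The script below is an added example written for this page (it is not part of the thread, of DDS or of any tool the helper uses) that automates two common triage heuristics over lines copied from the log: a StartupFolder entry that is a bare .exe rather than a .lnk shortcut, and a file or folder under the user profile whose name is a run of 7 to 12 lowercase letters with no recognisable word structure. The regular expressions, the profile-location gate and the name heuristic are assumptions of this example, and a hit only means "look at this", not a verdict; the location gate exists because legitimate names such as quickstart.exe under Program Files would otherwise trip the name rule.

```python
"""Triage heuristics for DDS autostart and 'Created Last 30' lines.

Added example, not part of the thread or the DDS tool. Parses three kinds
of DDS lines and flags entries a human reviewer should look at first.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the first post.
SAMPLE_LOG_LINES = [
    r'uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"',
    r'uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c',
    r"mRun: [IgfxTray] c:\windows\system32\igfxtray.exe",
    r"StartupFolder: c:\docume~1\michael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe",
    r"StartupFolder: c:\documents and settings\michael\start menu\programs\startup\toyulixq.exe",
    r"2011-11-07 10:50:18 -------- d-----w- c:\program files\TheWorld 3",
    r"2011-11-03 11:21:41 -------- d-----w- c:\documents and settings\michael\local settings\application data\llhibira",
]

# Assumed line shapes (based on the log as quoted, not on a DDS specification).
RUN_RE = re.compile(r"^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
PATH_RE = re.compile(r'([^"]*?\.(?:exe|dll|cpl))', re.I)      # first path-like token in a command
STARTUP_RE = re.compile(r"^StartupFolder: (?P<item>.+?)(?: - (?P<target>.+))?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ (?P<attrs>\S+) (?P<path>.+)$")

# Heuristic: 7-12 lowercase letters, nothing else (assumption of this example).
RANDOM_STEM_RE = re.compile(r"^[a-z]{7,12}$")
# XP-era profile root; "docume~1" is its 8.3 short form as DDS prints it.
PROFILE_MARKS = ("documents and settings", "docume~1")


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    path: str   # the path that triggered it
    line: str   # the original DDS line, for the reviewer


def leaf_stem(path: str) -> str:
    """Last path component without its extension (e.g. '...\\toyulixq.exe' -> 'toyulixq')."""
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0] if "." in leaf else leaf


def in_user_profile(path: str) -> bool:
    """True when the path lives under a user profile rather than Windows or Program Files."""
    lowered = path.lower()
    return any(mark in lowered for mark in PROFILE_MARKS)


def paths_in_line(line: str) -> tuple[list[str], bool]:
    """Return the paths named on one DDS line and whether it is a bare-exe StartupFolder entry."""
    m = STARTUP_RE.match(line)
    if m:
        item, target = m.group("item"), m.group("target")
        bare_exe = target is None and item.lower().endswith(".exe")
        return [item] + ([target] if target else []), bare_exe
    m = RUN_RE.match(line)
    if m:
        pm = PATH_RE.search(m.group("cmd"))
        return ([pm.group(1)] if pm else []), False
    m = CREATED_RE.match(line)
    if m:
        return [m.group("path")], False
    return [], False


def triage(lines) -> list[Finding]:
    """Apply both heuristics to every recognised line; unrecognised lines are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        paths, bare_exe = paths_in_line(line)
        if bare_exe:
            findings.append(Finding("startup-bare-exe", paths[0], line))
        for p in paths:
            # Name rule is gated on location: random-looking stems are only
            # interesting when the file sits in a user-writable profile area.
            if in_user_profile(p) and RANDOM_STEM_RE.match(leaf_stem(p)):
                findings.append(Finding("random-name-in-profile", p, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f.rule}] {f.path}")
```

Run against the sample it reports the bare executable in the user's Startup folder and the lowercase-only folder under Application Data, and stays silent on the Google updater that also lives in the profile but has a structured name; extend `PROFILE_MARKS` with `users` to apply the same gate to Vista-and-later logs.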

Re: recurring zbot,g virus again

Post by mambass » November 30th, 2011, 11:38 am

Hi swiiper, :)

Welcome to the forum.

My nickname is mambass and I'll be helping you with any malware problems.

Before we begin...please read and follow these important guidelines so things will proceed smoothly.

  1. If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
  2. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  3. Please read all instructions carefully before executing them and perform the steps in the order given.
    If you have any questions or problems executing these instructions, <<STOP>> do not proceed but rather post back with the question or problem.
  4. Your security programs may give warnings for some of the tools I will ask you to use. Be assured that any links I give are safe.
  5. You must have Administrator rights permissions for this computer.
  6. DO NOT run any other fix or removal tools unless instructed to do so!
  7. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  8. Only post your problem at one (1) help site. Applying fixes from multiple help sites can cause problems.
  9. Only reply to this thread. Do not start another thread.
  10. The absence of symptoms does not imply the absence of malware. Please, continue responding, until I give you the "All Clean".
  11. You might want to place a link to this thread in your Favorites/Bookmarks for easy access.
  12. No Reply Within 3 Days Will Result In Your Topic Being Closed! Please let me know in advance if you will not be able to reply within this time limit.
  13. The logs I request can take a while to research, so please be patient.
  14. I am currently in training at Malware Removal University. Each set of instructions that I provide will be reviewed by a faculty member before being posted to this thread. This process may add a small amount of time to my replies. On the positive side, you will have two people working together to resolve your malware issues.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

How to back up or transfer your data on a Windows-based computer

-----------------------------------------------------------

I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thanks,

mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Post by swiiper » November 30th, 2011, 12:12 pm

Thanks Mambass - appreciate the help. You might want to check these posts as well.

viewtopic.php?f=12&t=58495
viewtopic.php?f=12&t=58323

I had a post closed as I went over three days, which can happen as I am sometimes away from the infected computer for a few days at a time with work.

swiiper
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Post by mambass » December 2nd, 2011, 11:13 am

Hi swiiper,
swiiper wrote: Thanks Mambass - appreciate the help.
You're welcome. :)

I've reviewed your logs and I'm afraid that I have some bad news. :(
Your computer is infected with a backdoor trojan.

Backdoor Warning
A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge.
A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
Typically it's installed without user interaction through security exploits and can severely compromise system security.
Such infections may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files and install additional malware.
These backdoor infections may also collect and transmit personally identifiable information without your consent and severely degrade the performance and stability of your computer.
A backdoor infection can give intruders complete control of your computer, log your keystrokes, obtain passwords, steal personal information, etc. Stealing accounts and passwords is a specialty of this particular infection.

You are strongly advised to do the following:
  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft
    and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords
    (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
    Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again.
Many experts in the security community believe that, once infected with this type of trojan, the best course of action would be to reformat the disk and re-install the operating system (OS).
This decision will have to be made by you.


To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
How to use Backup to protect data and restore files and folders

I also noticed that the OTL log you provided in the post here was generated on a computer running the Windows 2000 operating system. The log had entries indicating that machine may also be infected with the same backdoor trojan. All of the warnings provided above apply to that computer as well. As such you should not use that computer when changing account passwords. Per our policy concerning Computers using Operating Systems no longer supported by Microsoft, we will not be able to help you with that machine and recommend that you reformat its hard drive and re-install Windows 2000 if you wish to retain that computer.


Please let me know how you would like to proceed.


mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Post by mambass » December 5th, 2011, 11:13 am

Hi swiiper,

It's been 72 hours since I posted my last reply. I just wanted to remind you that our policy is to close the thread if we have not heard back from you within 3 days from the time that reply was posted.

Please let us know how you would like to proceed. If you are having trouble reaching a decision then please let us know if you need some extra time to reach a decision and/or if you have any questions related to making that decision.

Thank you,

mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Post by swiiper » December 5th, 2011, 1:14 pm

Hi - thanks for the heads up - I'll be back home this evening (where the infected computer resides) and will get back to you then.
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Post by swiiper » December 5th, 2011, 8:12 pm

Mambass,
I think I posted all the logs from the infected computer, so any problem I think is isolated to that one. As per your advice, that is now off the home network.

I think I'd like to try and clean it before going down the reformatting route. Can we try that?
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Post by mambass » December 5th, 2011, 9:23 pm

Hi swiiper, :)

swiiper wrote: I think I posted all the logs from the infected computer so any problem I think is isolated to that one.
The OTL log in the post here was generated on a computer running the Windows 2000 Professional Edition operating system.


swiiper wrote: I can't zip the attact.txt file as some dll file is missing and zip won't work - don't know if this related to virus
Please post the contents of the Attach.txt log in the same manner as you did with the DDS.txt log. If you cannot find the Attach.txt log then you may run DDS again.


swiiper wrote: I think I'd like to try and clean it before going down the reformatting route. Can we try that?
We most certainly can. Disinfecting your computer requires that we have a stable, predictable software and hardware configuration. Furthermore it is imperative that all scans that are performed and all changes provided in my instructions be performed on the one computer that we are disinfecting. I therefore must require that while we are disinfecting your computer:
  • No software or hardware can be installed other than as directed in my posts.
  • No software or hardware can be removed/uninstalled other than as directed in my posts.
  • No scans can be performed other than as directed in my posts.
  • No files can be downloaded other than as directed in my posts.
  • No use of System Restore or change in System Restore options can be performed other than as directed in my posts.
  • No logs generated on any machine other than the one machine that we are disinfecting can be posted to this thread.
  • These rules must remain in effect as long as this thread is active.

If you are unable to download software from the infected machine then please download it to a computer that is known to be clean and then transfer the file(s) to the infected computer using external media such as a USB Flash drive, a CD/DVD or an external drive.

Please print these instructions because you will need to close this browser window while performing some of the tasks below.

  1. Download AntiVir Free
    This program is free for personal, non-business use.
    Download AntiVir Free from here: http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
    Click the Download button. Then when the "Download Locations" page comes up, choose the first External Mirror (exe)
    Save the Installer to your desktop, but don't run it yet. The installer file will be named avira_antivir_personal_en.exe
    Double check to be sure you know where to find it.

  2. Remove Program Using Control Panel
    From Start, Control Panel, double-click on Add or Remove Programs.
    Click the entry for AVG 8, then click the entry's Remove button.
    Take extra care in answering questions posed by the Uninstaller.

  3. REBOOT (RESTART) Your Machine

  4. Install AntiVir
    Double-click the Avira AntiVir Installer you saved on your desktop and let it Install AntiVir.

  5. Update and Scan with AntiVir
    Right click the red umbrella icon and choose Start AntiVir.
    When the window comes up click Start Update.
    When the update is complete, click on Scan System Now.
    This full scan could take an hour or more.
    It will ask what to do with any item it finds.
    IMPORTANT >> tell it to DELETE or QUARANTINE any items it finds.

  6. Get Last Avira Report
    Right click the red umbrella icon in the system tray and click Start AntiVir
    In the left pane, click Overview, then click Reports
    There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
    Click on the Report File button, or Right click the report and choose Display Report.
    The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
    Paste the contents (Ctrl+V) into your next reply.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the Attach.txt log from your earlier DDS run.
  3. The contents of the AntiVir report.
  4. A description of how your computer is running and any Malware symptoms that are still present.
  5. After posting your reply message, please verify that the last line of the last report is present in the post. If any log is cut off then please post the logs in sections.

mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Post by swiiper » December 6th, 2011, 6:41 pm

All reports asked for below.
The computer seems to be behaving itself. Things improved after I managed to get rkill (I think it was that one) to work. That seemed to allow AVG to work, and I ran an AVG scan shortly thereafter (before your involvement) and it seemed to capture a lot of trojans and viruses.
You saw the logs after this point and made your assessment so you obviously still saw something in there.

Avira report and DDS logs below.

Avira Free Antivirus
Report file date: 06 December 2011 21:19

Scanning for 3537827 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : JACK

Version information:
BUILD.DAT : 12.0.0.861 41826 Bytes 10/19/2011 19:24:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 10/19/2011 16:56:25
AVSCAN.DLL : 12.1.0.17 54224 Bytes 10/19/2011 16:56:46
LUKE.DLL : 12.1.0.17 68304 Bytes 10/19/2011 16:56:34
AVSCPLR.DLL : 12.1.0.19 99536 Bytes 10/19/2011 16:56:25
AVREG.DLL : 12.1.0.22 226512 Bytes 10/19/2011 16:56:24
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 20:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 11:07:39
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 17:08:51
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 12:00:55
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 12:18:22
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 14:12:53
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 09:26:09
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 16:56:40
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 21:09:48
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 21:09:48
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 21:09:48
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 21:09:48
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 21:09:48
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 21:09:50
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 21:09:51
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 21:09:52
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 21:09:54
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 21:09:55
VBASE018.VDF : 7.11.18.240 2048 Bytes 12/6/2011 21:09:55
VBASE019.VDF : 7.11.18.241 2048 Bytes 12/6/2011 21:09:55
VBASE020.VDF : 7.11.18.242 2048 Bytes 12/6/2011 21:09:55
VBASE021.VDF : 7.11.18.243 2048 Bytes 12/6/2011 21:09:55
VBASE022.VDF : 7.11.18.244 2048 Bytes 12/6/2011 21:09:56
VBASE023.VDF : 7.11.18.245 2048 Bytes 12/6/2011 21:09:56
VBASE024.VDF : 7.11.18.246 2048 Bytes 12/6/2011 21:09:56
VBASE025.VDF : 7.11.18.247 2048 Bytes 12/6/2011 21:09:56
VBASE026.VDF : 7.11.18.248 2048 Bytes 12/6/2011 21:09:56
VBASE027.VDF : 7.11.18.249 2048 Bytes 12/6/2011 21:09:56
VBASE028.VDF : 7.11.18.250 2048 Bytes 12/6/2011 21:09:56
VBASE029.VDF : 7.11.18.251 2048 Bytes 12/6/2011 21:09:56
VBASE030.VDF : 7.11.18.252 2048 Bytes 12/6/2011 21:09:56
VBASE031.VDF : 7.11.19.2 14848 Bytes 12/6/2011 21:09:56
Engineversion : 8.2.6.128
AEVDF.DLL : 8.1.2.2 106868 Bytes 12/6/2011 21:10:21
AESCRIPT.DLL : 8.1.3.88 479611 Bytes 12/6/2011 21:10:20
AESCN.DLL : 8.1.7.2 127349 Bytes 9/1/2011 23:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 12/6/2011 21:10:22
AERDL.DLL : 8.1.9.15 639348 Bytes 9/8/2011 23:16:06
AEPACK.DLL : 8.2.14.4 741752 Bytes 12/6/2011 21:10:19
AEOFFICE.DLL : 8.1.2.21 201084 Bytes 12/6/2011 21:10:16
AEHEUR.DLL : 8.1.3.3 3871095 Bytes 12/6/2011 21:10:15
AEHELP.DLL : 8.1.18.0 254327 Bytes 12/6/2011 21:10:01
AEGEN.DLL : 8.1.5.15 405878 Bytes 12/6/2011 21:10:00
AEEMU.DLL : 8.1.3.0 393589 Bytes 9/1/2011 23:46:01
AECORE.DLL : 8.1.24.0 196983 Bytes 12/6/2011 21:09:59
AEBB.DLL : 8.1.1.0 53618 Bytes 9/1/2011 23:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 10/19/2011 16:56:27
AVPREF.DLL : 12.1.0.17 51920 Bytes 10/19/2011 16:56:24
AVREP.DLL : 12.1.0.17 179408 Bytes 10/19/2011 16:56:24
AVARKT.DLL : 12.1.0.17 223184 Bytes 10/19/2011 16:56:22
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 10/19/2011 16:56:23
SQLITE3.DLL : 3.7.0.0 398288 Bytes 10/19/2011 16:56:38
AVSMTP.DLL : 12.1.0.17 62928 Bytes 10/19/2011 16:56:25
NETNT.DLL : 12.1.0.17 17104 Bytes 10/19/2011 16:56:34
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 10/19/2011 16:56:49
RCTEXT.DLL : 12.1.0.16 96208 Bytes 10/19/2011 16:56:49

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: 06 December 2011 21:19

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '29' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '68' Module(s) have been scanned
Scan process 'avscan.exe' - '61' Module(s) have been scanned
Scan process 'avcenter.exe' - '93' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '28' Module(s) have been scanned
Scan process 'avgnt.exe' - '60' Module(s) have been scanned
Scan process 'sched.exe' - '37' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '91' Module(s) have been scanned
Scan process 'rundll32.exe' - '57' Module(s) have been scanned
Scan process 'firefox.exe' - '86' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'BTTray.exe' - '45' Module(s) have been scanned
Scan process 'Skype.exe' - '80' Module(s) have been scanned
Scan process 'msmsgs.exe' - '43' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'ctfmon.exe' - '26' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '55' Module(s) have been scanned
Scan process 'HDJSeriesCPL.exe' - '39' Module(s) have been scanned
Scan process 'rundll32.exe' - '35' Module(s) have been scanned
Scan process 'RunDll32.exe' - '40' Module(s) have been scanned
Scan process 'SSSAudioControl.exe' - '27' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '23' Module(s) have been scanned
Scan process 'BatteryManager.exe' - '25' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '27' Module(s) have been scanned
Scan process 'igfxpers.exe' - '23' Module(s) have been scanned
Scan process 'hkcmd.exe' - '26' Module(s) have been scanned
Scan process 'igfxtray.exe' - '27' Module(s) have been scanned
Scan process 'EDSAgent.exe' - '23' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '36' Module(s) have been scanned
Scan process 'jusched.exe' - '21' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'HerculesDJControlMP3.EXE' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'AudioDeviceService.exe' - '18' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Explorer.EXE' - '99' Module(s) have been scanned
Scan process 'spoolsv.exe' - '59' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'btwdins.exe' - '22' Module(s) have been scanned
Scan process 'svchost.exe' - '166' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '36' Module(s) have been scanned
Scan process 'winlogon.exe' - '66' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '1599' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\0\72072600-72b05088
[0] Archive type: ZIP
--> json/Parser.class
[DETECTION] Contains recognition pattern of the EXP/Java.Dldr.A exploit
--> json/XML.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.FL exploit
Begin scan in 'D:\'

Beginning disinfection:
C:\Documents and Settings\Michael\Application Data\Sun\Java\Deployment\cache\6.0\0\72072600-72b05088
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.FL exploit
[NOTE] The file was moved to the quarantine directory under the name '4c2037f7.qua'.


End of the scan: 06 December 2011 22:13
Used time: 53:09 Minute(s)

The scan has been done completely.

8661 Scanned directories
342857 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
342855 Files not concerned
8824 Archives were scanned
0 Warnings
1 Notes
293240 Objects were scanned with rootkit scan
0 Hidden objects were found



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Michael at 22:18:36 on 2011-12-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.249 [GMT 0:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\AudioDeviceService.exe
svchost.exe
C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\SSSAudioControl.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ie/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Facebook Update] "c:\documents and settings\michael\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SSSAudioControl] c:\windows\system32\SSSAudioControl.exe
mRun: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Hercules DJ Series] c:\program files\hercules\audio\dj console series\HDJSeriesCPL.exe /boot
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{0FEAA65E-B36D-4070-A6F7-E3FEC90F45F3} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michael\application data\mozilla\firefox\profiles\lxf46fc4.default\
FF - prefs.js: browser.startup.homepage - hxxp://backstage.kidspartyclub.ie
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\michael\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\michael\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-6 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-6 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-6 110032]
R2 AudioDeviceService;AudioDeviceService;c:\windows\system32\AudioDeviceService.exe [2010-12-25 102400]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-6 74640]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-2-12 4300]
R2 HerculesDJControlMP3;Hercules DJ Control MP3;c:\program files\hercules\audio\dj console series\drivers\x86\HerculesDJControlMP3.EXE [2011-11-16 20480]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-2-12 238464]
S3 Bulk;HDJBulk;c:\windows\system32\drivers\HDJBulk.sys [2011-11-16 160384]
S3 HDJMidi;DJ Control MP3 e2 MIDI;c:\windows\system32\drivers\HDJMidi.sys [2011-11-16 225408]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]
S3 TrueSight;TrueSight;c:\windows\system32\drivers\TrueSight.sys [2011-11-27 111872]
S3 UAExt;UAExt;c:\windows\system32\drivers\UAExt.sys [2010-12-25 14848]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM106.sys [2010-12-29 1506304]
.
=============== Created Last 30 ================
.
2011-12-06 21:19:46 -------- d-----w- c:\windows\system32\NtmsData
2011-12-06 21:12:26 -------- d-----w- c:\documents and settings\michael\application data\Avira
2011-12-06 21:06:37 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-06 21:06:37 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-06 21:06:35 -------- d-----w- c:\program files\Avira
2011-12-06 21:06:35 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-11-27 12:54:04 388096 ----a-r- c:\documents and settings\michael\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-27 12:33:32 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-11-16 19:40:56 26624 ----a-w- c:\windows\system32\drivers\HDJCtrl.sys
2011-11-16 19:40:56 225408 ----a-w- c:\windows\system32\drivers\HDJMidi.sys
2011-11-16 19:40:56 220672 ----a-w- c:\windows\system32\drivers\HDJAsioK.sys
2011-11-16 19:40:56 160384 ----a-w- c:\windows\system32\drivers\HDJBulk.sys
2011-11-16 19:40:56 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-11-16 19:40:48 79872 ----a-w- c:\windows\system32\HerculesDJDevices.dll
2011-11-16 19:40:42 282624 ----a-w- c:\windows\system32\HDJSeries.cpl
2011-11-16 19:20:13 -------- d-----w- c:\program files\Hercules
2011-11-07 10:50:18 -------- d-----w- c:\program files\TheWorld 3
2011-11-07 10:18:57 -------- d--h--w- c:\windows\PIF
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-08 16:02:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 22:19:20.53 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 01/05/2009 13:36:25
System Uptime: 29/11/2011 07:49:30 (1 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | NC10
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U2E1 | 1596/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 43.048 GiB free.
D: is FIXED (NTFS) - 72 GiB total, 65.831 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP360: 18/11/2011 19:51:19 - Installed Hercules DJ Series Drivers
RP361: 18/11/2011 20:08:25 - System Checkpoint
RP362: 27/11/2011 11:20:52 - System Checkpoint
RP363: 29/11/2011 07:53:41 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Atheros WLAN Client
AVG 8.5
Click to Call with Skype
CopyTrans Suite Remove Only
Easy Display Manager
Easy Network Manager
Facebook Video Calling 1.0.0.8953
Google Chrome
Google Talk Plugin
Google Toolbar for Internet Explorer
Hercules DJ Products Series drivers
HiJackThis
HijackThis 2.0.2
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
imagine digital freedom - Samsung
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0
Java Auto Updater
Java(TM) 6 Update 19
jZip
Magic Keyboard
Marvell Miniport Driver
Media Player Codec Pack 3.9.6
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 8.0 (x86 en-GB)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Namuga 1.3M Webcam
OpenOffice.org 3.1
Play Camera
QuickTime
Realtek High Definition Audio Driver
Samsung Battery Manager
Samsung EDS
Samsung Magic Doctor
Samsung Recovery Solution III
Samsung Update Plus
Samsung Wallpaper
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skype™ 5.5
Synaptics Pointing Device Driver
TheWorld Browser 3.0 Final
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Multi-Channel Audio Device
User Guide
Virtual DJ - Atomix Productions
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
27/11/2011 13:03:46, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
27/11/2011 12:50:28, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 E-mail Scanner service to connect.
27/11/2011 12:50:28, error: Service Control Manager [7000] - The AVG Free8 E-mail Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/11/2011 12:32:24, error: Service Control Manager [7034] - The Hercules DJ Control MP3 service terminated unexpectedly. It has done this 1 time(s).
27/11/2011 12:32:18, error: Service Control Manager [7034] - The AudioDeviceService service terminated unexpectedly. It has done this 1 time(s).
27/11/2011 09:52:42, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{CFA6B096-0CE0-4761-8CF8-1C567346EF24} because another computer on the network has the same name. The server could not start.
27/11/2011 09:52:42, error: NetBT [4321] - The name "MIKE :20" could not be registered on the Interface with IP address 169.254.75.56. The machine with the IP address 169.254.75.56 did not allow the name to be claimed by this machine.
27/11/2011 09:52:42, error: NetBT [4321] - The name "MIKE :0" could not be registered on the Interface with IP address 169.254.75.56. The machine with the IP address 169.254.75.56 did not allow the name to be claimed by this machine.
26/11/2011 23:26:58, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{0FEAA65E-B36D-4070-A6F7-E3FEC90F45F3} because another computer on the network has the same name. The server could not start.
26/11/2011 23:26:53, error: NetBT [4321] - The name "MIKE :20" could not be registered on the Interface with IP address 192.168.1.89. The machine with the IP address 192.168.1.22 did not allow the name to be claimed by this machine.
26/11/2011 23:26:53, error: NetBT [4321] - The name "MIKE :0" could not be registered on the Interface with IP address 192.168.1.89. The machine with the IP address 192.168.1.22 did not allow the name to be claimed by this machine.
.
==== End Of File ===========================
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby mambass » December 7th, 2011, 11:21 am

Hi swiiper, :)

Are you still experiencing any malware-related issues?

There are a few more things we need to do even if everything is running smoothly.

  1. Download and Run MalwareBytes' Anti-Malware
    It is free for non-business use.
    Please go here to the Download Location, and click Download Now for the Free one on the Left.
    When the next page comes up, click on the Official Mirror button.
    • Choose Save File when asked if you would like to save the file and the "Save to location" dialog will come up.
    • Choose Desktop as the location to save the installer and click Save again.
    • You should now have a desktop icon named mbam-setup.exe. Double-click it.
    • Let it install the program where it wants to, with the default settings, and click Finish.
    • If an update is found, it will download and install the latest version.
    • If necessary, start Malwarebytes Anti-Malware again.
      (You can Decline any Offer for a Trial)
    • Once the program is running, select Perform Quick Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
    • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents.
    • Recent logs are named by time/date stamp in this format : mbam-log-2011-mm-dd(hour-min-sec).txt
    • You can now delete the installer icon, named mbam-setup.exe from your desktop.

  2. Run a Scan with OTL
    • Please download OTL by OldTimer and save it to your desktop.
    • Double click on the OTL icon on your Desktop to run it.
    • Check the boxes labeled :
      • Scan All Users
      • LOP check
      • Purity check
      • Extra Registry > Use SafeList
    • Make sure all other windows are closed to let it run uninterrupted.
    • Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
    When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL (desktop).
    The Extras.txt file will only appear the very first time you run OTL.
    Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the Malwarebytes log.
  3. The contents of the OTL.txt and Extras.txt logs.
  4. A description of how your computer is running and any Malware symptoms that are still present.
  5. After posting your reply message, please verify that the last line of the last report is present in the post. If any log is cut off then please post the logs in sections.


mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Unread postby swiiper » December 7th, 2011, 4:56 pm

I posted the logs requested here a few minutes ago but don't see them now! Perhaps it takes a while for posts to show or be approved?

Anyway, after posting the logs I decided to repeat a few processes I know didn't work during the infection. The computer would not start in safe mode and it still won't. IE would not start and it still will not.

I no longer get warning after warning of infections from my AV program. The only error message I get is that MSXML.DLL is missing.
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby mambass » December 7th, 2011, 5:00 pm

Please try to post the logs again. Be careful to click Submit rather than Preview.
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Unread postby swiiper » December 7th, 2011, 5:10 pm

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8329

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/12/2011 19:34:15
mbam-log-2011-12-07 (19-34-15).txt

Scan type: Quick scan
Objects scanned: 151421
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


__________________________________________________________________ooo

OTL logfile created on: 07/12/2011 20:00:30 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Michael\Desktop
Windows 2000 Professional Edition (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1014.36 Mb Total Physical Memory | 389.56 Mb Available Physical Memory | 38.40% Memory free
2.39 Gb Paging File | 1.81 Gb Available in Paging File | 75.91% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 43.95 Gb Free Space | 61.87% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 65.83 Gb Free Space | 91.44% Space Free | Partition Type: NTFS

Computer Name: JACK | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/27 13:01:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
PRC - [2011/11/13 07:58:12 | 001,694,608 | ---- | M] (Bandoo Media, inc) -- C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe
PRC - [2011/11/10 23:48:02 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/10/19 16:56:50 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/10/19 16:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/10/19 16:56:24 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/10/19 16:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/08/03 14:03:22 | 002,680,104 | ---- | M] (Hercules®) -- C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
PRC - [2011/08/02 09:22:18 | 000,020,480 | ---- | M] () -- C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
PRC - [2010/12/25 11:10:54 | 006,529,024 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\system32\SSSAudioControl.exe
PRC - [2010/12/25 11:10:48 | 000,102,400 | ---- | M] (SSS) -- C:\WINDOWS\system32\AudioDeviceService.exe
PRC - [2008/10/20 18:32:54 | 002,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
PRC - [2008/09/17 13:25:46 | 000,580,200 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/21 04:40:30 | 000,659,456 | ---- | M] (Samsung Electronics,.LTD) -- C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/10 23:48:01 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/10/19 16:56:38 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/09/08 16:02:01 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/08/02 09:22:18 | 000,020,480 | ---- | M] () -- C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
MOD - [2010/05/19 20:55:36 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\mkunicode.dll
MOD - [2009/01/10 22:15:44 | 000,159,744 | ---- | M] () -- C:\WINDOWS\system32\mmfinfo.dll
MOD - [2008/10/20 18:32:54 | 002,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
MOD - [2008/09/17 13:20:08 | 002,842,624 | ---- | M] () -- C:\WINDOWS\system32\btwicons.dll
MOD - [2008/04/14 12:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/10/19 16:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/19 16:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/08/02 09:22:18 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE -- (HerculesDJControlMP3)
SRV - [2010/12/25 11:10:48 | 000,102,400 | ---- | M] (SSS) [Auto | Running] -- C:\WINDOWS\system32\AudioDeviceService.exe -- (AudioDeviceService)


========== Driver Services (SafeList) ==========

DRV - [2011/11/27 12:59:06 | 000,111,872 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TrueSight.sys -- (TrueSight)
DRV - [2011/10/19 16:56:50 | 000,134,344 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/10/19 16:56:50 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/10/19 16:56:50 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/08/02 09:22:20 | 000,225,408 | ---- | M] (© Guillemot R&D, 2011. All rights reserved.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDJMidi.sys -- (HDJMidi)
DRV - [2011/08/02 09:22:14 | 000,160,384 | ---- | M] (© Guillemot R&D, 2010. All rights reserved.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDJBulk.sys -- (Bulk)
DRV - [2010/12/25 11:10:54 | 000,014,848 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UAExt.sys -- (UAExt)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/11/07 09:04:00 | 000,291,328 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/10/13 20:21:24 | 001,506,304 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CM106.sys -- (USBMULCD)
DRV - [2008/10/08 06:35:10 | 001,334,432 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/23 20:23:58 | 000,238,464 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMC326.sys -- (VMC326)
DRV - [2008/08/26 23:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/29 15:59:08 | 000,879,832 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/07/29 15:59:02 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/07/26 23:29:54 | 000,074,688 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/07/26 23:29:36 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/07/26 23:29:28 | 000,539,640 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/01/15 03:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)
DRV - [2006/08/01 23:57:24 | 000,019,840 | ---- | M] (Samsung) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SUE_PD.sys -- (SUEPD)
DRV - [2005/10/27 04:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/102
IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.order.1: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Search Results"
FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/102"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Michael\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Michael\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 23:48:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/03 13:10:27 | 000,000,000 | ---D | M]

[2009/12/31 10:31:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Extensions
[2011/07/30 20:29:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions
[2011/12/06 22:25:27 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2011/12/06 22:25:08 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\searchplugins\Search_Results.xml
[2011/11/10 23:48:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/08/29 17:21:21 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2009/06/09 18:51:02 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/11/10 23:48:02 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/11 21:20:04 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/10/11 21:20:04 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/11 21:20:04 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/10/11 21:20:04 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/06 22:25:08 | 000,002,515 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
[2011/10/11 21:20:04 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: ()
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =

O1 HOSTS File: ([2008/04/14 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
O4 - HKLM..\Run: [Hercules DJ Series] C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe (Hercules®)
O4 - HKLM..\Run: [SSSAudioControl] C:\WINDOWS\system32\SSSAudioControl.exe (TODO: <Company name>)
O4 - HKLM..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe ()
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKU\S-1-5-21-3870564424-1140265585-552937611-1005..\Run: [Facebook Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0FEAA65E-B36D-4070-A6F7-E3FEC90F45F3}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\SYSTEM32\Userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 19:26:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/07 19:24:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Malwarebytes
[2011/12/07 19:24:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/07 19:24:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/12/07 19:23:54 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/07 19:23:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/06 22:25:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\searchqutoolbar
[2011/12/06 22:25:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2011/12/06 22:25:08 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Searchqu Toolbar
[2011/12/06 21:19:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/12/06 21:12:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Avira
[2011/12/06 21:06:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/12/06 21:06:40 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/12/06 21:06:37 | 000,134,344 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/12/06 21:06:37 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/12/06 21:06:37 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2011/12/06 21:06:35 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/12/06 21:06:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/11/29 07:59:58 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\Start Menu\Programs\Administrative Tools
[2011/11/29 07:59:23 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Michael\Desktop\dds.scr
[2011/11/27 13:13:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop\tdsskiller
[2011/11/27 13:01:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/11/27 12:33:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop\RK_Quarantine
[2011/11/16 19:40:56 | 001,461,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\WdfCoInstaller01009.dll
[2011/11/16 19:40:56 | 000,225,408 | ---- | C] (© Guillemot R&D, 2011. All rights reserved.) -- C:\WINDOWS\System32\drivers\HDJMidi.sys
[2011/11/16 19:40:56 | 000,220,672 | ---- | C] (© Guillemot R&D, 2010. All rights reserved.) -- C:\WINDOWS\System32\drivers\HDJAsioK.sys
[2011/11/16 19:40:56 | 000,160,384 | ---- | C] (© Guillemot R&D, 2010. All rights reserved.) -- C:\WINDOWS\System32\drivers\HDJBulk.sys
[2011/11/16 19:40:56 | 000,026,624 | ---- | C] (© Guillemot R&D, 2010. All rights reserved.) -- C:\WINDOWS\System32\drivers\HDJCtrl.sys
[2011/11/16 19:40:48 | 000,079,872 | ---- | C] (Windows (R) Win 7 DDK provider) -- C:\WINDOWS\System32\HerculesDJDevices.dll
[2011/11/16 19:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Hercules
[2011/11/16 19:40:42 | 000,282,624 | ---- | C] (Hercules®) -- C:\WINDOWS\System32\HDJSeries.cpl
[2011/11/16 19:20:13 | 000,000,000 | ---D | C] -- C:\Program Files\Hercules
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/07 19:57:02 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005UA.job
[2011/12/07 19:24:02 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/07 19:16:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/07 19:16:08 | 1063,702,528 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/06 22:26:37 | 000,003,377 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\attach.zip
[2011/12/06 22:25:09 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\jZip.lnk
[2011/12/06 21:57:09 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005Core.job
[2011/12/06 21:06:56 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2011/12/06 20:51:45 | 084,358,288 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\avira_free_antivirus_en.exe
[2011/12/06 20:34:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005UA.job
[2011/12/06 20:34:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005Core.job
[2011/12/05 16:50:54 | 000,000,250 | ---- | M] () -- C:\WINDOWS\System\Cm106.ini
[2011/12/04 14:14:54 | 007,809,901 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Drake - Headlines (Explicit).mp3
[2011/12/04 13:18:00 | 002,158,386 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\TooBeautiful.mp3
[2011/12/04 13:16:44 | 005,893,140 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Drake - The Motto ft. Lil Wayne.mp3
[2011/12/03 19:16:07 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Virtual DJ (DJConsole).lnk
[2011/12/01 00:08:50 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/29 23:04:33 | 002,817,171 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\HipHopScary.mp3
[2011/11/29 22:56:54 | 002,340,407 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\CaptainBirdseye(1).mp3
[2011/11/29 22:54:54 | 003,661,367 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\x x babez(1).mp3
[2011/11/29 07:59:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Michael\Desktop\dds.scr
[2011/11/29 07:54:59 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/27 13:12:24 | 001,547,774 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\tdsskiller.zip
[2011/11/27 13:07:02 | 001,008,114 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\rkill.com
[2011/11/27 13:01:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/11/27 12:59:06 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/11/27 12:54:04 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\HiJackThis.lnk
[2011/11/27 11:45:22 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF
[2011/11/26 23:46:24 | 000,076,800 | ---- | M] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/18 18:55:06 | 008,711,857 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\will.i.am, Nicki Minaj - Check It Out.mp3
[2011/11/18 18:51:37 | 006,408,902 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets.mp3
[2011/11/18 18:46:58 | 006,847,759 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets (Sam Reynolds Mashup Remix).mp3
[2011/11/18 18:44:43 | 007,078,473 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Inna - Hot (Official Video HD).mp3
[2011/11/18 18:43:39 | 008,642,476 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Avicii - Levels (HD) -- Without intro music.mp3
[2011/11/18 18:40:30 | 005,769,842 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Pitbull - Something For The DJs FULL 2011.mp3
[2011/11/17 21:57:33 | 001,575,751 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\The Gaa draft.mp3
[2011/11/17 21:55:03 | 003,789,761 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\The Gaa.mp3
[2011/11/17 21:45:42 | 000,821,585 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\5ths.mp3
[2011/11/17 21:43:44 | 003,661,367 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\x x babez.mp3
[2011/11/16 23:55:05 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\MBR.dat
[2011/11/13 17:13:53 | 002,340,279 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\CaptainBirdseye.mp3
[2011/11/08 20:56:16 | 000,294,400 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\exeHelper.com
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/07 19:24:02 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 22:26:37 | 000,003,377 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\attach.zip
[2011/12/06 21:06:56 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2011/12/06 20:42:11 | 084,358,288 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\avira_free_antivirus_en.exe
[2011/12/04 14:12:17 | 007,809,901 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Drake - Headlines (Explicit).mp3
[2011/12/04 13:15:53 | 005,893,140 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Drake - The Motto ft. Lil Wayne.mp3
[2011/11/29 23:03:59 | 002,817,171 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\HipHopScary.mp3
[2011/11/29 22:59:32 | 002,158,386 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\TooBeautiful.mp3
[2011/11/29 22:51:11 | 003,661,367 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\x x babez(1).mp3
[2011/11/27 13:12:18 | 001,547,774 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\tdsskiller.zip
[2011/11/27 13:06:56 | 001,008,114 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\rkill.com
[2011/11/27 12:33:32 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/11/27 11:44:11 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF
[2011/11/18 19:02:24 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Virtual DJ (DJConsole).lnk
[2011/11/18 18:54:22 | 008,711,857 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\will.i.am, Nicki Minaj - Check It Out.mp3
[2011/11/18 18:50:47 | 006,408,902 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets.mp3
[2011/11/18 18:46:10 | 006,847,759 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets (Sam Reynolds Mashup Remix).mp3
[2011/11/18 18:43:57 | 007,078,473 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Inna - Hot (Official Video HD).mp3
[2011/11/18 18:39:59 | 005,769,842 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Pitbull - Something For The DJs FULL 2011.mp3
[2011/11/18 18:35:11 | 008,642,476 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Avicii - Levels (HD) -- Without intro music.mp3
[2011/11/17 21:56:31 | 001,575,751 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\The Gaa draft.mp3
[2011/11/17 21:54:25 | 003,789,761 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\The Gaa.mp3
[2011/11/17 21:43:55 | 002,340,407 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\CaptainBirdseye(1).mp3
[2011/11/17 21:43:50 | 000,821,585 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\5ths.mp3
[2011/11/17 21:37:54 | 003,661,367 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\x x babez.mp3
[2011/11/16 23:55:05 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\MBR.dat
[2011/11/13 17:13:17 | 002,340,279 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\CaptainBirdseye.mp3
[2011/11/08 20:56:19 | 000,294,400 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\exeHelper.com
[2010/12/29 17:56:13 | 000,000,250 | ---- | C] () -- C:\WINDOWS\Cm106.ini.cfl
[2010/12/29 17:55:40 | 000,001,249 | ---- | C] () -- C:\WINDOWS\Cm106.ini.cfg
[2010/12/29 17:55:36 | 000,000,490 | ---- | C] () -- C:\WINDOWS\cm106.ini
[2010/12/29 17:55:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SSSAudioEQAndMicData.dat
[2010/12/25 11:10:54 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\UAExt.sys
[2010/05/24 19:33:00 | 004,670,829 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2010/05/24 19:33:00 | 001,529,856 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2010/05/24 19:33:00 | 001,447,921 | ---- | C] () -- C:\WINDOWS\System32\ffmpegmt.dll
[2010/05/24 19:33:00 | 000,877,385 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2010/05/24 19:33:00 | 000,810,113 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/05/24 19:33:00 | 000,336,384 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2010/05/24 19:33:00 | 000,324,096 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2010/05/24 19:33:00 | 000,248,320 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2010/05/24 19:33:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2010/05/24 19:33:00 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2010/05/24 19:33:00 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2010/05/24 19:33:00 | 000,139,944 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2010/05/24 19:33:00 | 000,121,856 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2010/05/24 19:33:00 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2010/05/24 19:33:00 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/05/24 19:33:00 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2010/05/24 19:33:00 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2010/05/19 20:59:20 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2010/05/19 20:59:10 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2010/05/19 20:59:02 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2010/05/19 20:58:52 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2010/05/19 20:58:24 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2010/05/19 20:58:18 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2010/05/19 20:58:08 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2010/05/19 20:57:42 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2010/05/19 20:57:38 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2010/05/19 20:57:26 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2010/05/19 20:57:20 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2010/05/19 20:55:40 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2010/05/19 20:55:36 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2010/03/08 15:20:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/31 10:31:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/11 21:21:26 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\ac3config.exe
[2009/07/10 19:22:53 | 000,076,800 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/08 23:00:50 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/06/07 16:24:04 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/05/30 17:14:42 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/05/01 12:37:35 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Michael_KBD.ini
[2009/04/04 00:42:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/12 19:44:36 | 000,307,200 | ---- | C] () -- C:\WINDOWS\SetDisplayResolution.exe
[2009/02/12 19:37:53 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2009/02/12 19:37:53 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2009/02/12 19:37:51 | 000,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2009/02/12 19:37:51 | 000,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2009/02/12 19:37:51 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2009/02/12 19:37:51 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2009/02/12 19:37:51 | 000,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2009/02/12 19:37:51 | 000,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2009/02/12 19:37:51 | 000,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2009/02/12 19:37:51 | 000,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2009/02/12 19:37:51 | 000,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2009/02/12 19:37:51 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2009/02/12 19:37:51 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2009/02/12 19:37:51 | 000,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2009/02/12 19:37:51 | 000,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2009/02/12 19:37:51 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2009/02/12 19:37:51 | 000,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2009/02/12 19:37:51 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2009/02/12 19:37:51 | 000,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2009/02/12 19:35:41 | 000,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/02/12 19:35:41 | 000,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/02/12 19:32:23 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/02/12 19:29:57 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\Marker.exe
[2009/02/12 19:29:56 | 000,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2009/02/12 19:28:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/02/12 19:23:52 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/02/12 18:06:19 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/02/12 18:05:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/02/12 18:05:39 | 000,312,172 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/02/12 18:05:39 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/02/12 18:05:39 | 000,040,394 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/02/12 18:05:39 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/02/12 18:05:38 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/02/12 18:05:38 | 000,004,486 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/02/12 18:05:38 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/02/12 18:05:37 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/02/12 18:05:37 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/02/12 18:05:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/02/12 18:05:31 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/02/12 11:18:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/02/12 11:17:50 | 000,134,072 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/10 22:15:44 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2008/11/06 15:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/17 13:20:08 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/10/13 09:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/02/27 00:49:12 | 006,139,774 | ---- | C] () -- C:\WINDOWS\imagine digital freedom.dat
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2011/12/07 19:16:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2010/10/28 23:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2011/01/11 17:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindSolutions
[2009/09/27 12:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/02/12 19:33:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLAN
[2009/06/10 17:34:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\MSNInstaller
[2010/10/28 23:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\NCH Swift Sound
[2009/06/09 18:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\OpenOffice.org
[2011/06/06 17:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Philipp Winterberg
[2010/10/27 21:58:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Pioneer
[2011/12/06 22:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\searchqutoolbar
[2011/02/10 21:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\uTorrent
[2011/01/11 17:08:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\WindSolutions
[2011/12/06 20:34:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005Core.job
[2011/12/06 20:34:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005UA.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF:SummaryInformation

< End of report >

_____________________________________________________________________________ooo

OTL Extras logfile created on: 07/12/2011 20:00:30 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Michael\Desktop
Windows 2000 Professional Edition (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1014.36 Mb Total Physical Memory | 389.56 Mb Available Physical Memory | 38.40% Memory free
2.39 Gb Paging File | 1.81 Gb Available in Paging File | 75.91% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 43.95 Gb Free Space | 61.87% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 65.83 Gb Free Space | 91.44% Space Free | Partition Type: NTFS

Computer Name: JACK | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Michael\gotomypc_438.exe" = C:\Documents and Settings\Michael\gotomypc_438.exe:*:Enabled:gotomypc_438 -- (Citrix Online, a division of Citrix Systems, Inc.)
"C:\Program Files\Atheros WLAN Client\Driver\athw.sys" = C:\Program Files\Atheros WLAN Client\Driver\athw.sys:*:Enabled:athw -- (Atheros Communications, Inc.)
"C:\Program Files\Samsung\Easy Network Manager\ENM.exe" = C:\Program Files\Samsung\Easy Network Manager\ENM.exe:*:Enabled:Samsung Easy Network Manager
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth
"C:\Program Files\Pioneer\rekordbox 1.3.1\PSvNFSd.exe" = C:\Program Files\Pioneer\rekordbox 1.3.1\PSvNFSd.exe:*:Enabled:ProDJ Link NFS Server
"C:\Program Files\Pioneer\rekordbox 1.3.1\Rekordbox.exe" = C:\Program Files\Pioneer\rekordbox 1.3.1\Rekordbox.exe:*:Enabled:rekordbox program file
"C:\Program Files\Pioneer\rekordbox 1.3.1\PSvLinkSysMgr.exe" = C:\Program Files\Pioneer\rekordbox 1.3.1\PSvLinkSysMgr.exe:*:Enabled:ProDJ Link System Manager
"C:\Program Files\Guillemot\tools\giWebUpdater.exe" = C:\Program Files\Guillemot\tools\giWebUpdater.exe:*:Enabled:Guillemot Web Updater -- (Guillemot Inc.)
"C:\Program Files\Java\jre6\bin\javaws.exe" = C:\Program Files\Java\jre6\bin\javaws.exe:*:Disabled:Java(TM) Web Start Launcher -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe" = C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe:*:Enabled:Facebook Video Calling Plugin -- (Skype Limited)
"C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\dtUser.exe" = C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\dtUser.exe:*:Enabled:DTX broker -- (Visicom Media Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution III
"{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D7CE340-70C3-4848-BCCF-215950328A4C}" = Facebook Video Calling 1.0.0.8953
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 19
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}" = Samsung Magic Doctor
"{33999F1F-EA46-4E55-A239-1BA803235396}" = Hercules DJ Products Series drivers
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46AA30DF-ED7B-438a-9462-60AB9A6D57E4}" = TheWorld Browser 3.0 Final
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5CBB720F-08E6-4043-B83F-76C277AF6DE7}" = Samsung Wallpaper
"{5CF6EEE9-86B1-3DB6-A07C-8F6C079C39BA}" = Google Talk Plugin
"{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Samsung Battery Manager
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71A51B59-E7D3-11DB-A386-005056C00008}" = Namuga 1.3M Webcam
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B46F9CF-CF60-492E-816E-95EB1A9D1BB4}" = Play Camera
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}" = QuickTime
"{8E106A57-A17E-431D-B48F-175E42EB9F74}" = imagine digital freedom - Samsung
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{A5F483F0-2D79-4FCA-AE09-D0D96E23EBF7}" = Samsung Update Plus
"{A7581D39-EA20-4883-A480-80C21047052B}" = Easy Network Manager
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{ABB14904-A11B-4F42-996C-80FD608A0F17}" = Samsung EDS
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide
"{BD723E53-A42C-4702-AA04-1D74A0311590}" = Magic Keyboard
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F41D14-E0DD-4FB4-AA09-A14225C769BD}" = Atheros WLAN Client
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"Generic USB 106 Sound" = USB Multi-Channel Audio Device
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{7B46F9CF-CF60-492E-816E-95EB1A9D1BB4}" = Play Camera
"InstallShield_{A5F483F0-2D79-4FCA-AE09-D0D96E23EBF7}" = Samsung Update Plus
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Marvell Miniport Driver" = Marvell Miniport Driver
"Media Player - Codec Pack" = Media Player Codec Pack 3.9.6
"Mozilla Firefox 8.0 (x86 en-GB)" = Mozilla Firefox 8.0 (x86 en-GB)
"Searchqu Toolbar" = Windows Searchqu Toolbar
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Virtual DJ - Atomix Productions" = Virtual DJ - Atomix Productions
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CopyTrans Suite" = CopyTrans Suite Remove Only
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 27/11/2011 09:03:46 | Computer Name = MIKE | Source = Service Control Manager | ID = 7031
Description = The AVG Free8 WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 27/11/2011 19:01:23 | Computer Name = MIKE | Source = NetBT | ID = 4321
Description = The name "MIKE :0" could not be registered on the Interface
with IP address 192.168.1.89. The machine with the IP address 192.168.1.22 did not
allow the name to be claimed by this machine.

Error - 27/11/2011 19:01:24 | Computer Name = MIKE | Source = NetBT | ID = 4321
Description = The name "MIKE :20" could not be registered on the Interface
with IP address 192.168.1.89. The machine with the IP address 192.168.1.22 did not
allow the name to be claimed by this machine.

Error - 27/11/2011 19:01:24 | Computer Name = MIKE | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{0FEAA65E-B36D-4070-A6F7-E3FEC90F45F3}
because another computer on the network has the same name. The server could not
start.

Error - 29/11/2011 03:53:26 | Computer Name = JACK | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.89 on
the Network Card with network address 00242C1D208C.

Error - 29/11/2011 18:24:17 | Computer Name = JACK | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.89 on
the Network Card with network address 00242C1D208C.

Error - 01/12/2011 19:21:22 | Computer Name = JACK | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.89 on
the Network Card with network address 00242C1D208C.

Error - 02/12/2011 03:53:39 | Computer Name = JACK | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.89 on
the Network Card with network address 00242C1D208C.

Error - 03/12/2011 15:05:52 | Computer Name = JACK | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.89 on
the Network Card with network address 00242C1D208C.

Error - 04/12/2011 08:24:58 | Computer Name = JACK | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.89 on
the Network Card with network address 00242C1D208C.

[ Application Events ]
Error - 09/01/2011 12:59:08 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:15 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:19 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:21 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:25 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:28 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:30 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:32 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 12:59:52 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 09/01/2011 13:00:14 | Computer Name = MIKE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established


< End of report >
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

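The log above is raw OTL output; when reading a few hundred of these lines by hand it helps to have the two line layouts parsed and a handful of review heuristics run over them. The script below is an added example, not part of the original post and not OTL's own code. The file and ADS line formats are the ones visible in the log; the name patterns are the ones the helper asks SystemLook to search for in the reply that follows; the remaining rules (executable extensions inside a user profile, double executable extensions, a kernel driver with no company name, any alternate data stream other than Zone.Identifier) are this example's own assumptions and only mark entries for manual review, they do not declare anything malicious. The sample lines are copied from the log above.

```python
"""Triage of OTL "Files Created/Modified" and ADS lines.

Added example; not part of the original post and not OTL's own code. The
two line layouts are those visible in the log above. The name patterns are
the ones the helper later hands to SystemLook; the other heuristics are
this example's assumptions and only mark entries for manual review.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional

# [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# The "(Company)" part is absent on the LOP Check directory lines.
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# @Alternate Data Stream - N bytes -> path:stream
OTL_ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$"
)

# Name fragments the reply asks SystemLook to search for (:filefind).
SYSTEMLOOK_PATTERNS = ("*Fun4IM*", "*Bandoo*", "*Searchqu*", "*iLivid*",
                       "*whitesmoke*", "*datamngr*", "*trolltech*")
# Assumption: extensions Windows runs directly when double-clicked.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}
PROFILE_ROOT = "c:\\documents and settings\\"
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

R_PATTERN = "matches a SystemLook search pattern"
R_DOUBLE = "double executable extension"
R_DRIVER = "kernel driver with no company name"


@dataclass
class OtlFile:
    ts: datetime
    size: int
    attrs: str      # e.g. "----", "-H--", "---D" (directory)
    kind: str       # "C" = created, "M" = modified
    company: str    # empty when OTL printed "()"
    path: str


@dataclass
class Finding:
    path: str
    reason: str


def parse_file_line(line: str) -> Optional[OtlFile]:
    """Parse one OTL file/directory line; None for anything else."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlFile(
        ts=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=(m.group("company") or "").strip(),
        path=m.group("path"),
    )


def triage_file(f: OtlFile) -> List[Finding]:
    """Apply the review heuristics to one parsed file line."""
    low = f.path.lower()
    name = low.rsplit("\\", 1)[-1]
    exts = ["." + p for p in name.split(".")[1:]]
    out: List[Finding] = []
    if any(fnmatchcase(low, p.lower()) for p in SYSTEMLOOK_PATTERNS):
        out.append(Finding(f.path, R_PATTERN))
    if low.startswith(PROFILE_ROOT) and exts and exts[-1] in EXEC_EXTS:
        out.append(Finding(f.path, f"executable {exts[-1]} file in a user profile"))
    if len(exts) >= 2 and exts[-2] in EXEC_EXTS and exts[-1] in EXEC_EXTS:
        out.append(Finding(f.path, R_DOUBLE))
    if low.startswith(DRIVER_DIR) and exts and exts[-1] == ".sys" and not f.company:
        out.append(Finding(f.path, R_DRIVER))
    return out


def triage_ads(line: str) -> List[Finding]:
    """Report any alternate data stream except the mark-of-the-web one."""
    m = OTL_ADS_RE.match(line.strip())
    if not m:
        return []
    if m.group("stream").lower() == "zone.identifier":
        return []   # the normal "downloaded from the Internet" marker
    return [Finding(m.group("path"),
                    f"alternate data stream {m.group('stream')} ({m.group('bytes')} bytes)")]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every heuristic over a block of OTL output."""
    findings: List[Finding] = []
    for line in lines:
        f = parse_file_line(line)
        findings.extend(triage_file(f) if f else triage_ads(line))
    return findings


# Sample input: lines copied from the OTL log above.
SAMPLE_LINES = [
    r"[2011/11/27 12:59:06 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys",
    r"[2011/11/27 11:45:22 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF",
    r"[2011/11/18 18:55:06 | 008,711,857 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\will.i.am, Nicki Minaj - Check It Out.mp3",
    r"[2011/11/27 13:06:56 | 001,008,114 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\rkill.com",
    r"[2009/02/12 19:37:51 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI",
    r"[2011/12/06 22:25:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\searchqutoolbar",
    r"[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]",
    r"@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF:SummaryInformation",
]

if __name__ == "__main__":
    for fd in triage(SAMPLE_LINES):
        print(f"{fd.reason:45s} {fd.path}")
```

Run it on a saved OTL.txt by feeding the file's lines to `triage()`. Expect noise: the profile rule also flags the removal tools the poster downloaded (rkill.com, exeHelper.com), which is the point of a review list rather than a verdict; the person reading the log decides, the script only narrows what to read.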
Re: recurring zbot,g virus again

Unread postby mambass » December 8th, 2011, 5:37 pm

Hi swiiper, :)

It appears that you've picked up the Searchqu infection. I strongly suggest that you do not click on the iLivid toolbar, Bandoo or Searchqu. Your computer may become impossible to fix if you keep loading things of this nature.

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Download SystemLook
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    Find the icon on your desktop so you'll know where to look later.
    Do not run the program at this time.

  2. Backup Your Registry with ERUNT
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to your Desktop. It will create a new folder.
    • Inside the new folder double click ERUNT.exe.
    • OK all the prompts to back up your registry to the default location.
    Note: If you ever need to restore your registry later, you would go to the default backup folder and start ERDNT.exe
    (The default backup folder is C:\Windows\ERDNT\ and the backups are saved according to date stamp)

  3. Run the Searchqu OTL Fix
    Please right-click on the filename link below and select "Save target as..." or "Save Link as...", choose the Desktop location, and choose to save as the filename: Fix.txt

    SQWinXP_x32.TXT

    Double Click the OTL icon on your Desktop
    • Click the Run Fix button at the top.
    • You will see a popup dialog reporting "No fix has been provided. Click OK to load from a file or Cancel". Click on OK
    • When the Open dialog comes up, Navigate to the Desktop, scroll to find the file named Fix.txt and click Open
    • Some text will appear in the Custom scans/Fixes box.
    • Click the Run Fix button.
    • Let the program run unhindered and reboot the PC when it is done.
      When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    • Copy the contents of that file and post it in your next reply. The file will also appear on your desktop as OTL.txt

  4. Run SystemLook
    • Double-click SystemLook.exe to run it.
    • Copy and paste the contents of the following codebox into the main textfield (do not include the word code:):
      Code:
      :filefind
      *Fun4IM*
      *Bandoo*
      *Searchqu*
      *iLivid*
      *whitesmoke*
      *datamngr*
      *trolltech*
      
      :folderfind
      *Fun4IM*
      *Bandoo*
      *Searchqu*
      *iLivid*
      *whitesmoke*
      *datamngr*
      *trolltech*
      *boost_interprocess*
      *utorrent*
      
      :Regfind
      Fun4IM
      Bandoo
      Searchqu
      iLivid
      whitesmoke
      datamngr
      kelkoopartners
      trolltech
       
    • Click the Look button to start the scan.
      Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL.txt log.
  3. The contents of the SystemLook.txt log.
  4. After posting your reply message, please verify that the last line of the last report is present in the post. If any log is cut off then please post the logs in sections.


mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am
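
The SystemLook script in step 4 is a small directive language: each `:filefind` and `:folderfind` line is a DOS-style wildcard matched against a file or folder *name* (not the full path), and each `:Regfind` line is a plain case-insensitive substring searched through registry key paths, value names and value data. The example below is added here and is not part of the original post, not mambass's code and not SystemLook's own source; it re-implements those three searches in Python so the same script can be run offline over plain-text listings. It assumes (this is not stated anywhere in the thread) that the listings were produced on the affected machine with `dir /s /b /a-d`, `dir /s /b /ad` and `reg query ... /s`, and the sample paths and registry lines inside it are constructed for the example, not taken from swiiper's logs.

```python
"""Offline equivalent of the three SystemLook directives used in the post."""
import fnmatch
import re
from typing import Dict, List

# The directive script exactly as given in step 4 of the post.
SYSTEMLOOK_SCRIPT = """
:filefind
*Fun4IM*
*Bandoo*
*Searchqu*
*iLivid*
*whitesmoke*
*datamngr*
*trolltech*

:folderfind
*Fun4IM*
*Bandoo*
*Searchqu*
*iLivid*
*whitesmoke*
*datamngr*
*trolltech*
*boost_interprocess*
*utorrent*

:Regfind
Fun4IM
Bandoo
Searchqu
iLivid
whitesmoke
datamngr
kelkoopartners
trolltech
"""


def parse_script(text: str) -> Dict[str, List[str]]:
    """Split a SystemLook script into {directive: [patterns]}.
    Directive names are case-insensitive (':Regfind' == ':regfind');
    blank lines are ignored, patterns keep their order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _compile(patterns: List[str]) -> List[re.Pattern]:
    # Wildcards are matched against a name, not a path, so an anchored
    # regex from fnmatch.translate plus IGNORECASE reproduces the behaviour.
    return [re.compile(fnmatch.translate(p), re.IGNORECASE) for p in patterns]


def _leaf(path: str) -> str:
    """Last component of a Windows path ('C:\\a\\b\\' -> 'b')."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def filefind(patterns: List[str], files: List[str]) -> List[str]:
    regs = _compile(patterns)
    return [p for p in files if any(r.match(_leaf(p)) for r in regs)]


def folderfind(patterns: List[str], folders: List[str]) -> List[str]:
    regs = _compile(patterns)
    return [p for p in folders if any(r.match(_leaf(p)) for r in regs)]


def regfind(terms: List[str], reg_lines: List[str]) -> List[str]:
    # :Regfind is a substring search, so no wildcard handling here.
    needles = [t.lower() for t in terms]
    return [ln for ln in reg_lines if any(n in ln.lower() for n in needles)]


def run_script(script: str, files: List[str], folders: List[str],
               reg_lines: List[str]) -> Dict[str, List[str]]:
    s = parse_script(script)
    return {
        "filefind": filefind(s.get("filefind", []), files),
        "folderfind": folderfind(s.get("folderfind", []), folders),
        "regfind": regfind(s.get("regfind", []), reg_lines),
    }


# Constructed sample listings (hypothetical, not from the thread's logs).
SAMPLE_FILES = [
    r"C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll",
    r"C:\Program Files\Windows Searchqu Toolbar\Datamngr\IEBHO.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\Owner\Local Settings\Application Data\iLivid\iLivid.exe",
    r"C:\Program Files\Java\jre6\bin\jqs.exe",
]
SAMPLE_FOLDERS = [
    r"C:\Program Files\Windows Searchqu Toolbar",
    r"C:\Program Files\Windows Searchqu Toolbar\Datamngr",
    r"C:\Program Files\Java",
    r"C:\Documents and Settings\Owner\Application Data\uTorrent",
]
SAMPLE_REG = [  # shaped like 'reg query ... /s' output
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu Toolbar",
    r"    DisplayName    REG_SZ    Windows Searchqu Toolbar",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
    r"    Start Page    REG_SZ    http://www.searchqu.com/",
]

if __name__ == "__main__":
    for section, hits in run_script(SYSTEMLOOK_SCRIPT, SAMPLE_FILES,
                                    SAMPLE_FOLDERS, SAMPLE_REG).items():
        print(f"[{section}] {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Note what the sample shows about why the script searches three ways: `IEBHO.dll` has an innocent name and is never returned by `:filefind`, but the `Datamngr` folder that contains it is returned by `:folderfind`, and the Uninstall key and the changed Internet Explorer start page surface only through `:Regfind`. Reading any one of the three alone would leave part of the installation unseen.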

Re: recurring zbot,g virus again

Unread postby swiiper » December 9th, 2011, 5:35 am

"It appears that you've picked up the Searchqu infection. I strongly suggest that you do not click on the iLivid toolbar, Bandoo or Searchqu. Your computer may become impossible to fix if you keep loading things of this nature."

Mambass - what a strange statement to make! You make it sound like we have installed these things on purpose. I can assure you we have not, and there is no toolbar for iLivid or anything else visible to click on. Nor does the computer display any of the annoying characteristics that Searchqu would throw up, such as an overly slow connection or constant pop-ups.

I will follow your instructions when next at the infected computer which will either be this evening or tomorrow evening.
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm