Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


recurring zbot,g virus again


Re: recurring zbot,g virus again

Unread postby swiiper » December 12th, 2011, 4:38 pm

Hi - fix.txt is not hyperlinked in your post - can you post again please?
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby mambass » December 12th, 2011, 4:52 pm

Hi swiiper,

The "filename link below" to which I referred in Step III is labeled SQWinXP_x32.TXT.

Please save that file to your Desktop with filename Fix.txt.

mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Unread postby swiiper » December 12th, 2011, 5:34 pm

The SystemLook tool crashed but still generated the log posted at the bottom here.



All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~1\wi371a~1\datamngr\datamngr.dll deleted successfully.
File pInit_DLLs: not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~1\wi371a~1\datamngr\iebho.dll deleted successfully.
File pInit_DLLs: not found.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_CURRENT_USER\Software\DataMngr_Toolbar\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\iLivid\ not found.
Registry key HKEY_CURRENT_USER\Software\AppDataLow\Software\searchqutoolbar\ not found.
Registry key HKEY_CURRENT_USER\Software\DataMngr\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Searchqu 406 MediaBar\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\menuorder\start menu2\programs\bandoo\ not found.
Registry key HKEY_CURRENT_USER\Software\Trolltech\ not found.
Registry key HKEY_CURRENT_USER\Software\ilivid\ not found.
Registry key HKEY_CURRENT_USER\Software\searchqutoolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Bandoo\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BandooCore.EXE\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iLividSetupV1.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.BandooCore\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{477F210A-2A86-4666-9C4B-1189634D2C84}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF871E51-2655-4D06-AED5-745962A96B32}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}\1.0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7f000001-db8e-f89c-2fec-49bf726f8c12}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9189560-573A-4fde-B055-AE7B0F4CF080}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A96AF9E-4074-43b7-BEA3-87217BDA7406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\ilivid.exe\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SetupDataMngr_searchqu_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Windows Searchqu Toolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\SearchquMediabarTb\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27f69c85-64e1-43ce-98b5-3c9f22fb408e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{b543ef05-9758-464e-9f37-4c28525b4a4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b543ef05-9758-464e-9f37-4c28525b4a4c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{8f5f1cb6-ea9e-40af-a5ca-c7fd63cc1971}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\app management\arpcache\searchqu 406 mediabar\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{a40dc6c5-79d0-4ca8-a185-8ff989af1115}\inprocserver32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{cc1ac828-bb47-4361-afb5-96eee259dd87}\inprocserver32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{fefd3af5-a346-4451-aa23-a3ad54915515}\inprocserver32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{5b4144e1-b61d-495a-9a50-cd1a95d86d15}\1.0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{6a4bcaba-c437-4c76-a54e-af31b8a76cb9}\1.0\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{841d5a49-e48d-413c-9c28-eb3d9081d705}\1.0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\internet explorer\low rights\elevationpolicy\{d0a4be92-2216-42db-ab35-d72efb9f0176}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0a4be92-2216-42db-ab35-d72efb9f0176}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\shared tools\msconfig\startupreg\datamngr\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0EDE4701-347A-45E0-81F0-D81D9F69BBFB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EDE4701-347A-45E0-81F0-D81D9F69BBFB}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E743B1-DFF5-4DCF-8CD5-9AAFD552B290}\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\\C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs deleted successfully.
========== FILES ==========
File\Folder C:\Program Files\Windows iLivid Toolbar not found.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\components folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\searchbar folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\options folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton\panels\images folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton\panels folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton\icons folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\weatherbutton folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\uwa folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\radio\images folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\radio\css folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\radio folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\images folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default\scripts folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default\images folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default\css folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\default folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels\css folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib\panels folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\lib folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\widgets\net.vmn.www.PPCBully folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\widgets folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\modules folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\lib folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\data\search folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\data folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\content folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar\Datamngr folder moved successfully.
C:\Program Files\Windows Searchqu Toolbar folder moved successfully.
File\Folder C:\Program Files\iLivid not found.
File\Folder C:\Windows\Prefetch\ILIVID* not found.
C:\Windows\Prefetch\SEARCHQUMEDIABAR.EXE-06AE37CC.pf moved successfully.
File\Folder C:\Windows\Prefetch\SETUPDATAMNGR* not found.
File\Folder C:\Program Files\mozilla firefox\searchplugins\SearchquWebSearch.xml not found.
File/Folder C:\Documents and Settings\Michael\Application Data\searchquband not found.
C:\Documents and Settings\Michael\Application Data\searchqutoolbar folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49554 bytes

User: Michael
->Temp folder emptied: 184442892 bytes
->Temporary Internet Files folder emptied: 132751089 bytes
->Java cache emptied: 51097704 bytes
->FireFox cache emptied: 397793519 bytes
->Google Chrome cache emptied: 281205817 bytes
->Flash cache emptied: 342195 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18686628 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 42613013 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1281885909 bytes

Total Files Cleaned = 2,280.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 12122011_211120

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
_____________________________________________________________ooo

SystemLook 30.07.11 by jpshortstuff
Log created at 21:28 on 12/12/2011 by Michael
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fun4IM*"
No files found.

Searching for "*Bandoo*"
C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\bandoocode.js --a---- 27324 bytes [13:37 31/10/2011] [13:37 31/10/2011] C4F2571481A116A0C24C9644F0E4B4F5
C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\lib\bandoocode.js --a---- 33963 bytes [13:37 31/10/2011] [13:37 31/10/2011] 11363D5ADC24F5BBC44C678BE8A29FCC
C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\skin\bandoo.css --a---- 8308 bytes [13:37 31/10/2011] [13:37 31/10/2011] D98167EFDC45E8EC6F4769791A15CE36
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\bandoocode.js --a---- 27324 bytes [13:37 31/10/2011] [13:37 31/10/2011] C4F2571481A116A0C24C9644F0E4B4F5
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\lib\bandoocode.js --a---- 33963 bytes [13:37 31/10/2011] [13:37 31/10/2011] 11363D5ADC24F5BBC44C678BE8A29FCC
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\skin\bandoo.css --a---- 8308 bytes [13:37 31/10/2011] [13:37 31/10/2011] D98167EFDC45E8EC6F4769791A15CE36

Searching for "*Searchqu*"
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchquband.dll --a---- 449424 bytes [13:37 31/10/2011] [13:37 31/10/2011] 39ECB144372B2ED7B1B91A1E63D3F275
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll --a---- 88976 bytes [13:37 31/10/2011] [13:37 31/10/2011] AD14E447F7CED4CA987B91B379EAF952
C:\_OTL\MovedFiles\12122011_211120\C_Windows\Prefetch\SEARCHQUMEDIABAR.EXE-06AE37CC.pf --a---- 43614 bytes [22:25 06/12/2011] [22:25 06/12/2011] DC8B285F97C0CF9A0BE33C615C3B9F8C

Searching for "*iLivid*"
No files found.

Searching for "*whitesmoke*"
No files found.

Searching for "*datamngr*"
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll --a---- 1236368 bytes [22:25 06/12/2011] [07:58 13/11/2011] 232FF2E508B8F1E29BA7F9D96EA5A034
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe --a---- 1694608 bytes [22:25 06/12/2011] [07:58 13/11/2011] 93294DC9C849B61738C1EBCD9C5ED72C
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlp.dll --a---- 351232 bytes [22:25 06/12/2011] [14:38 02/08/2011] 4D9F92DF1AA8AA39F7645C27D6E7CB1A
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlp.xpt --a---- 978 bytes [22:25 06/12/2011] [07:57 13/11/2011] 0CE6DC5C1FB9591A1973586DDDCBEAEB
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF3.dll --a---- 355840 bytes [22:25 06/12/2011] [07:56 13/11/2011] 150F3C14A5CD3672B4AD6F55461C35B4
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF4.dll --a---- 351744 bytes [22:25 06/12/2011] [07:57 13/11/2011] 2E66ACFB6F2FACD347F0C25DAC9CAE47
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF5.dll --a---- 351744 bytes [22:25 06/12/2011] [07:57 13/11/2011] 1E41F9CF786ED9C8DD5A964B6B882CC3
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF6.dll --a---- 351744 bytes [22:25 06/12/2011] [07:57 13/11/2011] 7525EA8E07E5AAFB67EB72CE0A8F42AF
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF7.dll --a---- 351744 bytes [22:25 06/12/2011] [07:58 13/11/2011] 14E9F51B03046AB91695C7FE4308A409
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\FirefoxExtension\content\DataMngr.js --a---- 16184 bytes [22:25 06/12/2011] [06:50 25/10/2011] 74EA142FA2CF77FA2306892E2B45FA13

Searching for "*trolltech*"
No files found.

========== folderfind ==========

Searching for "*Fun4IM*"
No folders found.

Searching for "*Bandoo*"
No folders found.

Searching for "*Searchqu*"
C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\searchqutoolbar d------ [22:25 06/12/2011]
C:\_OTL\MovedFiles\12122011_211120\C_Documents and Settings\Michael\Application Data\searchqutoolbar d------ [22:25 06/12/2011]
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar d------ [21:12 12/12/2011]

Searching for "*iLivid*"
No folders found.

Searching for "*whitesmoke*"
No folders found.

Searching for "*datamngr*"
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr d------ [21:12 12/12/2011]

Searching for "*trolltech*"
No folders found.

Searching for "*boost_interprocess*"
C:\Documents and Settings\All Users\Application Data\boost_interprocess d------ [22:25 06/12/2011]

Searching for "*utorrent*"
C:\Documents and Settings\Michael\Application Data\uTorrent d------ [01:36 09/01/2011]

========== Regfind ==========

Searching for "Fun4IM"
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm
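The two logs above are the evidence a helper works from: the OTL fix log says which targets were actually deleted or moved versus "not found", and the SystemLook filefind output lists every matching file with its size, timestamps and MD5. As an added example (not code from OTL, SystemLook, or either participant in this thread), here is a small Python parser for both formats that turns them into structured records and then cross-checks the hashes: a file whose MD5 also appears under the C:\_OTL\MovedFiles quarantine but which still lives outside it is a copy the fix did not reach. The sample lines are copied from the logs posted above; the quarantine prefix is taken from those log paths, and the record types and function names are this example's own.

```python
"""Parse OTL fix logs and SystemLook filefind output into structured records.

Added example for this thread; it is not part of OTL, SystemLook or the
MalwareRemoval.com instructions. Sample lines below are copied from the logs
posted in the thread.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class OtlAction:
    section: str   # OTL, REGISTRY, FILES (from the "========== X ==========" headers)
    kind: str      # "Registry key", "Registry value", "File\\Folder", or "" for bare paths
    target: str    # the key, value or path OTL acted on
    verdict: str   # "deleted successfully", "not found", "folder moved successfully", ...


@dataclass
class FileHit:
    path: str
    size: int
    timestamps: List[str]  # the two bracketed stamps, kept in the order SystemLook prints them
    md5: str


SECTION = re.compile(r"^=+\s*(?P<name>\w+)\s*=+$")
OTL_LINE = re.compile(
    r"^(?P<kind>Registry key|Registry value|File[\\/]Folder)?\s*"
    r"(?P<target>.+?)\s+"
    r"(?P<verdict>deleted successfully|not found|folder moved successfully|moved successfully)\.$"
)
FILEFIND = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<t1>[^\]]+)\]\s+\[(?P<t2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_otl_log(text: str) -> List[OtlAction]:
    """Extract one OtlAction per result line; header and chatter lines are skipped."""
    actions, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = OTL_LINE.match(line)
        if m:
            actions.append(OtlAction(section, m.group("kind") or "",
                                     m.group("target"), m.group("verdict")))
    return actions


def parse_filefind(text: str) -> List[FileHit]:
    """Extract FileHit records from SystemLook filefind lines (folderfind lines carry no MD5 and are ignored)."""
    hits = []
    for raw in text.splitlines():
        m = FILEFIND.match(raw.strip())
        if m:
            hits.append(FileHit(m.group("path"), int(m.group("size")),
                                [m.group("t1"), m.group("t2")], m.group("md5").upper()))
    return hits


def verdict_counts(actions: List[OtlAction]) -> Counter:
    """How many targets were really removed versus already absent."""
    return Counter(a.verdict for a in actions)


def surviving_copies(hits: List[FileHit], quarantine_prefix: str = r"C:\_OTL\MovedFiles") -> Dict[str, List[str]]:
    """Map MD5 -> live paths for files that OTL quarantined but that still exist elsewhere."""
    by_md5 = defaultdict(list)
    for h in hits:
        by_md5[h.md5].append(h)
    prefix = quarantine_prefix.lower()
    out: Dict[str, List[str]] = {}
    for md5, group in by_md5.items():
        quarantined = [h for h in group if h.path.lower().startswith(prefix)]
        live = [h.path for h in group if not h.path.lower().startswith(prefix)]
        if quarantined and live:
            out[md5] = live
    return out


# Sample input: lines copied from the OTL fix log and SystemLook output posted in the thread.
OTL_SAMPLE = r"""All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~1\wi371a~1\datamngr\datamngr.dll deleted successfully.
File pInit_DLLs: not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\DataMngr_Toolbar\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Bandoo\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR deleted successfully.
========== FILES ==========
File\Folder C:\Program Files\iLivid not found.
C:\Program Files\Windows Searchqu Toolbar\Datamngr folder moved successfully.
C:\Windows\Prefetch\SEARCHQUMEDIABAR.EXE-06AE37CC.pf moved successfully.
"""

FILEFIND_SAMPLE = r"""Searching for "*Bandoo*"
C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\bandoocode.js --a---- 27324 bytes [13:37 31/10/2011] [13:37 31/10/2011] C4F2571481A116A0C24C9644F0E4B4F5
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\chrome\content\bandoocode.js --a---- 27324 bytes [13:37 31/10/2011] [13:37 31/10/2011] C4F2571481A116A0C24C9644F0E4B4F5
C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchquband.dll --a---- 449424 bytes [13:37 31/10/2011] [13:37 31/10/2011] 39ECB144372B2ED7B1B91A1E63D3F275
"""

if __name__ == "__main__":
    acts = parse_otl_log(OTL_SAMPLE)
    print(dict(verdict_counts(acts)))
    for md5, paths in surviving_copies(parse_filefind(FILEFIND_SAMPLE)).items():
        print(md5, "still present at:", *paths, sep="\n  ")
```

Run against the full logs, `surviving_copies` flags the bandoocode.js and bandoo.css copies inside the Firefox profile's extensions folder, which is exactly the location the follow-up fix in the next post targets; the verdict counts make it obvious at a glance how much of a fix script hit live targets and how much was already gone.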

Re: recurring zbot,g virus again

Unread postby mambass » December 14th, 2011, 9:25 am

Hi swiiper,

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Remove Programs Using Control Panel
    From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
    Highlight each Entry, as follows, one by one, if it exists, and choose Remove.

    J2SE Runtime Environment 5.0
    Java Auto Updater
    Java(TM) 6 Update 19

    Take extra care in answering questions posed by any Uninstaller.

  2. Reboot (restart) your computer

  3. Backup Your Registry with ERUNT
    • Double click ERUNT.exe inside the ERUNT folder on your Desktop to run the program.
    • OK all the prompts to back up your registry to the default location.
    Note: If you ever need to restore your registry later, you would go to the default backup folder and start ERDNT.exe
    (The default backup folder is C:\Windows\ERDNT\ and the backups are saved according to date stamp)

  4. Perform a Custom Fix with OTL
    • Double-click the OTL icon on your Desktop to run the program.
    • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code:
      :processes
      killallprocesses
      
      :OTL
      IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/102
      FF - prefs.js..browser.search.defaultenginename: "Search Results"
      FF - prefs.js..browser.search.order.1: "Search Results"
      FF - prefs.js..browser.search.selectedEngine: "Search Results"
      FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/102"
      FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
      O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
      O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
      O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
      O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
      O4 - HKLM..\Run: [] File not found
      O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
      O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
      O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
      O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
      [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF: SummaryInformation
      
      :Reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
      "C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\dtUser.exe"=-
      
      :Files
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\searchplugins\Search_Results.xml
      C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
      C:\Documents and Settings\Michael\Application Data\searchqutoolbar
      C:\Documents and Settings\All Users\Application Data\boost_interprocess
      C:\Program Files\Windows Searchqu Toolbar
      C:\Documents and Settings\Michael\Application Data\searchqutoolbar
      C:\Program Files\Windows Searchqu Toolbar
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\bandoocode.js
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\lib\bandoocode.js
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\skin\bandoo.css
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\searchqutoolbar
      C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr
      C:\Documents and Settings\All Users\Application Data\boost_interprocess
      C:\Documents and Settings\Michael\Application Data\uTorrent
      
      :Commands
      [EMPTYTEMP]
      [CREATERESTOREPOINT]
       
    • Then click the Run Fix button at the top.
    • Let the program run unhindered and reboot the PC when it is done.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


  5. Download and Install Java Runtime Environment
    Go to http://www.oracle.com/technetwork/java/javase/downloads/index.html
    Find the section labeled Java SE 7u1 and click on the JRE Download button. (DO NOT click the JDK Download button).
    Click the Accept License Agreement option.
    Find the Windows x86 Offline entry, click the jre-7u1-windows-i586.exe link and save the installer on your Desktop.
    Double-click the jre-7u1-windows-i586.exe icon on your Desktop and it will install the newest version of Java for you to use.
    During the Installation, be sure to UNCHECK any offer for McAfee Security Scan Plus. It's just adware.
    When it finishes, you can remove the Installer from your desktop.

  6. Rkill
    • Double-click on the Rkill desktop icon to run the tool.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

  7. Run SystemLook
    • Double-click SystemLook.exe to run it.
    • Copy and paste the contents of the following codebox into the main textfield (do not include the word code:):
      Code:
      :Regfind
      Fun4IM
      Bandoo
      Searchqu
      iLivid
      whitesmoke
      datamngr
      kelkoopartners
      trolltech
       
    • Click the Look button to start the scan.
      Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL.txt log.
  3. The contents of the SystemLook.txt log.
  4. After posting your reply message, please verify that the last line of the last report is present in the post. If any log is cut off then please post the logs in sections.


mambass

Re: recurring zbot,g virus again

Unread postby swiiper » December 15th, 2011, 11:09 am

J2SE Runtime Environment 5.0
Java Auto Updater
Java(TM) 6 Update 19

First one uninstalled ok
Second one doesn't exist
Third one would not uninstall - message: fatal error during installation

I didn't proceed any further
swiiper

Re: recurring zbot,g virus again

Unread postby swiiper » December 15th, 2011, 11:24 am

Update:
I tried rebooting and uninstalling again but got the same message
swiiper

Re: recurring zbot,g virus again

Unread postby mambass » December 16th, 2011, 4:50 pm

Hi swiiper,

Thank you for letting me know about the problem uninstalling Java. That's not uncommon.

Please ignore the previous instructions. I've made a couple of adjustments in the instructions below.

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Backup Your Registry with ERUNT
    • Double click ERUNT.exe inside the ERUNT folder on your Desktop to run the program.
    • OK all the prompts to back up your registry to the default location.
    Note: If you ever need to restore your registry later, you would go to the default backup folder and start ERDNT.exe
    (The default backup folder is C:\Windows\ERDNT\ and the backups are saved according to date stamp)

  2. Perform a Custom Fix with OTL
    • Double-click the OTL icon on your Desktop to run the program.
    • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code:
      :processes
      killallprocesses
      
      :OTL
      IE - HKU\S-1-5-21-3870564424-1140265585-552937611-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/102
      FF - prefs.js..browser.search.defaultenginename: "Search Results"
      FF - prefs.js..browser.search.order.1: "Search Results"
      FF - prefs.js..browser.search.selectedEngine: "Search Results"
      FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/102"
      FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
      O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
      O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
      O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
      O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
      O4 - HKLM..\Run: [] File not found
      O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
      O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_19)
      O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
      O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
      [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF: SummaryInformation
      
      :Reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
      "C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\dtUser.exe"=-
      
      :Files
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\searchplugins\Search_Results.xml
      C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
      C:\Documents and Settings\Michael\Application Data\searchqutoolbar
      C:\Documents and Settings\All Users\Application Data\boost_interprocess
      C:\Program Files\Windows Searchqu Toolbar
      C:\Documents and Settings\Michael\Application Data\searchqutoolbar
      C:\Program Files\Windows Searchqu Toolbar
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\bandoocode.js
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\content\lib\bandoocode.js
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}\chrome\skin\bandoo.css
      C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\searchqutoolbar
      C:\_OTL\MovedFiles\12122011_211120\C_Program Files\Windows Searchqu Toolbar\Datamngr
      C:\Documents and Settings\All Users\Application Data\boost_interprocess
      C:\Documents and Settings\Michael\Application Data\uTorrent
      C:\Program Files\Java
      C:\Program Files\Common Files\Java
      
      :Commands
      [EMPTYTEMP]
      [CREATERESTOREPOINT]
       
    • Then click the Run Fix button at the top.
    • Let the program run unhindered and reboot the PC when it is done.
    • Double-click the OTL icon on your Desktop to run the program again.
    • Click the Quick Scan button. Post the log it produces in your next reply.


  3. Run SystemLook
    • Double-click SystemLook.exe to run it.
    • Copy and paste the contents of the following codebox into the main textfield (do not include the word code:):
      Code:
      :Regfind
      Fun4IM
      Bandoo
      Searchqu
      iLivid
      whitesmoke
      datamngr
      kelkoopartners
      trolltech
       
    • Click the Look button to start the scan.
      Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL.txt log.
  3. The contents of the SystemLook.txt log.
  4. After posting your reply message, please verify that the last line of the last report is present in the post. If any log is cut off then please post the logs in sections.


mambass
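
An added illustration of how a custom fix like the one above is derived from an OTL quick-scan log (example code written for this page; it is not part of the thread and not OTL's own code). The script walks O-section scan lines and flags the things the helper acted on: AppInit_DLLs entries (a global DLL injection point), modules OTL reports with no company name, orphaned "File not found" entries, and lines matching the toolbar family's indicator strings. Flagged lines are then emitted verbatim under a :OTL header, which is exactly the format the fix above uses; the :Reg and :Files sections still have to be written by hand. The sample log is constructed from lines quoted in this thread, and the indicator list and reason labels are my choices.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on OTL quick-scan lines quoted in this thread;
# it is not a captured log.
SAMPLE_LOG = r"""
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
"""

# Strings tied to the toolbar family discussed in this thread (my choice of
# indicators; extend the tuple for other cases).
INDICATORS = ("searchqu", "bandoo", "datamngr")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# OTL prints the PE company name in trailing parentheses; "()" means none.
COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")

ORPHAN = "orphaned entry (target missing)"
APPINIT = "AppInit_DLLs injection point"
INDICATOR = "matches indicator"
NO_COMPANY = "no company name on module"


@dataclass(frozen=True)
class Finding:
    section: str      # OTL section tag, e.g. "O2", "O4", "O20"
    reasons: tuple    # why the line was flagged
    line: str         # the scan line, verbatim, as a custom fix wants it


def triage(log_text, indicators=INDICATORS):
    """Return one Finding per O-section line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith("File not found"):
            reasons.append(ORPHAN)
        if section == "O20" and "AppInit_DLLs" in body:
            reasons.append(APPINIT)
        if any(ind in line.lower() for ind in indicators):
            reasons.append(INDICATOR)
        cm = COMPANY_RE.search(body)
        if cm and cm.group(1).strip() == "" and section in ("O2", "O3", "O4"):
            reasons.append(NO_COMPANY)
        if reasons:
            findings.append(Finding(section, tuple(reasons), line))
    return findings


def build_otl_fix(findings, include_orphans=False):
    """Emit the :OTL block of a custom fix; OTL takes scan lines verbatim.

    Orphans are left out by default: a dead entry is clutter, not the
    infection, and the helper decides separately what to do with those.
    """
    lines = [f.line for f in findings
             if include_orphans or f.reasons != (ORPHAN,)]
    return ":OTL\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {'; '.join(f.reasons):<45} {f.line[:60]}...")
    print(build_otl_fix(found))
```

On the sample above this flags the Searchqu BHO (indicator match, no company name), the orphaned Java BHO, the DATAMNGR Run entry and the AppInit_DLLs line, and the generated :OTL block carries the three live entries while leaving the orphan for manual review.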

Re: recurring zbot,g virus again

Unread postby swiiper » December 17th, 2011, 1:44 pm

OTL log below. SystemLook wouldn't run - encountered problems and closed each time I tried it.


OTL logfile created on: 17/12/2011 17:23:45 - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Michael\Desktop
Windows 2000 Professional Edition (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1014.36 Mb Total Physical Memory | 546.90 Mb Available Physical Memory | 53.92% Memory free
2.39 Gb Paging File | 2.00 Gb Available in Paging File | 83.86% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 45.67 Gb Free Space | 64.28% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 65.83 Gb Free Space | 91.44% Space Free | Partition Type: NTFS

Computer Name: JACK | User Name: Michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/27 13:01:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
PRC - [2011/10/19 16:56:50 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/10/19 16:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/10/19 16:56:24 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/10/19 16:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/08/03 14:03:22 | 002,680,104 | ---- | M] (Hercules®) -- C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
PRC - [2011/08/02 09:22:18 | 000,020,480 | ---- | M] () -- C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
PRC - [2010/12/25 11:10:54 | 006,529,024 | ---- | M] (TODO: <Company name>) -- C:\WINDOWS\system32\SSSAudioControl.exe
PRC - [2010/12/25 11:10:48 | 000,102,400 | ---- | M] (SSS) -- C:\WINDOWS\system32\AudioDeviceService.exe
PRC - [2008/10/20 18:32:54 | 002,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
PRC - [2008/09/17 13:25:46 | 000,580,200 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/04/14 12:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/21 04:40:30 | 000,659,456 | ---- | M] (Samsung Electronics,.LTD) -- C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/19 16:56:38 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/08/02 09:22:18 | 000,020,480 | ---- | M] () -- C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
MOD - [2010/05/19 20:55:36 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\mkunicode.dll
MOD - [2009/01/10 22:15:44 | 000,159,744 | ---- | M] () -- C:\WINDOWS\system32\mmfinfo.dll
MOD - [2008/10/20 18:32:54 | 002,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
MOD - [2008/09/17 13:20:08 | 002,842,624 | ---- | M] () -- C:\WINDOWS\system32\btwicons.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (JavaQuickStarterService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/10/19 16:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/19 16:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/08/02 09:22:18 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE -- (HerculesDJControlMP3)
SRV - [2010/12/25 11:10:48 | 000,102,400 | ---- | M] (SSS) [Auto | Running] -- C:\WINDOWS\system32\AudioDeviceService.exe -- (AudioDeviceService)


========== Driver Services (SafeList) ==========

DRV - [2011/12/15 15:02:22 | 000,134,856 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/11/27 12:59:06 | 000,111,872 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TrueSight.sys -- (TrueSight)
DRV - [2011/10/19 16:56:50 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/10/19 16:56:50 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/08/02 09:22:20 | 000,225,408 | ---- | M] (© Guillemot R&D, 2011. All rights reserved.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDJMidi.sys -- (HDJMidi)
DRV - [2011/08/02 09:22:14 | 000,160,384 | ---- | M] (© Guillemot R&D, 2010. All rights reserved.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HDJBulk.sys -- (Bulk)
DRV - [2010/12/25 11:10:54 | 000,014,848 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UAExt.sys -- (UAExt)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/11/07 09:04:00 | 000,291,328 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/10/13 20:21:24 | 001,506,304 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CM106.sys -- (USBMULCD)
DRV - [2008/10/08 06:35:10 | 001,334,432 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/23 20:23:58 | 000,238,464 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMC326.sys -- (VMC326)
DRV - [2008/08/26 23:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/29 15:59:08 | 000,879,832 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/07/29 15:59:02 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/07/26 23:29:54 | 000,074,688 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/07/26 23:29:36 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/07/26 23:29:28 | 000,539,640 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/01/15 03:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)
DRV - [2006/08/01 23:57:24 | 000,019,840 | ---- | M] (Samsung) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SUE_PD.sys -- (SUEPD)
DRV - [2005/10/27 04:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Michael\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Michael\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 23:48:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/03 13:10:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff

[2009/12/31 10:31:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Extensions
[2011/12/17 17:20:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Michael\Application Data\Mozilla\Firefox\Profiles\lxf46fc4.default\extensions
[2011/12/12 21:25:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/08/29 17:21:21 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/11/10 23:48:02 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/11 21:20:04 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/10/11 21:20:04 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/10/11 21:20:04 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/10/11 21:20:04 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/10/11 21:20:04 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: ()
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =

O1 HOSTS File: ([2008/04/14 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
O4 - HKLM..\Run: [Hercules DJ Series] C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe (Hercules®)
O4 - HKLM..\Run: [SSSAudioControl] C:\WINDOWS\system32\SSSAudioControl.exe (TODO: <Company name>)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe ()
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKCU..\Run: [Facebook Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0FEAA65E-B36D-4070-A6F7-E3FEC90F45F3}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL File not found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\SYSTEM32\Userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/12 19:26:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/17 17:24:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/12/12 20:32:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/12 19:58:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/12 19:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop\ERUNT
[2011/12/07 19:24:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Malwarebytes
[2011/12/07 19:24:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/07 19:24:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/12/07 19:23:54 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/07 19:23:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/06 21:19:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/12/06 21:12:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Application Data\Avira
[2011/12/06 21:06:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/12/06 21:06:40 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/12/06 21:06:37 | 000,134,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/12/06 21:06:37 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/12/06 21:06:37 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2011/12/06 21:06:35 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/12/06 21:06:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/11/29 07:59:58 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Michael\Start Menu\Programs\Administrative Tools
[2011/11/29 07:59:23 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Michael\Desktop\dds.scr
[2011/11/27 13:13:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop\tdsskiller
[2011/11/27 13:01:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/11/27 12:33:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michael\Desktop\RK_Quarantine

========== Files - Modified Within 30 Days ==========

[2011/12/17 17:22:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/17 17:22:27 | 1063,702,528 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/17 17:22:27 | 000,134,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/17 01:23:40 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/12/15 15:02:22 | 000,134,856 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/12/15 14:58:46 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/12 21:57:01 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005UA.job
[2011/12/12 21:57:01 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005Core.job
[2011/12/12 20:34:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005UA.job
[2011/12/12 20:34:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005Core.job
[2011/12/12 19:51:12 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\erunt.zip
[2011/12/12 19:50:23 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\SystemLook.exe
[2011/12/07 19:24:02 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 22:26:37 | 000,003,377 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\attach.zip
[2011/12/06 22:25:09 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\jZip.lnk
[2011/12/06 21:06:56 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2011/12/06 20:51:45 | 084,358,288 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\avira_free_antivirus_en.exe
[2011/12/05 16:50:54 | 000,000,250 | ---- | M] () -- C:\WINDOWS\System\Cm106.ini
[2011/12/04 14:14:54 | 007,809,901 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Drake - Headlines (Explicit).mp3
[2011/12/04 13:18:00 | 002,158,386 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\TooBeautiful.mp3
[2011/12/04 13:16:44 | 005,893,140 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Drake - The Motto ft. Lil Wayne.mp3
[2011/12/03 19:16:07 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Virtual DJ (DJConsole).lnk
[2011/11/29 23:04:33 | 002,817,171 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\HipHopScary.mp3
[2011/11/29 22:56:54 | 002,340,407 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\CaptainBirdseye(1).mp3
[2011/11/29 22:54:54 | 003,661,367 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\x x babez(1).mp3
[2011/11/29 07:59:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Michael\Desktop\dds.scr
[2011/11/27 13:12:24 | 001,547,774 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\tdsskiller.zip
[2011/11/27 13:07:02 | 001,008,114 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\rkill.com
[2011/11/27 13:01:21 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/11/27 12:59:06 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/11/27 12:54:04 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\HiJackThis.lnk
[2011/11/27 11:45:22 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF
[2011/11/26 23:46:24 | 000,076,800 | ---- | M] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/18 18:55:06 | 008,711,857 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\will.i.am, Nicki Minaj - Check It Out.mp3
[2011/11/18 18:51:37 | 006,408,902 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets.mp3
[2011/11/18 18:46:58 | 006,847,759 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets (Sam Reynolds Mashup Remix).mp3
[2011/11/18 18:44:43 | 007,078,473 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Inna - Hot (Official Video HD).mp3
[2011/11/18 18:43:39 | 008,642,476 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Avicii - Levels (HD) -- Without intro music.mp3
[2011/11/18 18:40:30 | 005,769,842 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\Pitbull - Something For The DJs FULL 2011.mp3
[2011/11/17 21:57:33 | 001,575,751 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\The Gaa draft.mp3
[2011/11/17 21:55:03 | 003,789,761 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\The Gaa.mp3
[2011/11/17 21:45:42 | 000,821,585 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\5ths.mp3
[2011/11/17 21:43:44 | 003,661,367 | ---- | M] () -- C:\Documents and Settings\Michael\Desktop\x x babez.mp3

========== Files Created - No Company Name ==========

[2011/12/12 19:51:15 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\erunt.zip
[2011/12/12 19:50:43 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\SystemLook.exe
[2011/12/07 19:24:02 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/06 22:26:37 | 000,003,377 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\attach.zip
[2011/12/06 21:06:56 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2011/12/06 20:42:11 | 084,358,288 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\avira_free_antivirus_en.exe
[2011/12/04 14:12:17 | 007,809,901 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Drake - Headlines (Explicit).mp3
[2011/12/04 13:15:53 | 005,893,140 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Drake - The Motto ft. Lil Wayne.mp3
[2011/11/29 23:03:59 | 002,817,171 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\HipHopScary.mp3
[2011/11/29 22:59:32 | 002,158,386 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\TooBeautiful.mp3
[2011/11/29 22:51:11 | 003,661,367 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\x x babez(1).mp3
[2011/11/27 13:12:18 | 001,547,774 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\tdsskiller.zip
[2011/11/27 13:06:56 | 001,008,114 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\rkill.com
[2011/11/27 12:33:32 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/11/27 11:44:11 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF
[2011/11/18 19:02:24 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Virtual DJ (DJConsole).lnk
[2011/11/18 18:54:22 | 008,711,857 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\will.i.am, Nicki Minaj - Check It Out.mp3
[2011/11/18 18:50:47 | 006,408,902 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets.mp3
[2011/11/18 18:46:10 | 006,847,759 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Rizzle Kicks - Down With The Trumpets (Sam Reynolds Mashup Remix).mp3
[2011/11/18 18:43:57 | 007,078,473 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Inna - Hot (Official Video HD).mp3
[2011/11/18 18:39:59 | 005,769,842 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Pitbull - Something For The DJs FULL 2011.mp3
[2011/11/18 18:35:11 | 008,642,476 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\Avicii - Levels (HD) -- Without intro music.mp3
[2011/11/17 21:56:31 | 001,575,751 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\The Gaa draft.mp3
[2011/11/17 21:54:25 | 003,789,761 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\The Gaa.mp3
[2011/11/17 21:43:55 | 002,340,407 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\CaptainBirdseye(1).mp3
[2011/11/17 21:43:50 | 000,821,585 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\5ths.mp3
[2011/11/17 21:37:54 | 003,661,367 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\x x babez.mp3
[2010/12/29 17:56:13 | 000,000,250 | ---- | C] () -- C:\WINDOWS\Cm106.ini.cfl
[2010/12/29 17:55:40 | 000,001,249 | ---- | C] () -- C:\WINDOWS\Cm106.ini.cfg
[2010/12/29 17:55:36 | 000,000,490 | ---- | C] () -- C:\WINDOWS\cm106.ini
[2010/12/29 17:55:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SSSAudioEQAndMicData.dat
[2010/12/25 11:10:54 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\UAExt.sys
[2010/05/24 19:33:00 | 004,670,829 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2010/05/24 19:33:00 | 001,529,856 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2010/05/24 19:33:00 | 001,447,921 | ---- | C] () -- C:\WINDOWS\System32\ffmpegmt.dll
[2010/05/24 19:33:00 | 000,877,385 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2010/05/24 19:33:00 | 000,810,113 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/05/24 19:33:00 | 000,336,384 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2010/05/24 19:33:00 | 000,324,096 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2010/05/24 19:33:00 | 000,248,320 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2010/05/24 19:33:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2010/05/24 19:33:00 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2010/05/24 19:33:00 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2010/05/24 19:33:00 | 000,139,944 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2010/05/24 19:33:00 | 000,121,856 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2010/05/24 19:33:00 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2010/05/24 19:33:00 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/05/24 19:33:00 | 000,100,864 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2010/05/24 19:33:00 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2010/05/19 20:59:20 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2010/05/19 20:59:10 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2010/05/19 20:59:02 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2010/05/19 20:58:52 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2010/05/19 20:58:24 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2010/05/19 20:58:18 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2010/05/19 20:58:08 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2010/05/19 20:57:42 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2010/05/19 20:57:38 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2010/05/19 20:57:26 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2010/05/19 20:57:20 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2010/05/19 20:55:40 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2010/05/19 20:55:36 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2010/03/08 15:20:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/31 10:31:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/11 21:21:26 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\ac3config.exe
[2009/07/10 19:22:53 | 000,076,800 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/08 23:00:50 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/06/07 16:24:04 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/05/30 17:14:42 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/05/01 12:37:35 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Michael_KBD.ini
[2009/04/04 00:42:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/12 19:44:36 | 000,307,200 | ---- | C] () -- C:\WINDOWS\SetDisplayResolution.exe
[2009/02/12 19:37:53 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2009/02/12 19:37:53 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2009/02/12 19:37:51 | 000,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2009/02/12 19:37:51 | 000,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2009/02/12 19:37:51 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2009/02/12 19:37:51 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2009/02/12 19:37:51 | 000,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2009/02/12 19:37:51 | 000,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2009/02/12 19:37:51 | 000,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2009/02/12 19:37:51 | 000,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2009/02/12 19:37:51 | 000,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2009/02/12 19:37:51 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2009/02/12 19:37:51 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2009/02/12 19:37:51 | 000,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2009/02/12 19:37:51 | 000,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2009/02/12 19:37:51 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2009/02/12 19:37:51 | 000,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2009/02/12 19:37:51 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2009/02/12 19:37:51 | 000,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2009/02/12 19:35:41 | 000,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/02/12 19:35:41 | 000,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/02/12 19:32:23 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/02/12 19:29:57 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\Marker.exe
[2009/02/12 19:29:56 | 000,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2009/02/12 19:28:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/02/12 19:23:52 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/02/12 18:06:19 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/02/12 18:05:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/02/12 18:05:39 | 000,312,172 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/02/12 18:05:39 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/02/12 18:05:39 | 000,040,394 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/02/12 18:05:39 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/02/12 18:05:38 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/02/12 18:05:38 | 000,004,486 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/02/12 18:05:38 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/02/12 18:05:37 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/02/12 18:05:37 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/02/12 18:05:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/02/12 18:05:31 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/02/12 11:18:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/02/12 11:17:50 | 000,134,072 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/01/10 22:15:44 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2008/11/06 15:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/17 13:20:08 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/10/13 09:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/02/27 00:49:12 | 006,139,774 | ---- | C] () -- C:\WINDOWS\imagine digital freedom.dat
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/10/28 23:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2011/01/11 17:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindSolutions
[2009/09/27 12:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/02/12 19:33:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLAN
[2009/06/10 17:34:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\MSNInstaller
[2010/10/28 23:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\NCH Swift Sound
[2009/06/09 18:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\OpenOffice.org
[2011/06/06 17:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Philipp Winterberg
[2010/10/27 21:58:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\Pioneer
[2011/01/11 17:08:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\WindSolutions
[2011/12/12 20:34:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005Core.job
[2011/12/12 20:34:00 | 000,001,004 | ---- | M] () -- C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-3870564424-1140265585-552937611-1005UA.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF:SummaryInformation

< End of report >
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm
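The OTL listing above is what the helper reads to pick out entries such as winlogon.exe.PIF on the Desktop and the data stream attached to it. As an added example, not part of this thread and not OTL's own code, here is a small Python parser for OTL's file and alternate-data-stream lines with a few triage heuristics; the heuristics, the list of flagged process names and the executable-extension set are this example's own assumptions, and the sample lines are real lines copied from the log above, rearranged into a short excerpt.

```python
import re
from pathlib import PureWindowsPath

# OTL file line: [date time | size | attrs | C/M] (company) -- path ; the
# "(company)" part is absent on the directory lines of the LOP Check section.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# OTL alternate-data-stream line; the stream name follows the last colon.
ADS_LINE = re.compile(
    r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$"
)
# Triage assumptions of this example, not OTL's own rules: a few well-known
# Windows process names, and extensions that run on double-click.
SYSTEM_BINARIES = {"winlogon", "svchost", "csrss", "lsass", "services", "explorer"}
EXEC_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
DOC_EXTS = {"txt", "doc", "pdf", "jpg", "mp3"}


def parse_line(line):
    """Return a dict for an OTL file or ADS line, or None for headers and blanks."""
    m = OTL_LINE.match(line)
    if m:
        entry = m.groupdict()
        entry["size"] = int(entry["size"].replace(",", ""))
        entry["company"] = entry["company"] or ""
        entry["type"] = "file"
        return entry
    m = ADS_LINE.match(line)
    if m:
        entry = m.groupdict()
        entry["bytes"] = int(entry["bytes"])
        entry["type"] = "ads"
        return entry
    return None


def flags_for(entry):
    """Triage hints for one parsed entry; an empty list means nothing stood out."""
    path = PureWindowsPath(entry["path"])
    name = path.name.lower()
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    in_windows = str(path).lower().startswith("c:\\windows\\")
    reasons = []
    if entry["type"] == "ads":
        reasons.append(f"alternate data stream '{entry['stream']}' ({entry['bytes']} bytes)")
        if ext in EXEC_EXTS:
            reasons.append("stream attached to an executable file")
        return reasons
    base = stem.split(".")[0]
    if ext in EXEC_EXTS and base in SYSTEM_BINARIES and not in_windows:
        reasons.append(f"{base} name outside the Windows directory")
    if ext in EXEC_EXTS and "." in stem and stem.rsplit(".", 1)[1] in EXEC_EXTS | DOC_EXTS:
        reasons.append("double extension")
    if ext == "sys" and "\\drivers\\" in str(path).lower() and not entry["company"]:
        reasons.append("driver with no company name")
    return reasons


def triage(log_text):
    """Walk an OTL log; return [(path, reasons)] for entries worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry and (reasons := flags_for(entry)):
            hits.append((entry["path"], reasons))
    return hits


# Excerpt of lines copied from the OTL log posted above (real lines, rearranged).
SAMPLE_LOG = r"""========== Files Created - No Company Name ==========

[2011/11/27 11:44:11 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF
[2011/11/27 12:33:32 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/12/15 15:02:22 | 000,134,856 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/01/11 17:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindSolutions

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF:SummaryInformation
"""
```

A hit is a prompt to inspect the entry, as the helper does in this thread, not a verdict; TrueSight.sys, for instance, is flagged only because OTL shows no company name for it.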

Re: recurring zbot,g virus again

Unread postby mambass » December 17th, 2011, 10:25 pm

Hi swiiper,

If SystemLook fails to run again, please provide the full text of the error message.

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Perform a Custom Fix with OTL
    • Double-click the OTL icon on your Desktop to run the program.
    • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code:
      :processes
      killallprocesses
      
      :Files
      C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF
      
      
    • Then click the Run Fix button at the top.
    • Let the program run unhindered and reboot the PC when it is done.
    • When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    • Copy the contents of that file and post it in your next reply. The log can also be found as C:\_OTL\MovedFiles\(date)_(time).log.

  2. Download and run RogueKiller
    • Please click here to download RogueKiller and save it to your Desktop.
    • Quit all running programs.
    • Double click the RogueKiller.exe icon on your Desktop to run it.
    • When prompted, type 1 and hit Enter.
    • A RKreport.txt should appear on your desktop.
    • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
    • Please post the contents of the RKreport.txt in your next Reply.

  3. Run SystemLook
    • Double-click SystemLook.exe to run it.
    • Copy and paste the contents of the following codebox into the main textfield (do not include the word code:):
      Code:
      :filefind
      winlogin*.*
      
      :regfind
      HDMI
      Fun4IM
      Bandoo
      Searchqu
      iLivid
      whitesmoke
      datamngr
      kelkoopartners
      trolltech
       
    • Click the Look button to start the scan.
      Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL Fix log.
  3. The contents of the RKreport.txt log.
  4. The contents of the SystemLook.txt log.


mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Unread postby swiiper » December 18th, 2011, 6:31 am

========== PROCESSES ==========
All processes killed
========== FILES ==========
C:\Documents and Settings\Michael\Desktop\winlogon.exe.PIF moved successfully.

OTL by OldTimer - Version 3.2.31.0 log created on 12182011_102717

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby swiiper » December 18th, 2011, 6:35 am

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Michael [Admin rights]
Mode: Scan -- Date : 12/18/2011 10:32:56

¤¤¤ Bad processes: 1 ¤¤¤
[HJ NAME] NOTEPAD.EXE -- C:\WINDOWS\notepad.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤
[SCRSV] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\WINDOWS\IMAGIN~1.SCR) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] e440afe817fb10031fe366013ca4d1d4
[BSP] 7bd015c98f4f065643ac0b63e9cbbd28 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 63 | Size: 6448 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 12594960 | Size: 76282 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 161585152 | Size: 77308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby swiiper » December 18th, 2011, 6:38 am

About 1 min into SystemLook it stops and the basic Windows message appears "SystemLook.exe has encountered a problem and needs to close. We are sorry for the inconvenience." This is all that's in the file:
SystemLook 30.07.11 by jpshortstuff
Log created at 10:36 on 18/12/2011 by Michael
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogin*.*"
No files found.

========== regfind ==========

Searching for "HDMI"
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby mambass » December 19th, 2011, 1:19 pm

Hi swiiper,

You previously indicated that you were unable to boot into Safe Mode.
  1. How are you attempting to boot into Safe Mode?
  2. What exactly do you see when you do that?

--------------------------------------------

  1. Run RogueKiller
    • Quit all running programs.
    • Double click the RogueKiller.exe icon on your Desktop to run it.
    • When prompted, type 1 and hit Enter.
    • A RKreport.txt should appear on your desktop.
    • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
    • Please post the contents of the RKreport.txt in your next Reply.

  2. Run a custom scan with OTL
    • Double-click the OTL icon on your Desktop to run the program.
    • In the Custom Scans/Fixes box at the bottom, paste in the following line from the Code box (Do not include the word "Code"):
      Code:
      c:\windows\system32|java;true;false;true /FP 
      
    • Click the None button.
    • Click the Run Scan button at the top.
    • A Notepad window will open when the scan completes.
    • Copy the contents of that file and post it in your next reply. The log can also be found on your Desktop as OTL.txt.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The answers to my questions concerning Safe Mode.
  3. The contents of the RKreport.txt log.
  4. The contents of the OTL.txt log.


mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: recurring zbot,g virus again

Unread postby swiiper » December 19th, 2011, 7:50 pm

ok - I'll be able to do that tomorrow.

As far as safe mode goes I just used the F8 key and it didn't matter if I tried safe or safe with networking, it simply failed after a few seconds and displayed an apologetic message saying that it was unable to start in safe mode.
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot,g virus again

Unread postby swiiper » December 21st, 2011, 7:17 pm

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Michael [Admin rights]
Mode: Scan -- Date : 12/21/2011 23:15:09

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[SCRSV] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\WINDOWS\IMAGIN~1.SCR) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] e440afe817fb10031fe366013ca4d1d4
[BSP] 7bd015c98f4f065643ac0b63e9cbbd28 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 63 | Size: 6448 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 12594960 | Size: 76282 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 161585152 | Size: 77308 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm