
I'm having a similar issue to the other thread about this virus. http://forums.malwarebytes.org/index.php?showtopic=79349&st=20

Hopefully elise025 sees this :). It shut down Firefox for me and started doing its thing. I opened up Task Manager and shut down the only process running that was unfamiliar, ljm.exe, and the fake antivirus scan closed. I can't open up Firefox or Malwarebytes, and if I try it starts up ljm.exe all over again. It looks like fixreg.exe will probably be the fix, but I'll wait to do that. I can't get online on that computer, so I figure I'll have to maybe try USB'ing everything over if that is safe.


Hello, let's see if we can first get a bit more information here. :)

To protect your clean computer, please use Flash Disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to a flashdrive

Please download OTL to a flashdrive

Put the flash drive into your infected computer, open it and double-click the OTH file to run it, then click Kill All Processes; your desktop will go blank.


Then select Start OTL. OTL will now run

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, and post these logs in your next reply.

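The note about the hidden autorun.inf folder rests on a simple property of a drive root: only one object can carry that name, so while the directory exists, malware cannot drop an autorun.inf file there. The Python script below is an added example, not Flash_Disinfector's or Panda USB Vaccine's code, that shows both halves of that check on a throwaway directory standing in for a USB root. It classifies the root as clean, protected (folder) or carrying an autorun.inf file; for a file it parses the directives AutoRun would act on (open, shellexecute and shell\verb\command); and it only creates the protective folder when nothing is in the way. The function names and the sample worm autorun.inf are the author's own constructions.

```python
"""Classify and, where safe, vaccinate a drive root against autorun.inf.

Added example, not Flash_Disinfector's or Panda USB Vaccine's code. Function and
key names are the author's own; sample autorun.inf contents are constructed.
"""
import os
import tempfile

# [autorun] keys that make Windows run something when the drive is inserted/opened.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return the execution-relevant directives of an autorun.inf as {key: value}.

    Hand-rolled rather than configparser: real files mix case and use keys such as
    shell\\verb\\command. Only the [autorun] section is read.
    """
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            result[key] = value
    return result


def inspect_drive_root(root):
    """Classify the autorun.inf entry at a drive root.

    Returns ("protected", None) for the vaccine directory, ("clean", None) when
    nothing is there, or ("autorun", directives) for a file, with what it launches.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "protected", None
    if not os.path.exists(path):
        return "clean", None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return "autorun", parse_autorun_inf(fh.read())


def vaccinate(root):
    """Create the autorun.inf directory unless a *file* of that name is in the way.

    A file is never overwritten silently: it is the evidence, and the caller should
    inspect it first. Returns True when the root is protected afterwards.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return True
    if os.path.exists(path):
        return False
    os.mkdir(path)
    return True


# Constructed sample of the kind of autorun.inf a USB worm drops (not from the thread).
SAMPLE_WORM_INF = (
    "[AutoRun]\r\n"
    "OPEN=RECYCLER\\setup.exe\r\n"
    "shell\\Open\\command=RECYCLER\\setup.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def demo_on_temp_drive():
    """Walk a throwaway directory (standing in for a USB root) through the three states."""
    with tempfile.TemporaryDirectory() as drive:
        inf = os.path.join(drive, "autorun.inf")
        states = [inspect_drive_root(drive)[0]]                 # "clean"
        with open(inf, "w", newline="") as fh:
            fh.write(SAMPLE_WORM_INF)
        kind, directives = inspect_drive_root(drive)
        states.append((kind, directives.get("open")))          # ("autorun", "RECYCLER\\setup.exe")
        states.append(vaccinate(drive))                        # False: the file must go first
        os.remove(inf)
        states.append(vaccinate(drive))                        # True: folder created
        states.append(inspect_drive_root(drive)[0])            # "protected"
    return states


if __name__ == "__main__":
    for state in demo_on_temp_drive():
        print(state)
```

A plain directory is only the mechanism the post describes: any process with write access to the drive can remove it, so treat this as a way to understand and verify what the tool did, not as a replacement for it. The refusal to overwrite an existing file is deliberate; on an infected stick that file is what you want to read before anything else.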

The laptop I am using is Windows 7 64-bit and the infected computer is Windows XP 32-bit Service Pack 3. I tried running the program above and it said that it wasn't sure if it installed correctly. I tried running it in compatibility mode for XP SP2, as it recommended, and in SP3, with no results.


Hi, it is supposed to be 64 bit compatible. You can check if the hidden folder named autorun.inf was created on the usb drive. What AV are you using on the Windows 7 computer? If you have for example Avira, you should be okay, because it is quite good at picking up possible autorun malware.



There's no hidden folder named autorun.inf on the usb drive. When I double click on Flash_Disinfector.exe it looks like it starts then nothing. I tried running it again with compatibility mode off. Should I delete it and redownload?


Did you show hidden files first (don't forget to change the setting back afterwards)?

  • Click Start.
  • Open "Computer".
  • Select the Organize menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.


Yes I have done that. I have only gotten as far as step 1. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. It doesn't appear to be working properly. I have Microsoft Security Essentials running and I tried it again with it disabled and no luck. What is it supposed to look like if it's working?


Panda worked. I have autorun.ini on the USB; I put OTH and OTL on it. I followed the instructions: Kill All Processes, Start OTL, ran Quick Scan. When I try to run Internet Explorer it gets blocked and XP Antivirus 2011 tries to start again. I just kill the process in Task Manager. What should I do next? Should I try to save the txt files onto the USB since Internet Explorer gets blocked?


Yes, when the logs come up, maximize them, click File > Save as and save them to your flashdrive, then transfer them to another computer and post them here.

Let me know if you also want the extras.txt and if I have to zip it.

OTL logfile created on: 3/31/2011 2:11:47 PM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = J:\

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 87.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 23.55 Gb Free Space | 5.06% Space Free | Partition Type: NTFS

Drive D: | 2.97 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive J: | 3.77 Gb Total Space | 3.77 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: USER-2EC5FD82AA | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/31 14:07:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- J:\OTL.scr

PRC - [2011/03/31 14:07:08 | 000,258,560 | ---- | M] (OldTimer Tools) -- J:\OTH.scr

========== Modules (SafeList) ==========

MOD - [2011/03/31 14:07:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- J:\OTL.scr

MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)

SRV - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)

SRV - [2010/03/08 14:46:26 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- c:\Program Files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)

SRV - [2009/11/12 10:08:00 | 003,403,420 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)

========== Driver Services (SafeList) ==========

DRV - [2011/03/30 18:46:30 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3DCDAC99-F738-45AF-A668-8F71CDE7EDA5}\MpKsl9023fccc.sys -- (MpKsl9023fccc)

DRV - [2010/03/04 16:13:36 | 000,037,920 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)

DRV - [2009/10/06 08:45:12 | 000,011,168 | ---- | M] (Headsoft) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vjoy.sys -- (vhidmini)

DRV - [2008/04/14 05:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)

DRV - [2008/02/14 02:04:06 | 004,676,096 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2008/01/03 07:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: ""

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "google.com"

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3

FF - prefs.js..extensions.enabledItems: battlefieldheroespatcher@ea.com:4.0.27.0

FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3

FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.2

FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.5.2

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.2

FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:5.0

FF - prefs.js..extensions.enabledItems: firefox-extension@shareaholic.com:2.2.0

FF - prefs.js..extensions.enabledItems: tineye@ideeinc.com:1.1

FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.1

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.12.21.1

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: battlefieldplay4free@ea.com:1.0.27.2

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2

FF - prefs.js..extensions.enabledItems: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2}:0.9.86

FF - prefs.js..extensions.enabledItems: bitlypreview@jay.ridgeway:1.272

FF - prefs.js..extensions.enabledItems: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.6.7

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/19 10:31:03 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/10 02:08:54 | 000,000,000 | ---D | M]

[2009/05/08 15:48:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions

[2011/03/27 02:37:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions

[2010/12/22 13:52:18 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}

[2011/02/04 04:25:13 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

[2010/11/26 20:17:04 | 000,000,000 | ---D | M] (Aero Fox Silver XL) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}

[2011/03/09 18:30:58 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

[2011/02/16 14:04:18 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}

[2011/01/26 13:06:01 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

[2009/12/07 23:00:25 | 000,000,000 | ---D | M] (Battlefield Heroes Updater) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\battlefieldheroespatcher@ea.com

[2011/01/14 21:26:57 | 000,000,000 | ---D | M] (Battlefield Play4Free) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\battlefieldplay4free@ea.com

[2011/03/10 01:52:46 | 000,000,000 | ---D | M] (bit.ly preview) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\bitlypreview@jay.ridgeway

[2011/02/25 07:24:44 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\firefox@ghostery.com

[2010/12/18 09:45:44 | 000,000,000 | ---D | M] (Shareaholic) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\firefox-extension@shareaholic.com

[2011/02/16 14:04:18 | 000,000,000 | ---D | M] (TinEye Reverse Image Search) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\tineye@ideeinc.com

[2010/12/18 09:45:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\firefox-extension@shareaholic.com\chrome

[2010/12/18 09:45:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\firefox-extension@shareaholic.com\defaults

[2010/11/26 20:17:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p516ghij.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\mozapps\extensions

[2011/03/10 02:08:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/08/21 23:41:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/10/18 01:02:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

File not found (No name found) --

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\{59C81DF5-4B7A-477B-912D-4E0FDF64E5F2}.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\{D40F5E7B-D2CF-4856-B441-CC613EEFFBE3}.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\{D4DD63FA-01E4-46A7-B6B1-EDAB7D6AD389}.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\{EF522540-89F5-46B9-B6FE-1829E2B572C6}.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\SELECTBUG@GETFIREBUG.COM.XPI

() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P516GHIJ.DEFAULT\EXTENSIONS\SROUSSEY@ILLUMINATION-FOR-DEVELOPERS.COM.XPI

[2010/04/16 08:53:58 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2009/09/01 17:42:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2011/03/19 10:30:57 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll

[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2010/03/23 00:03:22 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

[2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2008/04/14 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKCU..\Run: [starcraftCalendar] C:\Program Files\brn\ScCalendar\StarcraftCalendar.exe (Microsoft)

O4 - HKCU..\Run: [steam] C:\Program Files\Steam\steam.exe (Valve Corporation)

O4 - HKCU..\Run: [Timezone] C:\Program Files\Microsoft Time Zone\TimeZone.exe (Microsoft)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/05/06 16:31:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2011/03/31 14:05:44 | 000,000,016 | -H-- | M] () - J:\AUTORUN.INF -- [ FAT32 ]

O33 - MountPoints2\{d4382c46-58b0-11df-895e-0024212d5363}\Shell\AutoRun\command - "" = J:\Setup_FlipShare.exe

O33 - MountPoints2\{d4382c46-58b0-11df-895e-0024212d5363}\Shell\Setup FlipShare\command - "" = J:\Setup_FlipShare.exe

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "%1" %* ()

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/31 08:45:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent

[2011/03/29 03:22:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Darkspore

[2011/03/29 03:22:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\DarksporeData

[2011/03/23 12:52:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Square Enix

[2011/03/18 12:03:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Darksiders

[2011/03/18 12:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\THQ

[2011/03/18 12:01:12 | 000,000,000 | ---D | C] -- C:\Program Files\THQ

[2011/03/17 23:10:09 | 000,000,000 | ---D | C] -- C:\My Games

[2011/03/13 14:18:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\VodBurner

[2011/03/12 12:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\ScCalendar

[2011/03/12 12:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ScC

[2011/03/12 12:17:22 | 000,000,000 | ---D | C] -- C:\Program Files\brn

[2011/03/12 07:55:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Wow-achievements MP3

[2011/03/12 07:48:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype

[2011/03/12 07:48:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype

[2011/03/11 02:53:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Perfect World Entertainment

[2011/03/11 02:47:51 | 000,000,000 | ---D | C] -- C:\Perfect World Entertainment

[2011/03/11 02:25:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo

[2011/03/09 01:07:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes

[2011/03/09 01:06:21 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2011/03/09 01:03:39 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2011/03/04 13:54:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\yoclient

[2011/03/01 18:01:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Braid

[2009/10/06 22:19:03 | 001,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\Documents and Settings\All Users\Application Data\DynuEncrypt.dll

[12 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/31 14:16:58 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2011/03/31 14:09:56 | 000,006,790 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\1pu4igwom771p2571ra12y7fk5447qc4010k6c3cbv2p5ub

[2011/03/31 14:09:56 | 000,006,790 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1pu4igwom771p2571ra12y7fk5447qc4010k6c3cbv2p5ub

[2011/03/31 14:09:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/03/31 08:42:41 | 000,002,441 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk

[2011/03/31 08:38:46 | 000,331,776 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\tsv.exe

[2011/03/31 08:38:45 | 000,331,776 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe

[2011/03/31 06:00:28 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk

[2011/03/30 18:34:09 | 000,013,708 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/03/29 23:42:00 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ScCalendar.lnk

[2011/03/28 21:36:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2011/03/19 09:05:07 | 000,252,332 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2011/03/19 09:05:07 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin

[2011/03/19 09:05:06 | 000,252,332 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2011/03/18 13:57:18 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

[2011/03/18 12:27:35 | 000,053,760 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/03/18 12:01:37 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Darksiders Comic.lnk

[2011/03/18 12:01:37 | 000,001,694 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Darksiders Soundtrack.lnk

[2011/03/15 19:00:59 | 000,002,545 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ScCPlayer.lnk

[2011/03/13 08:02:41 | 000,523,366 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/03/13 08:02:41 | 000,095,282 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/03/12 07:49:55 | 000,002,435 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MP3 Skype Recorder.lnk

[2011/03/12 07:42:46 | 000,044,931 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\worstpictureever2.JPG

[2011/03/11 02:57:28 | 000,000,831 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Forsaken World.lnk

[2011/03/10 02:08:59 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[2011/03/10 02:08:59 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

[2011/03/09 17:55:10 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk

[2011/03/09 01:07:10 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2011/03/08 23:56:53 | 000,138,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys

[2011/03/08 23:56:45 | 000,270,856 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr

[2011/03/07 13:22:18 | 000,270,856 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.ex0

[2011/03/07 00:52:56 | 000,682,065 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Multitasking_Trainer_v0.95.SC2Map

[12 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/31 08:38:47 | 000,006,790 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\1pu4igwom771p2571ra12y7fk5447qc4010k6c3cbv2p5ub

[2011/03/31 08:38:47 | 000,006,790 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1pu4igwom771p2571ra12y7fk5447qc4010k6c3cbv2p5ub

[2011/03/31 08:38:46 | 000,331,776 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\tsv.exe

[2011/03/31 08:38:45 | 000,331,776 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe

[2011/03/18 12:01:37 | 000,001,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Darksiders Comic.lnk

[2011/03/18 12:01:37 | 000,001,694 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Darksiders Soundtrack.lnk

[2011/03/12 12:17:24 | 000,002,545 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ScCPlayer.lnk

[2011/03/12 12:17:24 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ScCalendar.lnk

[2011/03/12 07:48:35 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

[2011/03/12 07:42:46 | 000,044,931 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\worstpictureever2.JPG

[2011/03/11 02:57:28 | 000,000,831 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Forsaken World.lnk

[2011/03/10 02:08:59 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk

[2011/03/09 01:07:10 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2011/03/07 00:52:55 | 000,682,065 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Multitasking_Trainer_v0.95.SC2Map

[2011/03/04 14:01:40 | 000,000,032 | R--- | C] () -- C:\Documents and Settings\All Users\hash.dat

[2011/02/20 23:17:08 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

[2010/12/31 07:35:35 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

[2010/11/21 03:42:05 | 001,843,527 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-583907252-484061587-1801674531-1003-0.dat

[2010/11/21 03:42:04 | 000,152,370 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

[2010/10/14 02:36:44 | 000,179,263 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat

[2010/10/10 12:53:09 | 000,000,058 | -H-- | C] () -- C:\WINDOWS\popcreg.dat

[2010/10/06 07:28:05 | 002,601,752 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_moh.exe

[2010/09/12 01:08:40 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010/06/28 21:44:46 | 000,252,332 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2010/06/28 21:44:44 | 000,252,332 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2010/06/28 21:44:44 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin

[2010/06/23 03:32:48 | 000,738,352 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/06/11 19:42:50 | 002,444,656 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_apb.exe

[2010/01/28 11:29:17 | 002,434,856 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_bc2.exe

[2010/01/03 19:32:26 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ra3.ini

[2009/12/23 10:37:11 | 000,000,045 | ---- | C] () -- C:\WINDOWS\popcinfot.dat

[2009/12/07 23:02:02 | 002,395,944 | ---- | C] () -- C:\WINDOWS\System32\pbsvc_heroes.exe

[2009/12/02 22:45:21 | 000,000,096 | -H-- | C] () -- C:\WINDOWS\System32\HsInfo.dat

[2009/11/25 13:40:50 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2009/09/27 03:21:17 | 000,025,284 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2009/08/14 07:42:11 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin

[2009/07/30 23:08:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2009/07/28 00:26:08 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2009/07/28 00:26:07 | 000,053,760 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/07/08 18:03:02 | 000,058,880 | ---- | C] () -- C:\WINDOWS\System32\bdmpegv.dll

[2009/05/08 20:48:37 | 000,138,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys

[2009/05/08 20:48:36 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys

[2009/05/08 20:47:56 | 000,270,856 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe

[2009/05/08 20:47:55 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe

[2009/05/08 20:47:54 | 002,373,712 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe

[2009/05/08 15:48:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2009/05/06 16:49:38 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys

[2009/05/06 16:42:30 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe

[2009/05/06 16:32:35 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2009/05/06 16:29:32 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2009/05/06 09:21:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2009/05/06 09:20:37 | 000,122,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008/10/07 13:33:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin

[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin

[2008/04/14 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2008/04/14 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2008/04/14 05:00:00 | 000,523,366 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2008/04/14 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2008/04/14 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2008/04/14 05:00:00 | 000,095,282 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2008/04/14 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2008/04/14 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2008/04/14 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2008/04/14 05:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2008/04/14 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2008/04/14 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== LOP Check ==========

[2010/11/21 01:42:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3

[2009/12/26 18:51:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BioWare

[2009/12/19 02:46:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Codemasters

[2011/01/20 13:58:28 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\DSS

[2010/01/14 06:37:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EA Core

[2011/01/20 13:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts

[2010/02/09 12:20:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts Inc

[2010/05/05 18:44:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video

[2009/12/03 11:39:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ijjigame

[2010/05/09 16:54:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Isotx

[2010/11/24 08:56:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nexon

[2010/12/16 14:11:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS

[2010/07/06 12:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Paterva

[2010/10/11 08:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games

[2010/04/04 01:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution

[2009/10/04 04:23:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/04/02 13:27:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2009/09/24 02:35:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/05/08 23:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2010/11/08 14:57:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.maltego

[2010/10/04 03:09:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.minecraft

[2010/06/02 10:04:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.purple

[2010/08/31 14:14:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Amazon

[2011/02/27 07:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\APOX

[2009/12/30 23:54:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Atari

[2011/01/24 10:18:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Audacity

[2010/12/24 02:35:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Beat Hazard

[2011/03/01 20:18:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Braid

[2010/12/24 02:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Chime

[2010/04/19 06:27:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Command & Conquer 3 Kane's Wrath

[2010/01/03 21:44:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Command & Conquer 3 Tiberium Wars

[2010/02/09 12:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Command and Conquer 4 Beta

[2011/03/29 03:22:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DarksporeData

[2010/04/11 19:42:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Dropbox

[2010/08/07 20:45:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EVEMon

[2010/05/23 16:10:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Facebook

[2009/06/01 08:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Foxit

[2010/03/28 23:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Foxit Software

[2011/03/11 02:43:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo

[2010/09/21 12:30:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Hi-Rez Studios

[2011/02/19 15:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Hothead Games

[2010/04/16 08:18:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\id Software

[2010/04/17 05:00:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\ijjigame

[2010/12/26 16:05:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MP3SkypeRecorder

[2010/08/10 17:25:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NationRed

[2010/08/14 23:43:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Notepad++

[2009/09/22 17:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NPLUTO Corporation

[2010/10/09 07:51:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Octoshape

[2010/08/28 13:49:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org

[2010/01/03 22:58:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Red Alert 3

[2010/01/03 04:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Red Alert 3 Demo

[2010/01/06 11:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Red Alert 3 Uprising

[2011/02/15 20:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\RIFT

[2009/12/04 18:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\runic games

[2011/03/12 12:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ScC

[2011/01/11 00:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony Online Entertainment

[2010/08/26 09:24:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1

[2010/09/06 15:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Unity

[2010/06/14 22:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search

[2011/02/15 13:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Search

[2011/03/04 14:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\yoclient

[2010/04/12 19:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ZombieDriver

[2011/03/31 14:16:58 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

< End of report >

Hi again, let's see if we can fix this. :)

You can copy the script below into Notepad (press Windows key + R, type notepad and press Enter) and save it to your flash drive. Then put the flash drive into the sick computer, and run OTH like last time.

Except now, instead of clicking Quick Scan, copy/paste the following text into the "custom scan/fix" field and click Run Fix.

:otl
O32 - AutoRun File - [2011/03/31 14:05:44 | 000,000,016 | -H-- | M] () - J:\AUTORUN.INF -- [ FAT32 ]
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "%1" %* ()
[2011/03/31 08:38:47 | 000,006,790 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\1pu4igwom771p2571ra12y7fk5447qc4010k6c3cbv2p5ub
[2011/03/31 08:38:47 | 000,006,790 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1pu4igwom771p2571ra12y7fk5447qc4010k6c3cbv2p5ub
[2011/03/31 08:38:46 | 000,331,776 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\tsv.exe
[2011/03/31 08:38:45 | 000,331,776 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe

:commands
[reboot]

Your computer should be rebooted. Afterwards, let me know how things are. Any problem left?

I am posting now from the formerly infected computer.

I have done the above. When it rebooted I watched Task Manager to make sure it didn't reappear. I ran a quick scan of Malwarebytes and found 6 infected entries; posting the log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6244

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/2/2011 1:25:34 AM
mbam-log-2011-04-02 (01-25-34).txt

Scan type: Quick scan
Objects scanned: 156651
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I was able to enable Windows Firewall and get mbam to work, of course, and I'm now in Firefox posting this. I see those keys must have been what was disabling/alerting the malware to execute. Should I also delete them from the quarantine list?

I am having one issue that still occurs. It says my automatic updates are disabled. I go into Security Center to try and correct it and it says it is unable to do that, please go to Automatic Updates, so I do and it says that I'm already on the recommended setting. So it's telling me that it's off in Security Center, and in Automatic Updates it's telling me that it's on. I'll probably go to the Microsoft manual Windows Update page at some point. I just wanted to check with you first. I will run a full mbam scan in the meantime.

I would like to do additional logs and scans if you are available to walk me through it. Maybe an ESET scan. I want to be absolutely sure I am clean before I start using this computer fully again. You have been so amazing. Thank you so very very much. I hope to hear from you soon.

Let's make sure things are okay here and do some additional scanning.

The problem here was not the keys mbam removed, the problem was that the fake scanner process had hooked up the exe file extension. So, as soon as you ended that process using Task Manager, no exe file could run anymore.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
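As an added triage example (my code, not part of this thread and not OTL's, MBAM's or ComboFix's own), here is a Python script that parses the O35/O32 lines from the OTL fix script posted earlier and the "Registry Data Items Infected" lines from the MBAM log, and flags the exefile association hijack described above, the StartMenuInternet browser-launch hijack, the disabled Security Center notifications, and the autorun.inf on the flash drive. The sample lines are copied from this thread; the "clean" exefile command value it compares against is an assumption, not something the thread states.

```python
"""Triage helper for OTL and Malwarebytes (MBAM) log lines.

Flags the tampering this thread turns on: the exefile "open" association
wrapped by another executable (OTL O35 line), StartMenuInternet browser
launch commands wrapped the same way (MBAM), Security Center notification
flags switched off (MBAM), and an autorun.inf on a removable drive (O32).
"""
import re
from dataclasses import dataclass

# Assumption (not stated in the thread): a stock exefile "open" command is
# "%1" %*.  Any other value interposes a program on every .exe launch.
CLEAN_EXEFILE_OPEN = '"%1" %*'

# OTL O35 line:  O35 - HKCU\..exefile [open] -- <command> ()
OTL_O35 = re.compile(
    r'^O35 - (?P<hive>HK\w+)\\\.\.(?P<ext>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.*?) \(\)\s*$')
# OTL O32 line:  O32 - AutoRun File - [<stamp>] () - <path> -- [ <fs> ]
OTL_O32 = re.compile(
    r'^O32 - AutoRun File - \[(?P<stamp>[^\]]+)\] \(\) - (?P<path>.+?) -- \[ (?P<fs>\w+) \]\s*$')
# MBAM "Registry Data Items Infected" line:
#   <key>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
MBAM_DATA = re.compile(
    r'^(?P<key>HKEY_.+?) \((?P<detection>[^()\s]+)\) -> Bad: \((?P<bad>.*?)\) '
    r'Good: \((?P<good>.*?)\) -> (?P<action>.*)$')
# First double-quoted token of a command line: the program that really runs.
QUOTED = re.compile(r'"([^"]+)"')


@dataclass
class Finding:
    kind: str   # class of tampering
    where: str  # registry location or file path
    bad: str    # value seen in the log
    good: str   # value a clean system carries


def wrapper_executable(command):
    """Base name of the first quoted path in a command line, lower-cased."""
    m = QUOTED.search(command)
    return m.group(1).rsplit('\\', 1)[-1].lower() if m else None


def classify_otl(line):
    """Classify one OTL line; None when it is not a finding we care about."""
    m = OTL_O35.match(line)
    if m:
        if (m.group('ext') == 'exefile' and m.group('verb') == 'open'
                and m.group('cmd') != CLEAN_EXEFILE_OPEN):
            where = m.group('hive') + '\\..' + m.group('ext') + ' [' + m.group('verb') + ']'
            return Finding('exefile-association-hijack', where, m.group('cmd'), CLEAN_EXEFILE_OPEN)
        return None
    m = OTL_O32.match(line)
    if m:
        return Finding('autorun-file', m.group('path'), 'present', 'absent')
    return None


def classify_mbam(line):
    """Classify one MBAM registry-data line; None for anything else."""
    m = MBAM_DATA.match(line)
    if not m:
        return None
    det = m.group('detection')
    if det == 'Hijack.StartMenuInternet':
        kind = 'browser-launch-hijack'
    elif det == 'PUM.Disabled.SecurityCenter':
        kind = 'security-center-alerts-disabled'
    else:
        kind = 'other:' + det
    return Finding(kind, m.group('key'), m.group('bad'), m.group('good'))


def triage(lines):
    """Return (findings, set of interposed binaries) for a batch of log lines."""
    findings = [f for f in (classify_otl(l) or classify_mbam(l) for l in lines) if f]
    wrappers = {wrapper_executable(f.bad) for f in findings if f.kind.endswith('-hijack')}
    return findings, wrappers


# Sample input: lines copied from the OTL fix script and MBAM log in this thread.
SAMPLE_LOG = [
    r'O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "%1" %* ()',
    r'O32 - AutoRun File - [2011/03/31 14:05:44 | 000,000,016 | -H-- | M] () - J:\AUTORUN.INF -- [ FAT32 ]',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.',
    '(No malicious items detected)',
]

if __name__ == '__main__':
    found, wrappers = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:34} {f.where}\n    bad:  {f.bad}\n    good: {f.good}")
    print('interposed binaries:', sorted(wrappers))
```

Every hijacked command resolves to the same interposed binary, which is why ending that one process left nothing able to launch an .exe until the association was restored.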

ComboFix 11-04-01.01 - Owner 04/02/2011   6:04.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.1990 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_IAS

.

.

((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))

.

.

2011-03-31 01:46 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3DCDAC99-F738-45AF-A668-8F71CDE7EDA5}\mpengine.dll

2011-03-29 10:22 . 2011-03-29 10:22 -------- d-----w- c:\documents and settings\Owner\Application Data\DarksporeData

2011-03-18 19:25 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2011-03-18 19:03 . 2011-03-19 14:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Darksiders

2011-03-18 19:01 . 2011-03-18 19:01 -------- d-----w- c:\program files\THQ

2011-03-18 06:10 . 2011-03-18 06:10 -------- d-----w- C:\My Games

2011-03-18 06:04 . 2011-03-18 06:04 -------- d-----w- c:\windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP

2011-03-12 19:17 . 2011-03-12 19:34 -------- d-----w- c:\documents and settings\Owner\Application Data\ScC

2011-03-12 19:17 . 2011-03-12 19:17 -------- d-----w- c:\program files\brn

2011-03-12 14:48 . 2011-03-12 14:48 -------- d-----w- c:\program files\Common Files\Skype

2011-03-11 09:47 . 2011-03-11 09:47 -------- d-----w- C:\Perfect World Entertainment

2011-03-11 09:43 . 2011-03-11 09:43 258352 ----a-w- c:\windows\system32\unicows.dll

2011-03-11 09:25 . 2011-03-11 09:43 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo

2011-03-10 09:08 . 2011-03-19 17:30 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-10 09:08 . 2011-03-19 17:30 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-10 09:08 . 2011-03-19 17:30 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-10 09:08 . 2011-03-19 17:30 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-10 09:08 . 2011-03-19 17:30 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-10 09:08 . 2011-03-19 17:30 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-10 09:08 . 2011-03-19 17:30 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-03-10 09:08 . 2011-03-19 17:30 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-09 08:06 . 2011-03-09 08:06 -------- d-----w- c:\program files\iPod

2011-03-09 08:03 . 2011-03-09 08:03 -------- d-----w- c:\program files\Bonjour

2011-03-04 20:54 . 2011-03-04 21:21 -------- d-----w- c:\documents and settings\Owner\Application Data\yoclient

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-23 19:58 . 2009-08-18 19:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll

2011-03-23 19:58 . 2009-08-18 19:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-03-15 04:05 . 2011-01-23 10:21 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-03-09 06:56 . 2009-05-09 03:48 138440 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-03-09 06:56 . 2009-07-06 09:44 270856 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-03-09 06:56 . 2009-05-09 03:47 270856 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-03-07 20:22 . 2009-05-09 03:47 270856 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-02-23 08:33 . 2011-02-23 08:33 81920 ----a-w- c:\windows\system32\nvwddi.dll

2011-02-23 08:33 . 2011-02-23 08:33 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll

2011-02-23 08:33 . 2011-02-23 08:33 277608 ----a-w- c:\windows\system32\nvmccs.dll

2011-02-23 08:33 . 2011-02-23 08:33 156776 ----a-w- c:\windows\system32\nvsvc32.exe

2011-02-23 08:33 . 2011-02-23 08:33 145000 ----a-w- c:\windows\system32\nvcolor.exe

2011-02-23 08:33 . 2011-02-23 08:33 13880424 ----a-w- c:\windows\system32\nvcpl.dll

2011-02-23 08:33 . 2011-02-23 08:33 111208 ----a-w- c:\windows\system32\nvmctray.dll

2011-02-23 08:27 . 2011-01-25 20:42 941160 ----a-w- c:\windows\system32\nvdispco322090.dll

2011-02-23 08:27 . 2011-01-25 20:42 837736 ----a-w- c:\windows\system32\nvgenco322040.dll

2011-02-23 08:27 . 2009-11-28 10:10 61440 ----a-w- c:\windows\system32\OpenCL.dll

2011-02-23 08:27 . 2009-11-28 10:10 13004800 ----a-w- c:\windows\system32\nvcompiler.dll

2011-02-23 08:27 . 2009-08-14 14:42 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll

2011-02-23 08:27 . 2009-03-27 17:03 9888384 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2011-02-23 08:27 . 2009-03-27 17:03 6398720 ----a-w- c:\windows\system32\nv4_disp.dll

2011-02-23 08:27 . 2009-03-27 17:03 2916968 ----a-w- c:\windows\system32\nvcuvid.dll

2011-02-23 08:27 . 2008-10-07 20:33 4980736 ----a-w- c:\windows\system32\nvcuda.dll

2011-02-23 08:27 . 2008-10-07 20:33 1958400 ----a-w- c:\windows\system32\nvapi.dll

2011-02-23 08:27 . 2008-10-07 20:33 14671872 ----a-w- c:\windows\system32\nvoglnt.dll

2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-03 04:40 . 2010-04-16 15:54 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-03 02:19 . 2010-04-16 15:54 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58 . 2009-05-06 23:28 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2009-05-06 23:28 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-20 20:55 . 2009-05-09 03:48 138056 ----a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys

2011-01-20 20:46 . 2010-10-06 14:28 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe

2011-01-15 07:01 . 2009-05-09 03:47 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-01-13 09:41 . 2011-01-25 19:48 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2011-03-19 17:30 . 2011-03-10 09:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\Steam\steam.exe" [2010-11-17 1242448]

"Timezone"="c:\program files\Microsoft Time Zone\TimeZone.exe" [2004-10-19 712704]

"StarcraftCalendar"="c:\program files\brn\ScCalendar\StarcraftCalendar.exe" [2011-03-12 4382208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\condition zero deleted scenes\\hl.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH -dev.exe"=

"c:\\Program Files\\Heroes of Newerth\\hon.exe"=

"c:\\Program Files\\Verizon\\FIOS\\smartaccess\\FIOS.exe"=

"c:\\Program Files\\Verizon\\FIOS\\smartaccess\\restartFIOS.exe"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\half-life 2 deathmatch\\hl2.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\half-life blue shift\\hl.exe"=

"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=

"c:\\Program Files\\Steam\\steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\red faction guerrilla\\rfg.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\stalker call of pripyat\\bin\\xrEngine.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\stalker clear sky\\bin\\xrEngine.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\half-life\\hl.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age orgins character creator\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age orgins character creator\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\stalker call of pripyat\\Stalker-COP.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\red faction guerrilla\\rfg_launcher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\GTAIV\\GTAIV.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv episodes from liberty city\\EFLC\\EFLC.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto san andreas\\gta-sa.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto vice city\\gta-vc.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv episodes from liberty city\\EFLC\\LaunchEFLC.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\mass effect 2\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\counterstrike source beta\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\street fighter iv\\SF4Launcher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\street fighter iv\\StreetFighterIV.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto iv\\GTAIV\\LaunchGTAIV.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\puzzle quest\\Puzzle Quest.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\docs\\EA Help\\Electronic_Arts_Technical_Support.htm"=

"c:\\Program Files\\Steam\\steamapps\\common\\grand theft auto 3\\gta3.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\foreign legion (buckets of blood)\\Foreign Legion.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\worms reloaded\\WormsReloaded.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\global agenda live\\Binaries\\GlobalAgenda.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\dead rising 2\\deadrising2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD_Demo.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization v\\CivilizationV.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\puzzlequest2\\PuzzleQuest2.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=

"c:\\Program Files\\GRETECH\\GomTVStreamer\\GomTVStreamerLive.exe"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\source sdk base 2007\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\borderlands\\Binaries\\Borderlands.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\magic the gathering - duels of the planeswalkers\\DotP.exe"=

"c:\\Program Files\\Steam\\steamapps\\goten1201\\counter-strike\\hl.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\autopatcher.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\autopatcher2.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\autopatcherx.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\autopatchery.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\global agenda live\\Binaries\\LauncherBin\\HiRezLauncherUI.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\flight_control_hd\\flightControl_win32.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\rhythm zone\\rhythmzone.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\beat hazard\\BeatHazard.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\lara croft and the guardian of light\\lcgol.exe"=

"c:\\Program Files\\EA Games\\Battlefield Play4Free\\BFP4f.exe"=

"c:\\Program Files\\Electronic Arts\\Medal of Honor


Yes, you can try that. Please let me know how things are after that.

Can you please rerun OTL (without OTH), click the NONE button, then change the value under extra registry to "use safelist" and click Run Scan. Post me the resulting extra.txt


Yes, you can try that. Please let me know how things are after that.

Can you please rerun OTL (without OTH), click the NONE button, then change the value under extra registry to "use safelist" and click Run Scan. Post me the resulting extra.txt

I have attached extras.txt

Also after running Dial-A-Fix with the instructions from the other thread I posted, Windows Automatic Updates now shows as on correctly in Security Center. I am able to run it and use the microsoft update url correctly with no errors and I even downloaded a small update to test it successfully.

Extras.Txt


That is all looking very good. Do you have any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on ESET Smart Installer to download it. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.
  4. Check the box to accept the terms of use.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check the option to scan archives.
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push the button to list the found threats.
  11. Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
  12. Push the Back button.
  13. Push Finish.


That is all looking very good. Do you have any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on ESET Smart Installer to download it. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.
  4. Check the box to accept the terms of use.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check the option to scan archives.
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push the button to list the found threats.
  11. Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
  12. Push the Back button.
  13. Push Finish.

C:\System Volume Information\_restore{7B6091FF-43CD-4D90-A19C-B497E33EDC0B}\RP640\A0149343.exe	a variant of Win32/Kryptik.MEO trojan	cleaned by deleting - quarantined
C:\System Volume Information\_restore{7B6091FF-43CD-4D90-A19C-B497E33EDC0B}\RP640\A0149342.exe	a variant of Win32/Kryptik.MEO trojan	cleaned by deleting - quarantined

I disabled Microsoft Security Essentials because it prompted me that it could conflict with the scan. The scan went through well and I enabled MSE after the scan with no problems.
I don't seem to have any more problems.

I forgot to ask, should I delete the quarantine list in Malwarebytes Anti-Malware that has the 6 previously listed entries that were deleted successfully? I also have a missing MUI reference to the old ljm.exe virus. Should I delete that registry key, or fix it using CCleaner's registry fix option?


I also have a missing MUI reference to the old ljm.exe virus. Should I delete that registry key, or fix it using CCleaner's registry fix option?

I do not recommend using any registry cleaner! Please copy/paste me the detection in this case, so I can see if it needs action or not.

This infection hooks up file extensions and using a registry cleaner to clean up "left overs" can do quite some damage.

You can delete the items quarantined by MBAM, although they can do no harm as they are.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Please run OTL and click the Cleanup button. This will remove all logs and tools we used.

Please read the following advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; the paid versions provide a resident scanner and do not nag.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Hmm, after rebooting my computer without touching registry keys at all, that prompt seems to be gone. No missing MUI reference from the MUI cache. From what I remember it was a reference to C:\Documents and Settings\Owner\Local Settings\Application Data\ljm.exe in HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache.

I will follow the instructions on tool removal.


I suspected as much. :)

This particular registry key stores keys that were recently accessed. You can see it as something like browsing history. This does not mean that the keys/values are actually there, and they are cleaned up automatically. Even if they are there, these keys can do absolutely no harm.

Please let me know if you have any other questions!
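Since the question here turns on what a MUICache entry actually means, here is an added PowerShell example, not from the thread or from any of the tools used in it, that lists the MUICache values and flags those whose executable is gone from disk or that ran from a per-user data directory such as the one ljm.exe used. The key path for Vista and later, the list of user-data directories and the function name Get-MuiCacheReport are assumptions of the example; the ShellNoRoam key is the one named in the thread.

```powershell
# Added example, not from the thread or from any tool used in it.
# Lists MUICache entries (the key the thread refers to) and flags entries whose
# executable is no longer on disk or that sat under a per-user data directory,
# as ljm.exe did. MUICache records programs that were run, not what is installed,
# so a flagged entry is something to look at, not an infection by itself.

function Get-MuiCacheReport {
    # XP-era key named in the thread, plus the location used by Vista and later (assumption).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
        'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
    )
    # Per-user directories where droppers commonly land (assumed list for this example).
    $userDataDirs = @(
        '\Local Settings\Application Data\',
        '\Local Settings\Temp\',
        '\AppData\Local\',
        '\AppData\Roaming\'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Vista and later store "<path>.FriendlyAppName" / "<path>.ApplicationCompany";
            # XP stores the bare path. Strip the suffix to get the executable path.
            $exe = $name -replace '\.(FriendlyAppName|ApplicationCompany)$', ''
            if ($exe -notmatch '\.exe$') { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            $inUserDir = $false
            foreach ($d in $userDataDirs) {
                if ($expanded -like "*$d*") { $inUserDir = $true }
            }
            # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (XP).
            New-Object PSObject -Property @{
                Executable    = $expanded
                DisplayName   = $item.GetValue($name)
                StillOnDisk   = (Test-Path -LiteralPath $expanded)
                InUserDataDir = $inUserDir
                Key           = $key
            }
        }
    }
}

# Show only the entries worth a second look: gone from disk, or run out of a
# per-user data directory.
Get-MuiCacheReport |
    Where-Object { -not $_.StillOnDisk -or $_.InUserDataDir } |
    Format-Table Executable, DisplayName, StillOnDisk, InUserDataDir -AutoSize
```

Run it in the affected user's own session, since HKCU is per user. Read the output the way the helper describes the key, as a history of what was run: an entry whose file no longer exists is exactly what you expect after a cleanup, and it is not something to fix with a registry cleaner. An entry that still exists on disk under a per-user data directory is the one worth submitting for a second opinion.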


Nope that should be all. I think I will have to uninstall ESET as well since I had to use the installer version because I use a different browser than IE but that should be just like every other uninstall.

Thank you so much for your help. Hope to donate when I can.

