
Webshlock

Discussion in 'Malware Removal Help' started by chipperone, Apr 16, 2011.

  1. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    I have recently been downloading music and have picked up this malware somewhere along the line. I am unable to do much (I can't even launch ATF Cleaner). Is there anybody who can help? I only found out the name because I was clearing out my temporary internet files and this refused to delete; a quick Google search told me what it was, but not how to remove it.
     
  2. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    I know this has come up before so while you are waiting for a better reply than I can give you may want to have a read of the following thread. Please just read it. Do not add to it. http://computerhelpforums.net/topic/13505-recycler-or-webshlock-trojan/
     
  3. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    It does seem that the topic that I mentioned above did not play itself out. Since this is in Malware Removal I would urge you to start the process in the following topic and Starbuck will be able to help you. http://computerhelpforums.net/topic/13814-preparation-for-malware-removal-help/
     
  4. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    Thanks, will begin this process now
     
  5. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    I was unable to do anything mentioned in the process, none of the programs would launch after being downloaded. The only thing I can use right now is internet explorer.
     
  6. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    I have sent a PM to Starbuck but keep in mind that it is the weekend. In the meantime have you tried going into safe mode and running the programs from there?
     
  7. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    Thanks, I would love to go into safe mode but am not sure how to. I don't get the option on startup and don't know how to trigger it manually.
     
  8. DSTM (Dougie)

    DSTM (Dougie) Registered Members

    Joined:
    May 3, 2009
    Messages:
    8,270
    Location:
    SYDNEY AUSTRALIA
    Operating System:
    Windows 7
  9. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    When I followed the instructions I was given the following boot menu:

    Select first boot device

    IDE-0 :ST340014A
    CD/DVD-0 :ATAPI CD-ROM MAX 56X
    NETWORK

    [Up/Dn] Select [RETURN] Boot [ESC] Cancel
     
  10. DSTM (Dougie)

    DSTM (Dougie) Registered Members

    Joined:
    May 3, 2009
    Messages:
    8,270
    Location:
    SYDNEY AUSTRALIA
    Operating System:
    Windows 7
    OK try this. May take you a couple of goes to get it right.

    As your computer restarts but before Windows launches, press F8 repeatedly.

    Use the arrow keys to highlight the appropriate safe mode option, which is "Safe Mode with Networking" then press ENTER.

    Once you have got this far, be patient and Windows will eventually appear in Safe Mode.
     
  11. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi chipperone

    Do you have Avast installed by any chance?

    So you can access your system in normal mode?

    Download RogueKiller and save it to your desktop.
    • Close all running processes
    • Double click RogueKiller icon to run the program
      Vista/Win7 users should right click the icon and select Run as Administrator.
    • When prompted, type 1 (SCAN) and then press Enter
    • A report will open, please copy and paste this report in your next reply.
    A copy of the RKreport.txt can be found on your desktop.

    Note:
    If RogueKiller is blocked, do not hesitate to try running it again.
    If it still fails to run, right click on the downloaded icon and select 'Rename', then rename it to winlogon and try again.


    In your next reply, please submit:
    RKreport.txt


    Thanks.
     
  12. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    RogueKiller V4.3.9 [04/16/2011] by Tigzy
    contact at http://www.sur-la-toile.com
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: biac user 3 [Admin rights]
    Mode: Scan -- Date : 04/17/2011 13:58:11

    Bad processes: 1
    [APPDT/TMP/DESKTOP] cIe01804aOkDd01804.exe -- c:\documents and settings\all users\application data\cie01804aokdd01804\cie01804aokdd01804.exe -> KILLED

    Registry Entries: 2
    [APPDT/TMP/DESKTOP] HKCU\[...]\RunOnce : cIe01804aOkDd01804 (C:\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe) -> FOUND
    [APPDT/TMP/DESKTOP] HKUS\S-1-5-21-1993962763-1343024091-854245398-1003[...]\RunOnce : cIe01804aOkDd01804 (C:\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe) -> FOUND

    HOSTS File:
    127.0.0.1 localhost


    Finished : << RKreport[1].txt >>
    RKreport[1].txt


    I had to rename it before it would run, thanks. What do I do next?

    Also; yes I do use avast, I was told by a friend it was the best free antivirus available.
     
  13. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi chipperone

    Webshlock is actually created by Avast, that is why I asked.
    But I had a feeling that something else was the actual cause of the problem.... seems I was right.

    Step 1
    • Close all the running processes
    • Double click RogueKiller icon to run the program
      Vista/Win7 users should right click the icon and select Run as Administrator.
    • When prompted, type 2 (Delete) and then press Enter
    • A report will open, please copy and paste this report in your next reply.
    A copy of the RKreport.txt can be found on your desktop.


    Step 2
    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2


    This is an example, you may rename ComboFix to anything you want.

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read:
      How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Then:

      Double click on Combo-Fix.exe & follow the prompts.

      Vista/Win7 users should right click on the icon and select Run as Administrator.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

      If running Vista/Win7, you may not see this screen
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    Note:
    Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Thanks
     
  14. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    Here are the reports. My PC is already running faster and not getting so many pop-ups. Thanks. Is there anything else which needs to be done?

    RogueKiller V4.3.9 [04/16/2011] by Tigzy
    contact at http://www.sur-la-toile.com
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: biac user 3 [Admin rights]
    Mode: Remove -- Date : 04/17/2011 15:59:58

    Bad processes: 0

    Registry Entries: 1
    [APPDT/TMP/DESKTOP] HKCU\[...]\RunOnce : cIe01804aOkDd01804 (C:\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe) -> DELETED

    HOSTS File:
    127.0.0.1 localhost


    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt



    ComboFix 11-04-16.03 - biac user 3 17/04/2011 16:16:09.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.503.287 [GMT 1:00]
    Running from: c:\documents and settings\biac user 3\Desktop\fixnow.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\cIe01804aOkDd01804
    c:\documents and settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804
    c:\documents and settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe
    c:\documents and settings\biac user 3\WINDOWS
    c:\windows\command
    c:\windows\desktop
    c:\windows\inf\internet
    c:\windows\system\Color
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-25 05:30 . 2011-03-25 05:30 -------- d-----w- c:\program files\Veoh Networks
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-07 05:33 . 2003-02-11 23:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2003-02-11 23:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2003-02-11 23:06 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2003-02-11 23:06 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2003-02-11 23:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2003-02-11 23:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2003-02-11 23:05 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2003-02-11 23:05 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2003-02-11 23:06 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2010-05-10 12:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2003-02-11 23:05 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53 . 2003-02-11 23:06 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2003-02-11 23:05 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33 . 2003-02-11 23:05 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33 . 2003-02-11 23:05 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 21:40 . 2010-05-10 15:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 19:19 . 2010-05-10 15:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2003-02-11 23:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2003-02-11 23:25 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2003-02-11 23:06 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-24 2423752]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-21 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-9-5 65588]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wscsvc"=2 (0x2)
    "ERSvc"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    .
    R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [11/11/2010 21:21 691696]
    R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\SYSTEM32\DRIVERS\tffsport.sys [31/05/2010 14:47 149376]
    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [13/06/2010 12:17 294608]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [13/06/2010 12:17 17744]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
    S3 DIGIRPS;Digi PortServer Driver;c:\windows\SYSTEM32\DRIVERS\digirlpt.sys [31/05/2010 14:52 42432]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    2011-04-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1993962763-1343024091-854245398-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
    .
    2011-04-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1993962763-1343024091-854245398-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.sky.com/
    uInternet Connection Wizard,ShellNext = iexplore
    FF - ProfilePath - c:\documents and settings\biac user 3\Application Data\Mozilla\Firefox\Profiles\t1zbb1nc.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-MagicDisc 2.7.106 - c:\progra~1\MAGICD~1\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-17 16:21
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
    @DACL=(02 0000)
    @SACL=
    "WinSock_Registry_Version"="2.0"
    "Current_NameSpace_Catalog"="NameSpace_Catalog5"
    "Current_Protocol_Catalog"="Protocol_Catalog9"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(660)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-04-17 16:23:30
    ComboFix-quarantined-files.txt 2011-04-17 15:23
    .
    Pre-Run: 27,547,476,480 bytes free
    Post-Run: 27,526,316,032 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" oexecute=optin /fastdetect
    .
    - - End Of File - - F048C867C496487BF49DA06F9F204900
     
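    As an added example (not code from this thread, nor RogueKiller's own), a parser for the RogueKiller report format posted above, plus a check that explains the count difference between the two runs: the Scan run lists the RunOnce entry twice (once as HKCU\..., once as HKUS\<SID>...), but HKCU is only a view of HKEY_USERS\<SID of the logged-on user>, so the Remove run's single DELETED line clears both. The SID used below is assumed to be that of the account that ran the scan; the page never states it directly.

```python
import re

# Constructed sample inputs: the finding lines of the two RogueKiller reports
# posted in this thread (the Scan run, then the Remove run), kept verbatim.
SCAN_REPORT = r"""
Mode: Scan -- Date : 04/17/2011 13:58:11

Bad processes: 1
[APPDT/TMP/DESKTOP] cIe01804aOkDd01804.exe -- c:\documents and settings\all users\application data\cie01804aokdd01804\cie01804aokdd01804.exe -> KILLED

Registry Entries: 2
[APPDT/TMP/DESKTOP] HKCU\[...]\RunOnce : cIe01804aOkDd01804 (C:\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-1993962763-1343024091-854245398-1003[...]\RunOnce : cIe01804aOkDd01804 (C:\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe) -> FOUND

HOSTS File:
127.0.0.1 localhost
"""

REMOVE_REPORT = r"""
Mode: Remove -- Date : 04/17/2011 15:59:58

Bad processes: 0

Registry Entries: 1
[APPDT/TMP/DESKTOP] HKCU\[...]\RunOnce : cIe01804aOkDd01804 (C:\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe) -> DELETED

HOSTS File:
127.0.0.1 localhost
"""

# Assumption: the SID in the HKUS line belongs to the account that ran the scan
# (the thread never states the user's SID explicitly).
LOGGED_ON_USER_SID = "S-1-5-21-1993962763-1343024091-854245398-1003"

_REG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] (?P<key>\S+) : (?P<name>\S+) "
                     r"\((?P<path>.+)\) -> (?P<action>\w+)$")
_PROC_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] (?P<name>\S+) -- (?P<path>.+?) -> (?P<action>\w+)$")
_SECTION_RE = re.compile(r"^(Bad processes|Registry Entries): (\d+)$")


def parse_report(text):
    """Return (mode, findings) for one RogueKiller report.

    A finding is a dict with kind ("process"/"registry"), tag, name, path,
    action and, for registry findings, key. The counts the report declares
    per section are cross-checked against what was actually parsed."""
    mode, section, declared, findings = None, None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mode: "):
            mode = line.split()[1]
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            declared[section] = int(m.group(2))
            continue
        if line.startswith("HOSTS File"):
            section = None  # hosts lines are "ip name" pairs, not findings
            continue
        if section == "Registry Entries" and (m := _REG_RE.match(line)):
            findings.append(dict(kind="registry", **m.groupdict()))
        elif section == "Bad processes" and (m := _PROC_RE.match(line)):
            findings.append(dict(kind="process", **m.groupdict()))
    for sec, count in declared.items():
        kind = "registry" if sec == "Registry Entries" else "process"
        parsed = sum(1 for f in findings if f["kind"] == kind)
        if parsed != count:
            raise ValueError(f"{sec}: report declares {count}, parsed {parsed}")
    return mode, findings


def canonical_key(key, user_sid):
    r"""Map both spellings RogueKiller uses for one key onto one string.

    HKCU is a view of HKEY_USERS\<SID of the logged-on user>, so
    HKCU\[...]\RunOnce and HKUS\<SID>[...]\RunOnce are the same physical key."""
    if key.upper().startswith("HKCU\\"):
        key = "HKUS\\" + user_sid + key[len("HKCU"):]
    key = key.replace("[...]", "\\")           # drop the elided middle path
    return re.sub(r"\\+", r"\\", key).lower()  # collapse doubled separators


def persistence_locations(findings, user_sid):
    """Distinct (key, value name, target path) triples among registry findings."""
    return {(canonical_key(f["key"], user_sid), f["name"].lower(), f["path"].lower())
            for f in findings if f["kind"] == "registry"}


def leftovers(scan_text, remove_text, user_sid):
    """Persistence the Scan run reported FOUND that the Remove run did not DELETE."""
    _, scan = parse_report(scan_text)
    _, removal = parse_report(remove_text)
    found = persistence_locations([f for f in scan if f["action"] == "FOUND"], user_sid)
    deleted = persistence_locations([f for f in removal if f["action"] == "DELETED"], user_sid)
    return found - deleted


if __name__ == "__main__":
    _, scan = parse_report(SCAN_REPORT)
    print(f"scan: {len(scan)} findings, "
          f"{len(persistence_locations(scan, LOGGED_ON_USER_SID))} distinct persistence key(s)")
    print("left after Remove run:", leftovers(SCAN_REPORT, REMOVE_REPORT, LOGGED_ON_USER_SID) or "none")
```

With the wrong SID supplied, the two lines no longer collapse and one location shows up as a leftover, which is the kind of false alarm a reviewer should rule out before telling a user the clean-up is incomplete.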
  15. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi chipperone

    Yep, let's get a better look at things now.

    • Download OTL to your desktop.
      right click on the link and select 'Save Link/Target As'.

      if you have problems, try this download link:
      OTL
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check

    • Now copy the lines in bold below.

      netsvcs
      msconfig
      %SYSTEMDRIVE%\*.*
      %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\System32\config\*.sav
      %PROGRAMFILES%\*
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      CREATERESTOREPOINT


    • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

    • Click the Run Scan button.
    • Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


    Don't forget to add both reports in next reply.

    Thanks
     
    Last edited by a moderator: Feb 4, 2014
  16. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    ready for more

    OTL logfile created on: 17/04/2011 17:52:25 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\biac user 3\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    503.00 Mb Total Physical Memory | 290.00 Mb Available Physical Memory | 58.00% Memory free
    654.00 Mb Paging File | 502.00 Mb Available in Paging File | 77.00% Paging File free
    Paging file location(s): C:\pagefile.sys 180 360 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 36.13 Gb Total Space | 25.65 Gb Free Space | 70.98% Space Free | Partition Type: NTFS
    Drive D: | 1.13 Gb Total Space | 1.12 Gb Free Space | 99.15% Space Free | Partition Type: NTFS

    Computer Name: BIAC-EEEE3A9182 | User Name: biac user 3 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\biac user 3\Desktop\OTL.scr (OldTimer Tools)
    PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\biac user 3\Desktop\OTL.scr (OldTimer Tools)
    MOD - C:\Program Files\Alwil Software\Avast5\snxhk.dll (AVAST Software)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (HidServ) -- File not found
    SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
    SRV - (npggsvc) -- C:\WINDOWS\System32\GameMon.des (INCA Internet Co., Ltd.)


    ========== Driver Services (SafeList) ==========

    DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
    DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
    DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
    DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
    DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
    DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
    DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
    DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (mcdbus) -- C:\WINDOWS\SYSTEM32\DRIVERS\mcdbus.sys (MagicISO, Inc.)
    DRV - (tffsport) -- C:\WINDOWS\system32\DRIVERS\tffsport.sys (M-Systems)
    DRV - (NPPTNT2) -- C:\WINDOWS\SYSTEM32\npptNT2.sys (INCA Internet Co., Ltd.)
    DRV - (S3SavageNB) -- C:\WINDOWS\SYSTEM32\DRIVERS\s3gnbm.sys (S3 Graphics, Inc.)
    DRV - (VIAudio) VIA AC'97 Audio Controller (WDM) -- C:\WINDOWS\SYSTEM32\DRIVERS\viaudio.sys (VIA Technologies, Inc.)
    DRV - (viaagp1) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
    DRV - (DIGIRPS) -- C:\WINDOWS\SYSTEM32\DRIVERS\digirlpt.sys (Digi International, Inc.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "google.com"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/25 05:21:44 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/25 05:21:44 | 000,000,000 | ---D | M]

    [2010/06/02 22:20:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\biac user 3\Application Data\Mozilla\Extensions
    [2011/02/27 11:36:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\biac user 3\Application Data\Mozilla\Firefox\Profiles\t1zbb1nc.default\extensions
    [2011/04/15 14:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/05/10 16:05:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/08/19 11:17:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2011/03/07 21:27:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2010/05/10 16:04:53 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/11/12 20:40:19 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/11/12 20:40:19 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/11/12 20:40:19 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/11/12 20:40:19 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2011/04/17 16:20:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/02/19 11:22:26 | 000,000,194 | -HS- | M] () - C:\AUTOEXEC.BAK -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    MsConfig - Services: "wscsvc"
    MsConfig - Services: "ERSvc"
    MsConfig - State: "system.ini" - 0
    MsConfig - State: "win.ini" - 0
    MsConfig - State: "bootini" - 0
    MsConfig - State: "services" - 2
    MsConfig - State: "startup" - 0

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (54619756233228288)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/04/17 17:50:33 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\biac user 3\Desktop\OTL.scr
    [2011/04/17 16:14:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/04/17 16:13:19 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/04/17 16:13:19 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/04/17 16:13:19 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/04/17 16:13:19 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/04/17 16:13:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/04/17 16:11:45 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/04/17 13:58:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\biac user 3\Desktop\RK_Quarantine
    [2011/04/16 18:38:24 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\biac user 3\Desktop\TFC.exe
    [2011/04/16 17:20:33 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\biac user 3\Desktop\HJTInstall.exe
    [2011/04/16 17:18:09 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\biac user 3\Desktop\ATF-Cleaner.exe
    [2011/03/25 06:30:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\biac user 3\Start Menu\Programs\Veoh Networks, Inc
    [2011/03/25 06:30:42 | 000,000,000 | ---D | C] -- C:\Program Files\Veoh Networks

    ========== Files - Modified Within 30 Days ==========

    [2011/04/17 17:50:42 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\biac user 3\Desktop\OTL.scr
    [2011/04/17 16:20:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/04/17 16:14:57 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/04/17 16:02:09 | 004,323,312 | R--- | M] () -- C:\Documents and Settings\biac user 3\Desktop\fixnow.exe
    [2011/04/17 14:22:44 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1993962763-1343024091-854245398-1003.job
    [2011/04/17 14:22:42 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1993962763-1343024091-854245398-1003.job
    [2011/04/17 14:21:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/04/17 14:21:34 | 528,011,264 | -HS- | M] () -- C:\hiberfil.sys
    [2011/04/17 13:56:20 | 001,099,264 | ---- | M] () -- C:\Documents and Settings\biac user 3\Desktop\winlogon.exe
    [2011/04/16 18:39:19 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
    [2011/04/16 18:38:41 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\biac user 3\Desktop\TFC.exe
    [2011/04/16 17:54:35 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\biac user 3\Desktop\ATF-Cleaner.exe
    [2011/04/16 17:20:34 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\biac user 3\Desktop\HJTInstall.exe
    [2011/04/16 09:14:49 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/04/13 15:42:22 | 000,122,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/04/13 11:43:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/04/13 09:14:35 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\biac user 3\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/03/27 08:47:03 | 000,312,378 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/03/27 08:47:03 | 000,040,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

    ========== Files Created - No Company Name ==========

    [2011/04/17 16:14:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/04/17 16:14:53 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/04/17 16:13:19 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/04/17 16:13:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/04/17 16:13:19 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/04/17 16:13:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/04/17 16:13:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/04/17 16:02:09 | 004,323,312 | R--- | C] () -- C:\Documents and Settings\biac user 3\Desktop\fixnow.exe
    [2011/04/17 13:56:15 | 001,099,264 | ---- | C] () -- C:\Documents and Settings\biac user 3\Desktop\winlogon.exe
    [2011/04/16 17:43:02 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
    [2010/06/26 16:43:47 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2010/06/06 21:49:53 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\biac user 3\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/04/16 10:07:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/04/12 10:36:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2007/04/12 10:34:48 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
    [2004/09/17 17:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
    [2003/02/12 02:34:44 | 000,023,357 | -H-- | C] () -- C:\Program Files\folder.htt
    [2003/02/12 02:21:01 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
    [2003/02/12 00:36:33 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2003/02/12 00:26:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2003/02/12 00:17:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2003/02/12 00:16:18 | 000,122,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2003/02/12 00:06:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2003/02/12 00:06:14 | 000,312,378 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2003/02/12 00:06:14 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2003/02/12 00:06:14 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2003/02/12 00:06:14 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2003/02/12 00:06:12 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2003/02/12 00:06:10 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2003/02/12 00:06:06 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/02/12 00:05:56 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2003/02/12 00:05:56 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2003/02/12 00:05:39 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2003/02/12 00:05:24 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

    ========== LOP Check ==========

    [2010/06/13 12:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/11/11 21:20:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2010/09/14 13:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
    [2010/10/19 19:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
    [2010/07/10 17:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\CheckPoint
    [2010/11/20 11:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\DAEMON Tools Lite
    [2010/07/12 11:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\FOG Downloader
    [2010/10/26 10:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\GetRightToGo
    [2010/12/09 20:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\Kalydo
    [2010/05/14 09:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\Opera
    [2011/04/12 23:01:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\uTorrent
    [2010/10/11 11:56:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\biac user 3\Application Data\vghd

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2004/02/19 11:22:26 | 000,000,194 | -HS- | M] () -- C:\AUTOEXEC.BAK
    [2003/02/12 02:26:37 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/04/17 16:14:57 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/11 13:01:00 | 000,078,149 | -HS- | M] () -- C:\BOOTLOG.PRV
    [2004/08/11 13:09:50 | 000,077,492 | -HS- | M] () -- C:\BOOTLOG.TXT
    [2003/02/12 00:08:20 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/04/17 16:23:31 | 000,010,527 | ---- | M] () -- C:\ComboFix.txt
    [2000/06/08 18:00:00 | 000,093,040 | -HS- | M] () -- C:\command.com
    [2004/02/19 11:22:26 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2003/02/12 02:31:24 | 000,046,116 | -HS- | M] () -- C:\DETLOG.TXT
    [2003/10/28 16:05:18 | 000,004,717 | -HS- | M] () -- C:\ffastun.ffa
    [2003/10/28 16:05:16 | 000,081,920 | -HS- | M] () -- C:\ffastun.ffl
    [2003/10/28 16:05:18 | 000,794,624 | -HS- | M] () -- C:\ffastun0.ffx
    [2011/04/16 18:39:19 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
    [2011/04/17 14:21:34 | 528,011,264 | -HS- | M] () -- C:\hiberfil.sys
    [2000/06/08 18:00:00 | 000,110,080 | RHS- | M] () -- C:\io.sys
    [2003/02/12 02:16:58 | 000,000,022 | -HS- | M] () -- C:\MSDOS.---
    [2003/02/12 02:33:18 | 000,001,660 | RHS- | M] () -- C:\MSDOS.SYS
    [2003/02/12 02:35:56 | 000,013,492 | -HS- | M] () -- C:\NETLOG.TXT
    [2004/08/04 07:38:34 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com
    [2010/05/10 19:49:15 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/04/17 14:21:33 | 188,743,680 | -HS- | M] () -- C:\pagefile.sys
    [2003/02/12 02:16:16 | 000,013,157 | -HS- | M] () -- C:\SETUPLOG.OLD
    [2003/02/12 00:03:24 | 000,182,175 | -HS- | M] () -- C:\SETUPLOG.TXT
    [2003/02/12 02:16:16 | 000,007,809 | -HS- | M] () -- C:\SUHDLOG.---
    [2003/02/12 02:27:12 | 000,007,809 | -HS- | M] () -- C:\SUHDLOG.DAT
    [2003/02/12 02:27:10 | 000,471,072 | -HS- | M] () -- C:\SYSTEM.1ST
    [2003/02/12 02:33:04 | 000,049,152 | -HS- | M] () -- C:\VIDEOROM.BIN

    < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >
    [2010/11/11 21:21:12 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys

    < %systemroot%\system32\*.exe /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2003/02/12 00:13:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\default.sav
    [2003/02/12 00:13:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\software.sav
    [2003/02/12 00:13:14 | 000,872,448 | ---- | M] () -- C:\WINDOWS\SYSTEM32\config\system.sav

    < %PROGRAMFILES%\* >
    [2003/02/12 02:34:46 | 000,000,271 | -HS- | M] () -- C:\Program Files\desktop.ini
    [2003/02/12 02:34:46 | 000,023,357 | -H-- | M] () -- C:\Program Files\folder.htt

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < hklm\software\clients\startmenuinternet|command /rs >
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/03/25 05:21:34 | 000,552,376 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/03/25 05:21:34 | 000,552,376 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/03/25 05:21:34 | 000,552,376 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/03/25 05:21:25 | 000,912,344 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/03/25 05:21:25 | 000,912,344 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/03/25 05:21:25 | 000,912,344 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/18 12:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/18 12:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/18 12:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

    < hklm\software\clients\startmenuinternet|command /64 /rs >
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/03/25 05:21:34 | 000,552,376 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/03/25 05:21:34 | 000,552,376 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/03/25 05:21:34 | 000,552,376 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/03/25 05:21:25 | 000,912,344 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/03/25 05:21:25 | 000,912,344 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/03/25 05:21:25 | 000,912,344 | ---- | M] (Mozilla Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/18 12:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/18 12:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/18 12:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
    HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

    < >

    < >

    < End of report >



    OTL Extras logfile created on: 17/04/2011 17:52:25 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\biac user 3\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    503.00 Mb Total Physical Memory | 290.00 Mb Available Physical Memory | 58.00% Memory free
    654.00 Mb Paging File | 502.00 Mb Available in Paging File | 77.00% Paging File free
    Paging file location(s): C:\pagefile.sys 180 360 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 36.13 Gb Total Space | 25.65 Gb Free Space | 70.98% Space Free | Partition Type: NTFS
    Drive D: | 1.13 Gb Total Space | 1.12 Gb Free Space | 99.15% Space Free | Partition Type: NTFS

    Computer Name: BIAC-EEEE3A9182 | User Name: biac user 3 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = Opera.HTML] -- Reg Error: Key error. File not found
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- "C:\Program Files\Opera\opera.exe" "%1"
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" = C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player -- (Veoh Networks)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00170409-78E1-11D2-B60F-006097C998E7}" = Microsoft Word 2000
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 24
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{56364334-9530-11D2-BFFC-00C04FA329AA}" = Microsoft Works 2000
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
    "{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
    "{C5DD42DC-5402-11D3-8072-00C04FA329AA}" = Word in Works Suite add-in
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
    "{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "avast5" = avast! Free Antivirus
    "EPSON Printer and Utilities" = EPSON Printer Software
    "EPSON Scanner" = EPSON Scan
    "ie8" = Windows Internet Explorer 8
    "KLiteCodecPack_is1" = K-Lite Codec Pack 6.9.0 (Basic)
    "Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "RealPlayer 12.0" = RealPlayer
    "uTorrent" = µTorrent
    "Vbrfix" = VBRFix (Moonbase Edition)
    "Veoh Web Player Beta" = Veoh Web Player
    "VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
    "VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "Works2kSetup" = Microsoft Works 2000 Setup Launcher
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "KalydoPlayer" = Kalydo Player 3.08.01

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 04/09/2010 12:06:30 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
    module mshtml.dll, version 8.0.6001.18939, fault address 0x003100d1.

    Error - 18/10/2010 09:35:09 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application plugin-container.exe, version 1.9.2.3909, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

    Error - 19/10/2010 10:05:00 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application plugin-container.exe, version 1.9.2.3909, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

    Error - 21/10/2010 10:21:52 | Computer Name = BIAC-EEEE3A9182 | Source = EventSystem | ID = 4614
    Description = The COM+ Event System detected an inconsistency in its internal state.
    The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
    Please contact Microsoft Product Support Services to report this erro

    Error - 21/10/2010 17:58:35 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application desmume.exe, version 0.0.0.0, faulting module
    desmume.exe, version 0.0.0.0, fault address 0x001493e8.

    Error - 21/10/2010 18:06:37 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application desmume.exe, version 0.0.0.0, faulting module
    desmume.exe, version 0.0.0.0, fault address 0x001493e8.

    Error - 22/10/2010 01:48:47 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application plugin-container.exe, version 1.9.2.3909, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

    Error - 17/11/2010 16:00:58 | Computer Name = BIAC-EEEE3A9182 | Source = Application Error | ID = 1000
    Description = Faulting application plugin-container.exe, version 1.9.2.3951, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

    [ System Events ]
    Error - 17/04/2011 03:33:34 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Java Quick Starter service
    to connect.

    Error - 17/04/2011 03:33:34 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7000
    Description = The Java Quick Starter service failed to start due to the following
    error: %%1053

    Error - 17/04/2011 04:03:52 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Java Quick Starter service
    to connect.

    Error - 17/04/2011 04:03:52 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7000
    Description = The Java Quick Starter service failed to start due to the following
    error: %%1053

    Error - 17/04/2011 05:35:11 | Computer Name = BIAC-EEEE3A9182 | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.0.2 for the Network Card with network
    address 000AE69F60F4 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
    sent a DHCPNACK message).

    Error - 17/04/2011 05:36:14 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Java Quick Starter service
    to connect.

    Error - 17/04/2011 05:36:14 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7000
    Description = The Java Quick Starter service failed to start due to the following
    error: %%1053

    Error - 17/04/2011 08:52:37 | Computer Name = BIAC-EEEE3A9182 | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.0.2 for the Network Card with network
    address 000AE69F60F4 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
    sent a DHCPNACK message).

    Error - 17/04/2011 08:53:40 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Java Quick Starter service
    to connect.

    Error - 17/04/2011 08:53:40 | Computer Name = BIAC-EEEE3A9182 | Source = Service Control Manager | ID = 7000
    Description = The Java Quick Starter service failed to start due to the following
    error: %%1053


    < End of report >
     
  17. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi chipperone

    Double click on OTL to run it.
    Copy the lines in bold below. (make sure that :Otl is on the first line )

    :Otl
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
    [2011/04/16 17:43:02 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp

    :Files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [purity]
    [RESETHOSTS]
    [EMPTYFLASH]


    • Return to OTL,
    • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    • Click the red Run Fix button.
    • OTL will reboot your system once the fix has completed.
    • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

    Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

    If you lose the report, there will be a copy here:
    C:\_OTL\MovedFiles


    In your next reply, please submit:
    OTL fix report
    and let me know how the system is running now.


    Thanks.
     
    Last edited by a moderator: Feb 4, 2014
  18. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    Everything seems back to normal, PC is running faster than I have ever known it to. Thanks for all the help and especially thanks for giving up your Sunday to help. Is there anything else I need to do now?

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
    C:\fsqwr.bmp moved successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\biac user 3\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\biac user 3\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: biac user 3
    ->Temp folder emptied: 116224 bytes
    ->Temporary Internet Files folder emptied: 5568405 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 615 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 6.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYFLASH]

    User: All Users

    User: biac user 3
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 04172011_182833

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF1B5.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF20A.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF2D4.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF2E8.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF3F8.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF43D.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF904D.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DFB9D6.tmp not found!
    File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DFC21D.tmp not found!
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
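The fix log above is what a helper reads to confirm that each requested action actually happened. As an added example (it is not OTL's code and not anything posted in this thread), here is a small Python parser that classifies each outcome line of such a log as succeeded, not found, or deferred to the reboot, so the items that still need a post-reboot check stand out. The sample input is a constructed excerpt of the log posted above (a subset of its lines, kept verbatim); the outcome categories, regexes and function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the OTL fix log lines posted above, verbatim.
# A real run would read the full log saved under C:\_OTL\MovedFiles.
OTL_FIX_LOG = r"""All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
C:\fsqwr.bmp moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\biac user 3\Local Settings\Temp\~DF1B5.tmp not found!
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
"""

# "========== OTL ==========" style section headers.
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")

# Outcome line shapes seen in OTL fix logs, mapped to my own outcome labels.
OUTCOME_PATTERNS = [
    (re.compile(r"^(?:Registry (?:key|value) )?(?P<target>.+?) (?:deleted|moved) successfully\.$"), "ok"),
    (re.compile(r"^(?P<target>HOSTS file) reset successfully$"), "ok"),
    (re.compile(r"^(?:Registry (?:key|value) |File\\Folder )?(?P<target>.+?) not found[.!]$"), "not_found"),
    (re.compile(r"^File move failed\. (?P<target>.+?) scheduled to be moved on reboot\.$"), "pending_reboot"),
]


def parse_otl_fix_log(text):
    """Return one record per fix action: the section it ran in, its target and its outcome."""
    records, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        for pattern, outcome in OUTCOME_PATTERNS:
            m = pattern.match(line)
            if m:
                records.append({"section": section, "target": m.group("target"), "outcome": outcome})
                break  # first matching shape wins; other lines (ipconfig output etc.) are ignored
    return records


def summarize(records):
    """Count of actions per outcome label."""
    return dict(Counter(r["outcome"] for r in records))


def pending_items(records):
    """Targets OTL could not remove during the fix; re-check these after the reboot."""
    return [r["target"] for r in records if r["outcome"] == "pending_reboot"]


if __name__ == "__main__":
    recs = parse_otl_fix_log(OTL_FIX_LOG)
    print(summarize(recs))
    for target in pending_items(recs):
        print("verify after reboot:", target)
```

On the excerpt above, the only deferred item is the Webshlock.txt file in the avast temp folder, which is exactly the file the original poster could not delete; listing the `pending_reboot` entries separately is how a helper decides what to confirm in the next log rather than reading the whole report again.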
     
  19. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    It's no problem at all, just glad I could be of help.

    Let's get an online scan done now just to double check everything.

    I'd like you to do an ESET OnlineScan

    You may find it beneficial to close your resident AV program before running the scan.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on [​IMG] to download the ESET Smart Installer.
        Save it to your desktop.
      • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Click the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Click [​IMG], and save the file to your desktop using a unique name, such as ESETScan.
      Include the contents of this report in your next reply.
    • Click the [​IMG] button.
    • Click [​IMG]
    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


    Note:
    It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).
    To prevent this happening:
    When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

    Enable Anti-Stealth technology



    Edit:
    seems some of the screenshots are not showing, just try and follow the instructions and see how it goes.
     
  20. chipperone

    chipperone

    Joined:
    Apr 16, 2011
    Messages:
    10
    Location:
    manchester
    Operating System:
    Windows XP Home
    I followed the instructions as best I could; I hope this is the result you were looking for. The scan found 3 trojans.


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6427
    # api_version=3.0.2
    # EOSSerial=ff0707b49217974c87af196c08826d8a
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-04-17 06:37:13
    # local_time=2011-04-17 07:37:13 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 26635542 26635542 0 0
    # compatibility_mode=8192 67108863 100 0 210 210 0 0
    # scanned=38922
    # found=3
    # cleaned=3
    # scan_time=2076
    C:\Documents and Settings\biac user 3\Desktop\RK_Quarantine\cIe01804aOkDd01804.exe.vir a variant of Win32/Kryptik.MRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe.vir a variant of Win32/Kryptik.MRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{708CFAF8-0059-465D-B119-425C13B17C24}\RP189\A0130645.exe a variant of Win32/Kryptik.MRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
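The ESET report above has a simple structure: `# key=value` header lines followed by one line per detection (path, threat name, action in parentheses, a 32-character hash column and a trailing flag). As an added example, not ESET's own documentation or code from this thread, this Python snippet parses that structure, cross-checks the `found`/`cleaned` counters against the detection lines it actually parsed, and sorts each hit by where it sat on disk. Treating paths under `System Volume Information\_restore` as System Restore points and paths containing `Quarantine` as the quarantine folder of an earlier cleanup tool is my classification, and the names for the hash and flag columns are assumptions. The sample input is the header and the three detection lines from the log above, trimmed to what the parser needs.

```python
import re
from collections import Counter

# Sample input: header lines and the three detection records from the ESET log
# posted above (trimmed); not a complete log.
ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# antistealth_checked=true
# utc_time=2011-04-17 06:37:13
# country="United Kingdom"
# scanned=38922
# found=3
# cleaned=3
# scan_time=2076
C:\Documents and Settings\biac user 3\Desktop\RK_Quarantine\cIe01804aOkDd01804.exe.vir a variant of Win32/Kryptik.MRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\cIe01804aOkDd01804\cIe01804aOkDd01804.exe.vir a variant of Win32/Kryptik.MRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{708CFAF8-0059-465D-B119-425C13B17C24}\RP189\A0130645.exe a variant of Win32/Kryptik.MRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Detection line: <path with spaces> <threat name containing "Family/Name"> (<action>) <32 hex> <flag>
# The threat name is anchored on the "Win32/..." token so the path's own spaces do not confuse it.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9_]+/\S+(?: \w+)*) "
    r"\((?P<action>[^()]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "   # assumed name for the 32-character column
    r"(?P<flag>\S+)$"               # assumed name for the trailing single-letter column
)


def _coerce(value):
    """Turn header values into int/bool where they obviously are one."""
    value = value.strip().strip('"')
    if value.isdigit():
        return int(value)
    if value in ("true", "false"):
        return value == "true"
    return value


def classify_location(path):
    """My own triage buckets: restore point, earlier tool's quarantine, or a live location."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "quarantine" in p:
        return "quarantine"
    return "live"


def parse_eset_log(text):
    """Return (header dict, list of detection records)."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            meta[key.strip()] = _coerce(value)
            continue
        m = DETECTION_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["location"] = classify_location(rec["path"])
            detections.append(rec)
    return meta, detections


def check_counts(meta, detections):
    """Cross-check the scanner's own counters against the detection lines we parsed."""
    found, cleaned = meta.get("found", 0), meta.get("cleaned", 0)
    return {
        "found": found,
        "cleaned": cleaned,
        "parsed": len(detections),
        "consistent": found == len(detections) == cleaned,
        "by_location": dict(Counter(d["location"] for d in detections)),
    }


if __name__ == "__main__":
    header, hits = parse_eset_log(ESET_LOG)
    print(check_counts(header, hits))
    for hit in hits:
        print(hit["location"], "|", hit["threat"], "|", hit["path"])
```

On this log the `by_location` breakdown shows every hit sitting either in a quarantine folder left by an earlier tool or inside a System Restore point, with nothing in a live location; that is the distinction a reader wants before deciding whether a scan result means reinfection or just leftovers from the clean-up.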
     
