INFECTED PLEASE HELP


  • This topic is locked
61 replies to this topic

#31 MARIANNE97

    Authentic Member, 36 posts

Posted 12 November 2011 - 03:04 PM

Hello JonTom :) After reading your post again about scanning with Malwarebytes I understood what you meant... Sometimes it takes me a minute to process. We went out and bought these sticks new to help along with this process and I think that they're ok after scanning them :) I will send you the logs that I received when scanning them below. The other machines are behaving ok but I would love to make sure that they are clean just in case that nasty bug is hiding from us. The infected machine is working ok as well; except for the error that Avast picked up, it is not finding any other bugs. The scan that I sent you in the last post... Was that the Eset scan? It's weird that it just seemed to appear on the desktop and was saying something about a fatal error in Java? Also the Avast icon has disappeared from where it usually is... I remember that happening once before a long time ago and can't remember what I did to get it back. I'm just trying to make sure that you have all the info that you need :) I really appreciate you helping with all of this... You've been GREAT thus far!


(MBAM LOG 1 E & F drive 1st memory stick)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8143

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/11/2011 9:47:17 PM
mbam-log-2011-11-11 (21-47-17).txt

Scan type: Full scan (E:\|F:\|)
Objects scanned: 181099
Time elapsed: 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


(MBAM LOG 2 E & F drive second memory stick)


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8143

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/11/2011 9:46:01 PM
mbam-log-2011-11-11 (21-46-00).txt

Scan type: Full scan (E:\|F:\|)
Objects scanned: 181107
Time elapsed: 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Thumbnails

  • avstpiccc.jpg



#32 JonTom

    Teacher Emeritus, Malware Team, 5,496 posts

Posted 13 November 2011 - 08:21 AM

Hello MARIANNE97

The flash drive scans look good :)

The other machines are behaving ok but I would love to make sure that they are clean just in case that nasty bug is hiding from us

If they are not displaying any symptoms they should be okay, but as a precaution you could always run MBAM and ESET on them. If anything is detected let me know.

The file which could not be accessed by AVAST may be related to a Windows update.

The scan that I sent you in the last post... Was that the Eset scan?
It's weird that it just seemed to appear on the desktop and was saying something about a fatal error in Java?

No, that was not the ESET scan log. As I mentioned, no log is produced when no infection is found. I am not sure where that Java log came from, but an issue with Java may not be malware related (your MBAM and ESET scans are clean and the machine is no longer displaying any symptoms of infection).

Let's proceed as follows:


  • JavaRa

    • Download JavaRa.Zip from the link below and save it to your Desktop:
      http://sourceforge.n...Ra.zip/download
    • Double click the file you downloaded and extract the contents to the desktop. This will create a new folder, JavaRa, on your desktop.
    • Double click this new folder to open it, then double click JavaRa.exe to execute the program.
    • Click the button "Remove Older Versions".
    • Agree to the cleanup operation by clicking "Yes". After a moment, a notice will appear that a log file has been produced. Click "OK". Close the Notepad file that opens.
    • Click the button "Other Tasks". Choose these options:
      Remove Useless JRE Files
      Open JavaRa Logfile
    • Click "Go". When it finishes, click OK to close the panel. A logfile will open.
    • Please post the contents of that log in your next reply.
    • Exit the program.

  • OTL

    • Please scan the machine once more with OTL.

    Please post the JavaRa log and the OTL log in your next reply.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
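The OTL log requested above is read by its fixed entry layout (file entries as `[date | size | attrs | C/M] (company) -- path`, registry items as `Oxx - ...`). As an added example, not from this thread or from OTL itself, here is a Python triage pass that sorts such lines the way a helper does: the sample lines are modelled on the OTL output in this thread, plus one constructed hosts entry (update.example.com) so that a high-priority finding appears.

```python
"""Triage pass over OTL-style scan-log lines (added example; not OTL's own code).

Layouts follow the OTL log quoted in this thread, e.g.
  [yyyy/mm/dd hh:mm:ss | size | attrs | C|M] (company) -- path
  O1 - Hosts: <ip> <name>      O20 - HKLM Winlogon: Shell - (<value>) -<path> (<co>)
It does not decide that a line is malicious; it sorts lines into what a helper reads
first ('high'), what needs a human look ('review') and harmless leftovers ('low').
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?"
    r"-- (?P<path>.+?)(?: -- \[ \w+ \])?$"
)
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<name>\S+)")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\)")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif")
# Default Winlogon values on Windows XP, lowercased, trailing comma removed.
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_file_entry(line: str) -> Optional[Dict[str, object]]:
    """Split one '[date | size | attrs | C/M] (company) -- path' entry into fields."""
    m = FILE_RE.match(line)
    if not m:
        return None
    return {
        "date": m["date"],
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],            # e.g. 'RHSD' = Read-only, Hidden, System, Directory
        "kind": m["kind"],              # C = created, M = modified
        "company": m["company"] or "",  # '' when OTL printed '()' or nothing at all
        "path": m["path"],
    }


def triage_file(entry: Dict[str, object], line: str) -> Optional[Finding]:
    """Heuristics for the 'Files/Folders' sections."""
    path, attrs = str(entry["path"]), str(entry["attrs"])
    at_drive_root = re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None
    if "H" in attrs and "S" in attrs and at_drive_root:
        # Hidden+system objects at the drive root (autorun.inf, cmdcons, cmldr ...)
        # are created both by malware and by cleanup tools, so a human must decide.
        return ("review", "hidden+system object at drive root", line)
    if path.lower().endswith(EXEC_EXT) and not entry["company"]:
        return ("review", "executable with no company name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a log and collect findings; section banners and blank lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue
        if line.startswith(("SRV - ", "DRV - ")) and line.endswith("File not found"):
            findings.append(("low", "service/driver entry whose binary is missing", line))
        elif line.startswith(("O2 - ", "O3 - ")) and "No CLSID value found" in line:
            findings.append(("low", "orphaned BHO/toolbar CLSID", line))
        elif (m := HOSTS_RE.match(line)):
            if m["ip"] not in LOOPBACK or m["name"].lower() != "localhost":
                findings.append(("high", "hosts entry other than localhost", line))
        elif (m := WINLOGON_RE.match(line)):
            value = m["value"].strip().rstrip(",").lower()
            if value != EXPECTED_WINLOGON[m["key"].lower()]:
                findings.append(("high", f"unexpected Winlogon {m['key']} value", line))
        else:
            entry = parse_file_entry(line)
            finding = triage_file(entry, line) if entry else None
            if finding:
                findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _ in findings))


# Constructed sample: lines modelled on the OTL log in this thread plus one made-up
# hosts entry (update.example.com) so that a 'high' finding appears.
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- File not found
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 update.example.com
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
[2011/11/11 21:25:51 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/11/09 14:25:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/08 12:07:06 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/07 01:20:23 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
"""
```

Running `triage(SAMPLE_LOG)` yields two `low`, two `review` and one `high` finding; the default Shell/UserInit values and the company-signed dds.scr produce none.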

#33 MARIANNE97

    Authentic Member, 36 posts

Posted 13 November 2011 - 07:09 PM

Hello :)

Ty for all of the answers ...I get paranoid sometimes :o lol but I guess better safe than sorry.


Ok here are the logs from JavaRa and OTL


(JAVARA LOG)

JavaRa 1.14 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed May 27 12:49:07 2009

------------------------------------

Finished reporting.



JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Nov 13 19:51:10 2011

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_14

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\Owner\Application Data\Sun\Java\jre1.6.0_19

------------------------------------

Finished reporting.






(OTL LOG)

OTL logfile created on: 11/13/2011 7:59:58 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.17 Mb Total Physical Memory | 595.87 Mb Available Physical Memory | 66.56% Memory free
2.12 Gb Paging File | 1.92 Gb Available in Paging File | 90.86% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 51.11 Gb Free Space | 68.59% Space Free | Partition Type: NTFS

Computer Name: OWNER-BZ2MQ7E6C | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\New Folder\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Alwil Software\Avast5\defs\11111302\algo.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\11111301\algo.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\11111302\aswRep.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\11111301\aswRep.dll ()
MOD - C:\WINDOWS\system32\nvshell.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)


========== Driver Services (SafeList) ==========

DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/11/09 14:25:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKU\S-1-5-21-854245398-764733703-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-854245398-764733703-725345543-1003\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1221784093359 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1256451306250 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{722AA42D-3320-47D2-A261-FC87E700BDDD}: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/18 12:42:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/11/11 21:25:51 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/13 19:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\JAVARATHAT WAS EXTRACTED
[2011/11/11 21:50:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\UserData
[2011/11/11 21:25:51 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/11/11 14:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/11/09 15:05:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/11/09 14:18:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/11/09 14:18:25 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2011/11/09 13:38:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/11/09 06:34:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/11/09 05:43:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/11/09 05:37:22 | 004,287,742 | R--- | C] (Swearware) -- C:\jontom.com
[2011/11/08 12:09:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/11/08 12:07:06 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/11/08 12:07:06 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/11/08 12:07:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/11/08 12:07:06 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/11/08 12:06:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/11/08 12:06:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/11/07 13:32:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis
[2011/11/07 13:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\M
[2011/11/07 09:13:17 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/11/07 09:13:17 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/11/07 09:13:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/11/07 09:13:17 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/11/07 01:32:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder
[2011/11/07 01:20:23 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/11/07 01:19:12 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
[2011/11/06 19:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/06 19:48:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/06 19:48:36 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/06 19:48:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/06 18:17:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Recent
[2011/11/06 16:55:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/11/06 05:46:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/06 05:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/10/18 16:30:49 | 000,000,000 | ---D | C] -- C:\extensions
[2011/10/18 16:30:48 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/10/18 16:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Temp
[2011/10/18 16:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit
[2011/10/18 16:29:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2011/10/16 03:12:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SulusGames
[2011/10/16 03:12:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[2011/10/16 03:11:56 | 000,000,000 | ---D | C] -- C:\Program Files\Strange Cases - The Tarot Card Mystery
[2011/10/16 03:11:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Strange Cases - The Tarot Card Mystery
[2011/10/16 03:09:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/10/16 03:08:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache

========== Files - Modified Within 30 Days ==========

[2011/11/13 19:46:43 | 000,160,350 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\JavaRa.zip
[2011/11/13 19:40:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/13 19:39:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/13 19:23:42 | 000,041,596 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\1-hour-old-elephant-59607048458.jpg
[2011/11/13 19:21:01 | 000,019,666 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Afraid-60734096333.jpg
[2011/11/13 19:17:24 | 000,045,250 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\1934-60734857571.jpg
[2011/11/13 19:10:44 | 000,080,132 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Health-Care-Solution-60741973701.jpg
[2011/11/13 19:10:14 | 000,074,220 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Cant-read-Chinese-60741208099.jpg
[2011/11/13 19:09:35 | 000,044,049 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Immigration-Hotline-60740638642.jpg
[2011/11/13 19:09:14 | 000,006,665 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jealous-60994398281.jpg
[2011/11/13 19:08:28 | 000,068,143 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Proof-60742925424.jpg
[2011/11/13 19:07:34 | 000,061,384 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Gun-laws-60808124546.jpg
[2011/11/13 19:07:22 | 000,031,569 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Permit-60742389425.jpg
[2011/11/13 19:07:14 | 000,008,042 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Food-Stamps-60738936319_large.jpg
[2011/11/13 19:06:39 | 000,004,074 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Big-Fat-rear-59950468908_large.jpg
[2011/11/13 19:06:38 | 000,005,015 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\English-or-12-g-60735619035_large.jpg
[2011/11/13 19:06:38 | 000,004,823 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Guns-60734900516_large.jpg
[2011/11/13 19:06:35 | 000,004,778 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Problem-Solved-60738558152_large.jpg
[2011/11/13 19:06:35 | 000,003,935 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Feminine-protection-60739119620_large.jpg
[2011/11/12 17:11:55 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2011/11/12 16:40:26 | 000,030,986 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Documentapril.rtf
[2011/11/12 00:32:50 | 000,013,209 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Kwicon.gif
[2011/11/12 00:20:52 | 000,016,385 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jade.gif
[2011/11/12 00:16:26 | 000,016,682 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\oldie00032.gif
[2011/11/11 01:22:57 | 000,018,559 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Can-not-coexist-with-those-who-want-to-kill-youjp-60992563996.jpg
[2011/11/09 14:25:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/09 14:07:07 | 004,287,742 | R--- | M] (Swearware) -- C:\jontom.com
[2011/11/09 03:21:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/09 03:20:36 | 000,000,129 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/11/08 16:17:41 | 000,433,098 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/08 16:17:41 | 000,067,862 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/07 13:22:36 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/07 09:16:23 | 000,000,223 | ---- | M] () -- C:\Boot.bak
[2011/11/07 01:20:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/11/07 01:19:13 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
[2011/11/06 20:14:58 | 000,000,194 | -HS- | M] () -- C:\Program Files\Common Files\winset.ini
[2011/11/06 05:07:53 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google.url
[2011/11/05 20:30:38 | 000,035,122 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-wrap-your-head-around-that-math.jpg
[2011/11/05 20:30:37 | 000,048,042 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-its-important-to-know-where-to-measure-from.jpg
[2011/11/05 17:46:51 | 000,029,943 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\jeffrey-campbell-lita-shag.jpg
[2011/11/05 03:51:58 | 000,000,179 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\LoudCity.com.url
[2011/11/04 08:20:54 | 000,020,553 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Important Information Regarding the National EAS Test on Nov_ 9.eml
[2011/11/02 19:35:00 | 000,012,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\JOB CREATED.jpg
[2011/11/02 19:03:52 | 000,302,346 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Find area code lookup by number on WebShoppingHelper.mht
[2011/10/24 03:18:51 | 000,000,119 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dayam YOU AUTOCORRECT.url
[2011/10/21 21:13:52 | 000,010,467 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\JEALOUS WOMEN.jpg
[2011/10/21 02:47:09 | 000,000,139 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Tippecanoe Waste Removal, Inc Home.url
[2011/10/17 04:03:42 | 000,001,210 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Earmarks Map – 2011 Requests Ending Spending EndingSpending.com.url
[2011/10/17 03:20:21 | 001,333,597 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jakie_time_out_lol.jpg
[2011/10/15 20:09:32 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2011/11/13 19:46:46 | 000,160,350 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\JavaRa.zip
[2011/11/13 19:23:54 | 000,041,596 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\1-hour-old-elephant-59607048458.jpg
[2011/11/13 19:22:28 | 000,004,074 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Big-Fat-rear-59950468908_large.jpg
[2011/11/13 19:21:21 | 000,019,666 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Afraid-60734096333.jpg
[2011/11/13 19:17:53 | 000,045,250 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\1934-60734857571.jpg
[2011/11/13 19:16:58 | 000,004,823 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Guns-60734900516_large.jpg
[2011/11/13 19:15:58 | 000,005,015 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\English-or-12-g-60735619035_large.jpg
[2011/11/13 19:14:52 | 000,004,778 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Problem-Solved-60738558152_large.jpg
[2011/11/13 19:14:19 | 000,008,042 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Food-Stamps-60738936319_large.jpg
[2011/11/13 19:13:56 | 000,003,935 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Feminine-protection-60739119620_large.jpg
[2011/11/13 19:11:45 | 000,080,132 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Health-Care-Solution-60741973701.jpg
[2011/11/13 19:10:34 | 000,074,220 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Cant-read-Chinese-60741208099.jpg
[2011/11/13 19:09:51 | 000,044,049 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Immigration-Hotline-60740638642.jpg
[2011/11/13 19:09:23 | 000,006,665 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jealous-60994398281.jpg
[2011/11/13 19:08:47 | 000,068,143 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Proof-60742925424.jpg
[2011/11/13 19:08:20 | 000,031,569 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Permit-60742389425.jpg
[2011/11/13 19:08:08 | 000,061,384 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Gun-laws-60808124546.jpg
[2011/11/12 00:35:51 | 000,013,209 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Kwicon.gif
[2011/11/12 00:26:18 | 000,016,385 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jade.gif
[2011/11/12 00:20:32 | 000,016,682 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\oldie00032.gif
[2011/11/11 01:23:13 | 000,018,559 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Can-not-coexist-with-those-who-want-to-kill-youjp-60992563996.jpg
[2011/11/09 14:15:22 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/09 03:20:36 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/11/08 12:09:27 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2011/11/08 12:09:26 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/11/08 12:07:06 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/08 12:07:06 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/08 12:07:06 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/08 12:07:06 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/08 12:07:06 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/07 13:32:19 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/07 13:32:19 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/11/07 13:32:19 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Outlook Express.lnk
[2011/11/07 13:32:19 | 000,000,680 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\EmailStripper.lnk
[2011/11/07 13:32:19 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to XuMouse.lnk
[2011/11/07 13:32:19 | 000,000,211 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google.url
[2011/11/07 13:32:19 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/11/07 13:32:17 | 000,002,391 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2011/11/07 13:32:17 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/11/07 13:32:17 | 000,001,844 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2011/11/07 13:32:17 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/11/07 13:32:17 | 000,000,785 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/11/07 13:32:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat.com.lnk
[2011/11/06 20:03:26 | 000,000,194 | -HS- | C] () -- C:\Program Files\Common Files\winset.ini
[2011/11/06 05:47:25 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/05 20:34:15 | 000,035,122 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-wrap-your-head-around-that-math.jpg
[2011/11/05 20:32:09 | 000,048,042 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-its-important-to-know-where-to-measure-from.jpg
[2011/11/05 17:52:54 | 000,029,943 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\jeffrey-campbell-lita-shag.jpg
[2011/11/04 08:48:16 | 000,030,986 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Documentapril.rtf
[2011/11/04 08:20:54 | 000,020,553 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Important Information Regarding the National EAS Test on Nov_ 9.eml
[2011/11/02 19:36:28 | 000,012,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\JOB CREATED.jpg
[2011/11/02 19:03:47 | 000,302,346 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Find area code lookup by number on WebShoppingHelper.mht
[2011/10/24 03:18:51 | 000,000,119 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dayam YOU AUTOCORRECT.url
[2011/10/21 21:16:50 | 000,010,467 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\JEALOUS WOMEN.jpg
[2011/10/21 02:47:09 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Tippecanoe Waste Removal, Inc Home.url
[2011/10/17 04:03:42 | 000,001,210 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Earmarks Map – 2011 Requests Ending Spending EndingSpending.com.url
[2011/10/17 03:20:30 | 001,333,597 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jakie_time_out_lol.jpg
[2011/01/15 05:33:35 | 000,091,712 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/05 17:01:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/14 20:12:31 | 000,017,532 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/30 22:53:06 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Launch Internet Explorer Browser.lnk
[2009/05/25 18:40:40 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/05/25 18:40:40 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/05/25 18:38:56 | 000,000,228 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/05/25 18:38:56 | 000,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/05/25 18:38:56 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf06a.dat
[2009/05/25 18:38:11 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/05/25 18:38:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2009/02/23 21:52:49 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/13 00:25:32 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/12 03:11:23 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/19 01:58:51 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\adsubtb.dll
[2008/09/19 01:58:51 | 000,002,150 | ---- | C] () -- C:\WINDOWS\System32\nshxml.ini
[2008/09/18 13:20:44 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008/09/18 12:56:12 | 000,001,732 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2008/09/18 12:44:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/09/18 12:39:12 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/09/18 08:35:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/09/18 08:34:05 | 000,148,400 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/20 08:32:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/20 08:32:00 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/04/20 08:32:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/20 08:32:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/04/20 08:32:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/20 08:32:00 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/04/20 08:32:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/20 08:32:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/04/20 08:32:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/04/20 08:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,433,098 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,067,862 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

#34 MARIANNE97

Posted 13 November 2011 - 07:11 PM

I will also run the MBAM and ESET on the other 2 machines when I return and let you know if all comes up clean :) The infected machine is the Mothership of the network.

#35 JonTom

Posted 14 November 2011 - 10:37 AM

Hello MARIANNE97

The latest OTL log appears to be clean :)

Let's remove our tools in the steps below:

  • Please Uninstall Combofix


    • Click on "Start" and then on "Run".
    • Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.

  • Please perform the following cleanup procedure


    • Double click on the OTL.exe icon on your desktop to run the program.
    • Once OTL has opened, click on the "CleanUp!" button.
    • Follow any prompts that you receive.

  • Removal of Tools


    • You no longer need Unhide, TDSSKiller or JavaRa.
    • Please delete them from your machine.


    I will also run the MBAM and ESET on the other 2 machines when I return and let you know if all comes up clean

    No problem :)

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#36 JonTom

Posted 19 November 2011 - 01:44 PM

Hello MARIANNE97

It has been a few days now. Are the other machines okay?

#37 MARIANNE97

Posted 19 November 2011 - 02:35 PM

Hi Jontom :) So sorry that it's taken me this long to get back with you...I have had some serious problems in the last week with my Daughter and they had to be tended to. I ran a scan on one of the other machines and I'm in the process of running a scan on the last one as well. I am shocked to see the results of the scan on this machine but I know that you will know what to do :) Thank you

Here is the Eset scan from this machine.



C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-17ec29b8 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-289b40ff a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-357dcad8 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-3eef030f a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-4e8adbd5 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-74f6a4db a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-225dffcb Java/TrojanDownloader.OpenStream.NCM trojan

#38 MARIANNE97

Posted 19 November 2011 - 03:04 PM

Hi again :) OK, here is the Eset scan from machine 3; it found 1 item.

Thank you


C:\Users\Owner\Desktop\st-softonic-sntb.exe a variant of Win32/Toolbar.Zugo application

#39 JonTom

Posted 19 November 2011 - 05:41 PM

Hello MARIANNE97

So sorry that it's taken me this long to get back with you

Absolutely no problem at all. Family comes first above everything else. I hope your Daughter is well.

I am shocked to see the results of the scan on this machine but I know that you will know what to do

We can take care of those things easily enough.

ESET has detected an infected Java Cache (on machine 2, post number 37) and a single adware detection on another (machine 3, post number 38).

Please let me know what operating system the two machines are running (XP, Vista, Win 7) and we will go from there :)

#40 MARIANNE97

Posted 19 November 2011 - 06:18 PM

Hi :) Thank you very much for understanding ...I totally agree.


Both machines are laptops that are running Windows 7 Home Premium

#41 JonTom

Posted 19 November 2011 - 06:58 PM

Hello MARIANNE97

Both machines are laptops that are running Windows 7 Home Premium

Okay. We will deal with each machine using separate posts (that way I won't get confused :) ). Let's take care of machine 2 first:

Machine 2


  • Please download OTM


  • Please download OTM by OldTimer by clicking here.
  • Save the file (called OTM.exe) to your desktop.
  • Right click on the OTM.exe icon and choose Run As Administrator to run the program.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:Files
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-17ec29b8
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-289b40ff
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-357dcad8
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-3eef030f
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-4e8adbd5
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-74f6a4db
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-225dffcb

:Commands
[Purity]
[EmptyTemp]
[Emptyflash]
[Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM.
  • Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please post the OTM log in your next reply.

Once you have posted the log we will take care of machine three :)


#42 MARIANNE97

Posted 19 November 2011 - 07:32 PM

Ok :) Scan completed


(OTM LOG)


All processes killed
========== FILES ==========
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-17ec29b8 moved successfully.
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-289b40ff moved successfully.
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-357dcad8 moved successfully.
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-3eef030f moved successfully.
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-4e8adbd5 moved successfully.
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-74f6a4db moved successfully.
C:\Users\April\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-225dffcb moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: April
->Temp folder emptied: 25043075 bytes
->Temporary Internet Files folder emptied: 645694898 bytes
->Java cache emptied: 19995107 bytes
->Flash cache emptied: 262885 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3054 bytes
RecycleBin emptied: 6476650 bytes

Total Files Cleaned = 665.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: April
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 11192011_201404

Files moved on Reboot...
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#43 JonTom

Posted 20 November 2011 - 02:54 AM

Hello MARIANNE97

That log looks okay.

Let's deal with the third machine now:

Machine 3


  • Please download OTM


  • Please download OTM by OldTimer by clicking here.
  • Save the file (called OTM.exe) to your desktop.
  • Right click on the OTM.exe icon and choose Run As Administrator to run the program.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:Files
C:\Users\Owner\Desktop\st-softonic-sntb.exe

:Commands
[Purity]
[EmptyTemp]
[Emptyflash]
[Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM.
  • Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post the OTM log in your next reply.

Please let me know how the machines are running and if there are any noticeable problems.


#44 MARIANNE97

Posted 20 November 2011 - 01:53 PM

Hi Jontom :) I completed the scan on machine 3; the results are below. I could not copy from the results window; it froze and would only let me reboot :( I did get the log that popped up after the reboot.

(OTM LOG machine 3)

All processes killed
========== FILES ==========
File/Folder C:\Users\Owner\Desktop\st-softonic-sntb.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 1127811 bytes
->Temporary Internet Files folder emptied: 234555084 bytes
->Java cache emptied: 34769063 bytes
->Flash cache emptied: 2875367 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 523264 bytes

Total Files Cleaned = 261.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Owner
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 11202011_144427

Files moved on Reboot...
C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#45 JonTom

Posted 20 November 2011 - 04:42 PM

Hello MARIANNE97

OTM is reporting that the file could not be found. Let's make sure that this is definitely the case:

  • Please search for the following file


  • NOTE: DO NOT double click on ANY executable (.exe) files in the next step!!!
  • Right-click your "Start" button and select "Explore".
  • Navigate to and delete the following file in bold (if present):


C:\Users\Owner\Desktop\st-softonic-sntb.exe <=== Delete this file.

Once deleted, empty your recycle bin.

Please let me know how the machines are running in your next reply :)

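To review an OTM result log the way the helper does in this thread (which requested items were actually moved, and which, like the "not found" entry for machine 3, still need a manual check), here is an added Python example; it is not OTM's code or anything posted in the thread. The line patterns and the sample excerpt are taken from the OTM logs above; the status names are my own.

```python
"""Classify every file entry in an OTM (OldTimer's OTMoveIt) results log and
flag requested items that the log does not confirm as moved.

Added example for this thread, not OTM's own code. The line formats below are
the ones seen in the logs posted above; anything else is ignored.
"""
import re

# Result lines observed in the OTM logs in this thread.
_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
_NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")
_SCHEDULED = re.compile(
    r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"
)

# Excerpt of the machine 3 OTM log posted above (FILES and reboot sections),
# used here as sample input. Raw string: the paths contain backslashes.
SAMPLE_LOG = r"""All processes killed
========== FILES ==========
File/Folder C:\Users\Owner\Desktop\st-softonic-sntb.exe not found.
========== COMMANDS ==========
Files moved on Reboot...
C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
"""

# The :Files directive that was given to OTM for machine 3.
REQUESTED = [r"C:\Users\Owner\Desktop\st-softonic-sntb.exe"]


def parse_otm_results(log_text):
    """Return {path: status} for each file result line in the log.

    status is 'moved', 'not_found' or 'scheduled_on_reboot'. Lines that are
    not file results (section headers, cache byte counts) are skipped.
    """
    results = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        for status, pattern in (("moved", _MOVED),
                                ("not_found", _NOT_FOUND),
                                ("scheduled_on_reboot", _SCHEDULED)):
            m = pattern.match(line)
            if m:
                results[m.group("path")] = status
                break
    return results


def unresolved(requested, results):
    """Requested paths the log does not confirm as moved.

    Windows paths are case-insensitive (the logs above spell the same
    folder C:\\windows and C:\\Windows), so compare case-insensitively.
    These are the items a helper would ask the user to verify by hand.
    """
    moved = {p.lower() for p, s in results.items() if s == "moved"}
    return [p for p in requested if p.lower() not in moved]


if __name__ == "__main__":
    res = parse_otm_results(SAMPLE_LOG)
    for path, status in res.items():
        print(f"{status:20s} {path}")
    print("needs manual check:", unresolved(REQUESTED, res))
```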
