Trojan backdoor virus [Closed]



#16
PeggyV (Member, Topic Starter, 15 posts)
Hello -- Here's the Moveit log and the Cureit.csv. (I was a little confused on the instructions for CureIt -- After the final scan, I didn't see a choice to "move incurable", so I chose "delete"):

Error: Unable to interpret < CODE> in the current context!
========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: :Services
Unable to kill process: :Reg
Unable to kill process: :Files
Unable to kill process: C:\Program Files\Symantec AntiVirus\dl.vbe
Unable to kill process: C:\Program Files\Symantec AntiVirus\s.vbs
Unable to kill process: C:\WINDOWS\system32\Ipripv32.dll
Unable to kill process: C:\WINDOWS\system32\Nwsapv32.dll
Unable to kill process: C:\WINDOWS\system32\WmdmPv32.dll
Unable to kill process: :Commands
Unable to kill process: [purity]
Unable to kill process: [emptytemp]
Unable to kill process: [start explorer]
Unable to kill process: [Reboot]

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03292009_101545

dwrcs.exe;c:\windows\system32;Program.RemoteAdmin;Incurable.Moved.;
01580000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Bonke;Deleted.;
01640000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
025C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.PcClient.687;Deleted.;
025C0002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.PcClient.687;Deleted.;
025C0003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Legmir.2465;Deleted.;
027C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0007.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0009.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.28476;Deleted.;
027C000A.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C000B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C000C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C000D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C000E.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C000F.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0010.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0011.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0012.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0013.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0014.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0015.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0016.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0017.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.117;Deleted.;
027C0018.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0019.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C001A.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C001B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C001C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C001D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C001E.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C001F.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0020.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0021.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0022.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
027C0023.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
027C0024.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0025.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0026.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0027.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0028.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
027C0029.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
04580000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.134;Deleted.;
04D80000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Bonke;Deleted.;
05A40000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.134;Deleted.;
05A40001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Legmir.2465;Deleted.;
08100001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.117;Deleted.;
08100002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
08100003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
08100004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
08100005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.116;Deleted.;
08100006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
08100007.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
08100008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.121;Deleted.;
08100009.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
08380000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoader.24004;Deleted.;
08880000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
09400000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.DownLoad.9874;Deleted.;
09AC0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.Pigeon.11728;Deleted.;
0B5C0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Qhost.89;Deleted.;
0B5C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.29481;Deleted.;
0B5C0002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.Pigeon.6620;Deleted.;
0B5C0003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.28476;Deleted.;
0B5C0004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.28476;Deleted.;
0B5C0005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Qhost.89;Deleted.;
0B5C0006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.MulDrop.29481;Deleted.;
0B5C0007.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.Pigeon.6620;Deleted.;
0C040000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.HLLO.Blop.5;Deleted.;
0C040001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Click.24514;Deleted.;
0C040002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.108;Deleted.;
0C040003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.113;Deleted.;
0C040004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.121;Deleted.;
0C040006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.Beizhu.2504;Deleted.;
0CF80000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Siggen.2060;Deleted.;
0CF80001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Siggen.2060;Deleted.;
0DD00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Click.24514;Deleted.;
0DD40000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
0DD40002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.121;Deleted.;
0DD40003.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
0DD40004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
0DD40005.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.113;Deleted.;
0DD40006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.121;Deleted.;
0DD40007.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Click.24514;Deleted.;
0DD40008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Attack.121;Deleted.;
0E100000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Packed.471;Deleted.;
0E900000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.Graybird;Deleted.;
0FE00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Tool.RestoreSDT;Incurable.Deleted.;
5FEC3BF1.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\17440000;Tool.RestoreSDT;Incurable.Deleted.;
05.exe.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;BackDoor.Pigeon.11728;Deleted.;
18467.exe.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;DDoS.Attack.137;Deleted.;
20081.exe.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;BackDoor.Pigeon.11728;Deleted.;
41.exe.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;DDoS.Attack.137;Deleted.;
6334.exe.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;DDoS.Attack.137;Deleted.;
atgpeu.fsl.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;BackDoor.PcClient.593;Deleted.;
dikqnt.fdf.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;Trojan.DownLoad.3557;Deleted.;
ljcbol.dll.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;Trojan.Siggen.2060;Deleted.;
nrifnn.fsl.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;BackDoor.PcClient.593;Deleted.;
slztel.fsl.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;BackDoor.PcClient.593;Deleted.;
snmp.sys.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;Trojan.Click.23496;Deleted.;
A0000034.EXE;C:\System Volume Information\_restore{72E5FCBB-1D29-4B49-84E9-9E805B9853E3}\RP2;Program.PsExec.170;Incurable.Deleted.;
A0000178.EXE;C:\System Volume Information\_restore{72E5FCBB-1D29-4B49-84E9-9E805B9853E3}\RP3;Program.PsExec.170;Incurable.Deleted.;
A0000193.EXE;C:\System Volume Information\_restore{72E5FCBB-1D29-4B49-84E9-9E805B9853E3}\RP3;Program.PsExec.170;Incurable.Deleted.;
A0001274.exe;C:\System Volume Information\_restore{72E5FCBB-1D29-4B49-84E9-9E805B9853E3}\RP4;Program.RemoteAdmin;Incurable.Deleted.;

Thanks,

~Peggy V.
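The report above is a plain semicolon-separated layout (file name; directory; detection name; action), and the useful question for a defender is which hits sat in a live system location versus copies that were already parked in another scanner's quarantine or a System Restore point. The helper below is an added example written for this thread, not Dr.Web code; the `Hit`, `parse_report` and `triage` names are my own, and the five sample rows are copied from the report above.

```python
"""Triage a Dr.Web CureIt CSV report of the kind pasted above.

Each report line has the layout
    <file name>;<directory>;<detection name>;<action taken>;
Hits inside another product's quarantine folder or a System Restore point are
already-neutralised copies; a hit in a live system directory is what actually
needs follow-up. (Hypothetical helper written for this thread, not Dr.Web code.)
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed subset of the report lines posted above (same layout, five rows).
SAMPLE_REPORT = r"""
dwrcs.exe;c:\windows\system32;Program.RemoteAdmin;Incurable.Moved.;
01580000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;DDoS.Bonke;Deleted.;
025C0001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.PcClient.687;Deleted.;
05.exe.bac_a00416;C:\Documents and Settings\jokoloc\.housecall6.6\Quarantine;BackDoor.Pigeon.11728;Deleted.;
A0000034.EXE;C:\System Volume Information\_restore{72E5FCBB-1D29-4B49-84E9-9E805B9853E3}\RP2;Program.PsExec.170;Incurable.Deleted.;
"""


@dataclass(frozen=True)
class Hit:
    name: str        # file name as reported
    directory: str   # directory the file was found in
    detection: str   # Dr.Web detection name, e.g. BackDoor.PcClient.687
    action: str      # action CureIt took, e.g. Deleted. / Incurable.Moved.

    @property
    def location_class(self) -> str:
        """Classify where the hit was found: quarantine, restore-point or live."""
        d = self.directory.lower()
        if "\\quarantine" in d:
            return "quarantine"
        if "\\system volume information\\" in d:
            return "restore-point"
        return "live"


def parse_report(text: str) -> List[Hit]:
    """Parse semicolon-separated CureIt rows; blank lines are ignored."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not all(fields[:4]):
            raise ValueError(f"malformed report line: {raw!r}")
        hits.append(Hit(*fields[:4]))
    return hits


def detection_family(detection: str) -> str:
    """Drop the variant number: 'DDoS.Attack.116' -> 'DDoS.Attack'."""
    return ".".join(detection.split(".")[:2])


def triage(hits: List[Hit]) -> Dict[str, object]:
    """Summarise a report and pull out the hits that indicate a live infection."""
    return {
        "live": [h for h in hits if h.location_class == "live"],
        "by_location": Counter(h.location_class for h in hits),
        "by_family": Counter(detection_family(h.detection) for h in hits),
        "by_action": Counter(h.action.strip(".") for h in hits),
    }


def format_summary(result: Dict[str, object]) -> str:
    """Render the triage result as a short text report."""
    lines = ["Hits by location:"]
    for loc, n in sorted(result["by_location"].items()):
        lines.append(f"  {loc:<14}{n}")
    lines.append("Hits by detection family:")
    for fam, n in result["by_family"].most_common():
        lines.append(f"  {fam:<24}{n}")
    lines.append("Hits by action:")
    for act, n in sorted(result["by_action"].items()):
        lines.append(f"  {act:<18}{n}")
    lines.append("Live-location hits (verify these files are really gone):")
    for h in result["live"]:
        lines.append(f"  {h.directory}\\{h.name}  [{h.detection}: {h.action}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(triage(parse_report(SAMPLE_REPORT))))
```

On the sample rows only the system32 `dwrcs.exe` hit is in a live location; everything else was already inside a quarantine folder or a restore point, which is why the follow-up in the thread concentrates on files still present on disk.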

#17
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Seemed to have a problem with the OTM3 step.

Can you delete these files?

C:\Program Files\Symantec AntiVirus\dl.vbe
C:\Program Files\Symantec AntiVirus\s.vbs
C:\WINDOWS\system32\Ipripv32.dll
C:\WINDOWS\system32\Nwsapv32.dll
C:\WINDOWS\system32\WmdmPv32.dll

#18
PeggyV (Member, Topic Starter, 15 posts)
Hello -- Yes, I was able to delete all 5 of those files. Anything else?

Thanks,

~Peggy V.

#19
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Yep, a bit more.

  • Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
  • Under File Age at the top, change it from 30 days to 90 days.
  • Under Additional Scans check the boxes beside Reg - ActiveX StubPath, Reg - App Paths, Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - ICQ Agent, Reg - NetSvcs, Reg - Print Monitors, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs (Last 10 Errors).
  • Under Rootkit Search change it to Yes.
  • Under the Custom Scans box at the bottom left paste the following in:

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
    %systemroot%\*.lte
    %systemroot%\*.smf
    %systemroot%\*.tsp
    %systemroot%\Prefetch\*.* /s
    %systemroot%\system32\drivers\*.dat
    %systemroot%\system32\*.aef
    %systemroot%\system32\drivers\*.aef
    %systemroot%\Temp\bca4e2da.$$$
    %systemroot%\Temp\ed47fa.$
    %systemroot%\Temp\fa56d7ec.$$$
    %systemroot%\Temp\*.$$$
    %systemroot%\System32\antiwpa.dll
    %systemroot%\SYSTEM32\wpa.dll
    %systemroot%\setup\scripts\biestart.exe
    %systemroot%\system32\drivers\royal.sys
    %System%\AcroIeHelpe.dll
    %SYSTEMDRIVE%\*.epk
    %systemroot%\*.epk
    %systemroot%\system32\*.epk
    %systemroot%\system32\bb*.dat
    %systemroot%\system32\cookie*.dat
    %systemroot%\system32\kaxs.dat
    %systemroot%\system32\ps*.dat
    %systemroot%\system32\*32.sys
    %systemroot%\*.dr
    %SYSTEMDRIVE%\*.dr
    %systemroot%\system32\*.dr
    %systemroot%\system32\nods32.dll
    %systemroot%\*.res
    %SYSTEMDRIVE%\*.res
    %systemroot%\system32\*.res
    %systemroot%\system32\sockins32.dll
    %systemroot%\system32\Spool\*.*
    %systemroot%\system32\Spool\*.exe
    %systemroot%\system32\Spool\*.rar /s
    %systemroot%\system32\Spool\*.zip /s
    %systemroot%\system32\Spool\*.dat /s
    %ProgramFiles%\MSN Messenger\*.zip
    %ProgramFiles%\MSN Messenger\*.exe
    %ProgramFiles%\MSN Messenger\*.rar.
    %SYSTEMDRIVE%\*.zip
    %SYSTEMDRIVE%\*.rar
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\*.dll
    %systemroot%\*.zip
    %systemroot%\*.rar
    %systemroot%\system32\*.zip
    %systemroot%\system32\*.rar
    %PROGRAMFILES%\*.*
    %DESKTOP%\*.zip
    %DESKTOP%\*.rar
    %DESKTOP%\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %PROGRAMFILES%\Common Files\*bak*.
    %systemroot%\SYSTEM32\*bak*.
    %PROGRAMFILES%\*bak*.
    %systemroot%\ime\imjp8_1\*bak*.
    %PROGRAMFILES%\QuickTime\*bak*.
    %PROGRAMFILES%\Viewpoint\Viewpoint Manager\*bak*.
    %PROGRAMFILES%\Analog Devices\Core\*bak*.
    %SYSTEMDRIVE%\hp\KBD\*bak*.
    %PROGRAMFILES%\Adobe\Photoshop Album Starter Edition\3.2\Apps\*bak*.
    %PROGRAMFILES%\BillP Studios\WinPatrol\*bak*.
    %PROGRAMFILES%\BroadJump\Client Foundation\*bak*.
    %PROGRAMFILES%\Common Files\Real\Update_OB\*bak*.
    %PROGRAMFILES%\Common Files\Sonic\Update Manager\*bak*.
    %PROGRAMFILES%\\Google\GoogleToolbarNotifier\*bak*.
    %PROGRAMFILES%\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\*bak*.
    %PROGRAMFILES%\Yahoo!\Messenger\*bak*.
    %USERNAME%\*.zip
    %USERNAME%\*.rar
    %USERNAME%\*.exe
    %USERPROFILE%\*.zip
    %USERPROFILE%\*.rar
    %USERPROFILE%\*.exe
    %ALLUSERSPROFILE%\*.zip
    %ALLUSERSPROFILE%\*.rar
    %ALLUSERSPROFILE%\*.exe
    %SYSTEMDRIVE%\*.
    %PROGRAMFILES%\*.
    %PROGRAMFILES%\Internet Explorer\*.*
    %PROGRAMFILES%\Internet Explorer\PLUGINS\*.*
    %PROGRAMFILES%\Internet Explorer\*.zip /s
    %PROGRAMFILES%\Internet Explorer\*.rar /s
    %PROGRAMFILES%\Internet Explorer\*.exe /s
    %SYSTEMDRIVE%\*.dat
    %SYSTEMDRIVE%\*.sys
    %SYSTEMROOT%\*.dat
    %SYSTEMROOT%\*.sys
    %systemroot%\system32\drivers\*.exe /s
    %systemroot%\system32\drivers\*.zip /s
    %systemroot%\system32\drivers\*.rar /s
    %systemroot%\system\*.exe /s
    %systemroot%\system\*.zip /s
    %systemroot%\system\*.rar /s
    %systemroot%\AppPatch\*.exe /s
    %systemroot%\AppPatch\*.zip /s
    %systemroot%\AppPatch\*.rar /s
    %systemroot%\Cache\*.*
    %systemroot%\Downloaded Program Files\*.*
    %systemroot%\Fonts\*.exe /s
    %systemroot%\Fonts\*.zip /s
    %systemroot%\Fonts\*.rar /s
    %systemroot%\Fonts\*.dll /s
    %systemroot%\Help\*.exe /s
    %systemroot%\Help\*.zip /s
    %systemroot%\Help\*.rar /s
    %systemroot%\Tasks\*.*
    %APPDATA%\*.sys
    %APPDATA%\Google\*.*
    %systemroot%\system32\serauth1.dll
    %systemroot%\system32\serauth2.dll
    %systemroot%\system32\sysaudio.sys
    %systemroot%\system32\wdmaud.sys
    %systemroot%\system32\aeaudio.sys
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\serauth1.dll /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\serauth2.dll /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\sysaudio.sys /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\aeaudio.sys /rs
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32|system32\wdmaud.sys /rs
    %PROGRAMFILES%\*TinyProxy*.
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla|extensions /rs
    %systemroot%\system32\inf\*.exe /s
    %systemroot%\system32\inf\*.zip /s
    %systemroot%\system32\inf\*.rar /s
    %systemroot%\system32\inf\*.dll /s
    %APPDATA%\Opera\Opera\profile\widgets\*.*
    %PROGRAMFILES%\Opera\program\plugins\*.* /s
    %APPDATA%\Opera\Opera\profile\toolbar\*.* /s
    %systemroot%\Web\*.exe /s
    %systemroot%\Web\*.dat /s
    %systemroot%\Web\*.dll /s
    %systemroot%\Web\*.sys /s
    %systemroot%\Web\*.zip /s
    %systemroot%\Web\*.rar /s
    %systemroot%\Wbem\*.exe /s
    %systemroot%\Wbem\*.rar /s
    %systemroot%\Wbem\*.zip /s
    %systemroot%\Wbem\*.dll /s
    %systemroot%\Wbem\*.sys /s
    %systemroot%\Wbem\*.dat /s
    %systemroot%\twain_32\*.exe
    %systemroot%\twain_32\*.dat
    %systemroot%\twain_32\*.dll
    %systemroot%\twain_32\*.sys /s
    %systemroot%\twain_32\*.zip /s
    %systemroot%\twain_32\*.rar /s
    %systemroot%\system\*.sys /s
    %systemroot%\system\*.dat /s
    %systemroot%\WinSxS\*.exe /s
    %systemroot%\WinSxS\*.dat /s
    %systemroot%\WinSxS\*.sys /s
    %systemroot%\WinSxS\*.zip /s
    %systemroot%\WinSxS\*.rar /s
    %systemroot%\Sun\*.dll /s
    %systemroot%\Sun\*.rar /s
    %systemroot%\Sun\*.zip /s
    %systemroot%\Sun\*.exe /s
    %systemroot%\Sun\*.sys /s
    %systemroot%\Sun\*.dat /s
    %systemroot%\srchasst\*.rar /s
    %systemroot%\srchasst\*.zip /s
    %systemroot%\srchasst\*.exe /s
    %systemroot%\srchasst\*.dat /s
    %systemroot%\srchasst\*.sys /s
    %systemroot%\Shellnew\*.rar /s
    %systemroot%\Shellnew\*.zip /s
    %systemroot%\Shellnew\*.dat /s
    %systemroot%\Shellnew\*.exe /s
    %systemroot%\Shellnew\*.sys /s
    %systemroot%\Shellnew\*.dll /s
    %systemroot%\Security\*.rar /s
    %systemroot%\Security\*.zip /s
    %systemroot%\Security\*.dat /s
    %systemroot%\Security\*.exe /s
    %systemroot%\Security\*.sys /s
    %systemroot%\Security\*.dll /s
    %systemroot%\Resources\*.rar /s
    %systemroot%\Resources\*.zip /s
    %systemroot%\Resources\*.dat /s
    %systemroot%\Resources\*.exe /s
    %systemroot%\Resources\*.sys /s
    %systemroot%\Repair\*.sys /s
    %systemroot%\Repair\*.exe /s
    %systemroot%\Repair\*.dll /s
    %systemroot%\Repair\*.zip /s
    %systemroot%\Repair\*.rar /s
    %systemroot%\Registration\*.exe /s
    %systemroot%\Registration\*.dat /s
    %systemroot%\Registration\*.zip /s
    %systemroot%\Registration\*.rar /s
    %systemroot%\Registration\*.dll /s
    %systemroot%\Registration\*.sys /s
    %systemroot%\RegisteredPackages\*.rar /s
    %systemroot%\RegisteredPackages\*.zip /s
    %systemroot%\pss\*.rar /s
    %systemroot%\pss\*.zip /s
    %systemroot%\pss\*.exe /s
    %systemroot%\pss\*.dll /s
    %systemroot%\pss\*.dat /s
    %systemroot%\pss\*.sys /s
    %systemroot%\Provisioning\*.rar /s
    %systemroot%\Provisioning\*.zip /s
    %systemroot%\Provisioning\*.exe /s
    %systemroot%\Provisioning\*.sys /s
    %systemroot%\Provisioning\*.dat /s
    %systemroot%\Provisioning\*.dll /s
    %systemroot%\PIF\*.*
    %systemroot%\PeerNet\*.rar /s
    %systemroot%\PeerNet\*.zip /s
    %systemroot%\PeerNet\*.dat /s
    %systemroot%\PeerNet\*.sys /s
    %systemroot%\PeerNet\*.exe /s
    %systemroot%\PcTel\*.rar /s
    %systemroot%\PcTel\*.zip /s
    %systemroot%\Offline Web Pages\*.exe /s
    %systemroot%\Offline Web Pages\*.zip /s
    %systemroot%\Offline Web Pages\*.rar /s
    %systemroot%\Offline Web Pages\*.sys /s
    %systemroot%\Offline Web Pages\*.dat /s
    %systemroot%\network diagnostic\*.sys /s
    %systemroot%\network diagnostic\*.rar /s
    %systemroot%\network diagnostic\*.zip /s
    %systemroot%\network diagnostic\*.dat /s
    %systemroot%\mui\*.*
    %systemroot%\msapps\*.*
    %systemroot%\msagent\*.zip /s
    %systemroot%\msagent\*.rar /s
    %systemroot%\msagent\*.sys /s
    %systemroot%\msagent\*.dat /s
    %systemroot%\minidump\*.*
    %systemroot%\media\*.sys /s
    %systemroot%\media\*.dat /s
    %systemroot%\media\*.rar /s
    %systemroot%\media\*.zip /s
    %systemroot%\media\*.exe /s
    %systemroot%\media\*.dll /s
    %systemroot%\Help\*.sys /s
    %systemroot%\Help\*.dat /s
    %systemroot%\ie7\*.sys /s
    %systemroot%\ie7\*.zip /s
    %systemroot%\ie7\*.rar /s
    %systemroot%\ie7\*.dat /s
    %systemroot%\ie7updates\*.sys /s
    %systemroot%\ie7updates\*.zip /s
    %systemroot%\ie7updates\*.rar /s
    %systemroot%\ime\*.sys /s
    %systemroot%\ime\*.zip /s
    %systemroot%\ime\*.rar /s
    %systemroot%\inf\*.sys /s
    %systemroot%\inf\*.dat /s
    %systemroot%\installer\*.sys /s
    %systemroot%\installer\*.zip /s
    %systemroot%\installer\*.rar /s
    %systemroot%\installer\*.dat /s
    %systemroot%\internet logs\*.sys /s
    %systemroot%\Cursors\*.rar /s
    %systemroot%\Cursors\*.sys /s
    %systemroot%\Cursors\*.exe /s
    %systemroot%\Cursors\*.dat /s
    %systemroot%\Cursors\*.zip /s
    %systemroot%\Cursors\*.vbs /s
    %systemroot%\Cursors\*.dll /s
    %systemroot%\Config\*.*
    %systemroot%\Config\*.rar /s
    %systemroot%\Config\*.sys /s
    %systemroot%\Config\*.exe /s
    %systemroot%\Config\*.dat /s
    %systemroot%\internet logs\*.dat /s
    %systemroot%\Assembly\*sys /s
    %systemroot%\Assembly\*.rar /s
    %systemroot%\internet logs\*.rar /s
    %systemroot%\AppPatch\*.sys
    %systemroot%\AppPatch\*.dat
    %systemroot%\internet logs\*.zip /s
    %systemroot%\internet logs\*.exe /s
    %systemroot%\internet logs\*.dll /s
    %systemroot%\l2schemas\*.sys /s
    %systemroot%\l2schemas\*.dat /s
    %systemroot%\l2schemas\*.rar /s
    %systemroot%\l2schemas\*.zip /s
    %systemroot%\l2schemas\*.exe /s
    %systemroot%\l2schemas\*.dll /s
    %systemroot%\Fonts\*.dat /s
    %systemroot%\Fonts\*.sys /s
    %systemroot%\Debug\*.rar /s
    %systemroot%\Debug\*.sys /s
    %systemroot%\Debug\*.exe /s
    %systemroot%\Debug\*.dat /s
    %systemroot%\Debug\*.zip /s
    %systemroot%\Debug\*.dll /s
    %systemroot%\ehome\*.dll /s
    %systemroot%\ehome\*.sys /s
    %systemroot%\ehome\*.rar /s
    %systemroot%\ehome\*.dat /s
    %systemroot%\ehome\*.zip /s
    %systemroot%\Connection Wizard\*.dat /s
    %systemroot%\Connection Wizard\*.exe /s
    %systemroot%\Connection Wizard\*.sys /s
    %systemroot%\Connection Wizard\*.rar /s
    %systemroot%\Connection Wizard\*.zip /s
    %systemroot%\Connection Wizard\*.*
    %systemroot%\system32\1025\*.*
    %systemroot%\system32\1028\*.*
    %systemroot%\system32\1031\*.*
    %systemroot%\system32\1033\*.exe
    %systemroot%\system32\1033\*.sys
    %systemroot%\system32\1033\*.zip
    %systemroot%\system32\1033\*.rar
    %systemroot%\system32\1033\*.dat
    %systemroot%\system32\1037\*.*
    %systemroot%\system32\1041\*.*
    %systemroot%\system32\1042\*.*
    %systemroot%\system32\1054\*.*
    %systemroot%\system32\2052\*.*
    %systemroot%\system32\3076\*.*
    %systemroot%\system32\appmgmt\*.exe /s
    %systemroot%\system32\appmgmt\*.sys /s
    %systemroot%\system32\appmgmt\*.dll /s
    %systemroot%\system32\appmgmt\*.dat /s
    %systemroot%\system32\appmgmt\*.zip /s
    %systemroot%\system32\appmgmt\*.rar /s
    %systemroot%\system32\bits\*.rar /s
    %systemroot%\system32\bits\*.zip /s
    %systemroot%\system32\bits\*.exe /s
    %systemroot%\system32\bits\*.dat /s
    %systemroot%\system32\bits\*.sys /s
    %systemroot%\system32\catroot\*.rar /s
    %systemroot%\system32\catroot\*.zip /s
    %systemroot%\system32\catroot\*.dll /s
    %systemroot%\system32\catroot\*.sys /s
    %systemroot%\system32\catroot\*.exe /s
    %systemroot%\system32\catroot\*.dat /s
    %systemroot%\system32\catroot2\*.rar /s
    %systemroot%\system32\catroot2\*.zip /s
    %systemroot%\system32\catroot2\*.exe /s
    %systemroot%\system32\catroot2\*.dat /s
    %systemroot%\system32\catroot2\*.dll /s
    %systemroot%\system32\catroot2\*.sys /s
    %systemroot%\system32\com\*.sys /s
    %systemroot%\system32\com\*.zip /s
    %systemroot%\system32\com\*.rar /s
    %systemroot%\system32\config\*.rar /s
    %systemroot%\system32\config\*.zip /s
    %systemroot%\system32\config\*.sys /s
    %systemroot%\system32\config\*.dll /s
    %systemroot%\system32\config\*.exe /s
    %systemroot%\system32\dhcp\*.*
    %systemroot%\system32\DirectX\*.rar /s
    %systemroot%\system32\DirectX\*.zip /s
    %systemroot%\system32\DirectX\*.sys /s
    %systemroot%\system32\DirectX\*.dll /s
    %systemroot%\system32\DirectX\*.exe /s
    %systemroot%\system32\DirectX\*.dat /s
    %systemroot%\system32\Dllcache\*.zip /s
    %systemroot%\system32\Dllcache\*.rar /s
    %systemroot%\system32\drivers\*.dat
    %systemroot%\system32\drivers\*.exe /s
    %systemroot%\system32\drivers\*.zip /s
    %systemroot%\system32\drivers\*.rar /s
    %systemroot%\system32\drvstore\*.dat
    %systemroot%\system32\drvstore\*.exe /s
    %systemroot%\system32\drvstore\*.zip /s
    %systemroot%\system32\drvstore\*.rar /s
    %systemroot%\system32\en\*.dat /s
    %systemroot%\system32\en\*.exe /s
    %systemroot%\system32\en\*.zip /s
    %systemroot%\system32\en\*.rar /s
    %systemroot%\system32\en\*.sys /s
    %systemroot%\system32\en\*.sys /s
    %systemroot%\system32\en\*.dat /s
    %systemroot%\system32\en-us\*.exe /s
    %systemroot%\system32\en-us\*.zip /s
    %systemroot%\system32\en-us\*.rar /s
    %systemroot%\system32\en-us\*.dll /s
    %systemroot%\system32\export\*.*
    %systemroot%\system32\GroupPolicy\*.sys /s
    %systemroot%\system32\GroupPolicy\*.dat /s
    %systemroot%\system32\GroupPolicy\*.exe /s
    %systemroot%\system32\GroupPolicy\*.zip /s
    %systemroot%\system32\GroupPolicy\*.rar /s
    %systemroot%\system32\GroupPolicy\*.dll /s
    %systemroot%\system32\ias\*.sys /s
    %systemroot%\system32\ias\*.dat /s
    %systemroot%\system32\ias\*.exe /s
    %systemroot%\system32\ias\*.zip /s
    %systemroot%\system32\ias\*.rar /s
    %systemroot%\system32\ias\*.dll /s
    %systemroot%\system32\icsxml\*.sys /s
    %systemroot%\system32\icsxml\*.dat /s
    %systemroot%\system32\icsxml\*.exe /s
    %systemroot%\system32\icsxml\*.zip /s
    %systemroot%\system32\icsxml\*.rar /s
    %systemroot%\system32\icsxml\*.dll /s
    %systemroot%\system32\ime\*.sys /s
    %systemroot%\system32\ime\*.dat /s
    %systemroot%\system32\ime\*.zip /s
    %systemroot%\system32\ime\*.rar /s
    %systemroot%\system32\inetsrv\*.sys /s
    %systemroot%\system32\inetsrv\*.dat /s
    %systemroot%\system32\inetsrv\*.exe /s
    %systemroot%\system32\inetsrv\*.zip /s
    %systemroot%\system32\inetsrv\*.rar /s
    %systemroot%\system32\LogFiles\*.sys /s
    %systemroot%\system32\LogFiles\*.dat /s
    %systemroot%\system32\LogFiles\*.exe /s
    %systemroot%\system32\LogFiles\*.zip /s
    %systemroot%\system32\LogFiles\*.rar /s
    %systemroot%\system32\LogFiles\*.dll /s
    %systemroot%\system32\Macromed\*.sys /s
    %systemroot%\system32\Macromed\*.dat /s
    %systemroot%\system32\Macromed\*.zip /s
    %systemroot%\system32\Macromed\*.rar /s
    %systemroot%\system32\Microsoft\*.sys /s
    %systemroot%\system32\Microsoft\*.dat /s
    %systemroot%\system32\Microsoft\*.exe /s
    %systemroot%\system32\Microsoft\*.zip /s
    %systemroot%\system32\Microsoft\*.rar /s
    %systemroot%\system32\Microsoft\*.dll /s
    %systemroot%\system32\Msdtc\*.sys /s
    %systemroot%\system32\Msdtc\*.dat /s
    %systemroot%\system32\Msdtc\*.exe /s
    %systemroot%\system32\Msdtc\*.zip /s
    %systemroot%\system32\Msdtc\*.rar /s
    %systemroot%\system32\Msdtc\*.dll /s
    %systemroot%\system32\Mui\*.sys /s
    %systemroot%\system32\Mui\*.dat /s
    %systemroot%\system32\Mui\*.exe /s
    %systemroot%\system32\Mui\*.zip /s
    %systemroot%\system32\Mui\*.rar /s
    %systemroot%\system32\npp\*.sys /s
    %systemroot%\system32\npp\*.dat /s
    %systemroot%\system32\npp\*.zip /s
    %systemroot%\system32\npp\*.rar /s
    %systemroot%\system32\NtMsData\*.sys /s
    %systemroot%\system32\NtMsData\*.dat /s
    %systemroot%\system32\NtMsData\*.exe /s
    %systemroot%\system32\NtMsData\*.zip /s
    %systemroot%\system32\NtMsData\*.rar /s
    %systemroot%\system32\NtMsData\*.dll /s
    %systemroot%\system32\oobe\*.sys /s
    %systemroot%\system32\oobe\*.dat /s
    %systemroot%\system32\oobe\*.zip /s
    %systemroot%\system32\oobe\*.rar /s
    %systemroot%\system32\PreInstall\*.sys /s
    %systemroot%\system32\PreInstall\*.dat /s
    %systemroot%\system32\PreInstall\*.exe /s
    %systemroot%\system32\PreInstall\*.zip /s
    %systemroot%\system32\PreInstall\*.rar /s
    %systemroot%\system32\PreInstall\*.dll /s
    %systemroot%\system32\ras\*.sys /s
    %systemroot%\system32\ras\*.dat /s
    %systemroot%\system32\ras\*.exe /s
    %systemroot%\system32\ras\*.zip /s
    %systemroot%\system32\ras\*.rar /s
    %systemroot%\system32\ras\*.dll /s
    %systemroot%\system32\ReInstallBackups\*.dat /s
    %systemroot%\system32\ReInstallBackups\*.zip /s
    %systemroot%\system32\ReInstallBackups\*.rar /s
    %systemroot%\system32\Restore\*.sys /s
    %systemroot%\system32\Restore\*.zip /s
    %systemroot%\system32\Restore\*.rar /s
    %systemroot%\system32\Restore\*.dll /s
    %systemroot%\system32\Scripting\*.sys /s
    %systemroot%\system32\Scripting\*.dat /s
    %systemroot%\system32\Scripting\*.exe /s
    %systemroot%\system32\Scripting\*.zip /s
    %systemroot%\system32\Scripting\*.rar /s
    %systemroot%\system32\Scripting\*.dll /s
    %systemroot%\system32\Setup\*.sys /s
    %systemroot%\system32\Setup\*.dat /s
    %systemroot%\system32\Setup\*.exe /s
    %systemroot%\system32\Setup\*.zip /s
    %systemroot%\system32\Setup\*.rar /s
    %systemroot%\system32\ShellExt\*.*
    %systemroot%\system32\SoftwareDistribution\*.sys /s
    %systemroot%\system32\SoftwareDistribution\*.dat /s
    %systemroot%\system32\SoftwareDistribution\*.exe /s
    %systemroot%\system32\SoftwareDistribution\*.zip /s
    %systemroot%\system32\SoftwareDistribution\*.rar /s
    %systemroot%\system32\URTTEmp\*.sys /s
    %systemroot%\system32\URTTEmp\*.dat /s
    %systemroot%\system32\URTTEmp\*.zip /s
    %systemroot%\system32\URTTEmp\*.rar /s
    %systemroot%\system32\USMT\*.sys /s
    %systemroot%\system32\USMT\*.dat /s
    %systemroot%\system32\USMT\*.zip /s
    %systemroot%\system32\USMT\*.rar /s
    %systemroot%\system32\Wbem\*.sys /s
    %systemroot%\system32\Wbem\*.zip /s
    %systemroot%\system32\Wbem\*.rar /s
    %systemroot%\system32\Wins\*.*
    %systemroot%\system32\Xircom\*.*
    %systemroot%\system32\XPSViewer\*.sys /s
    %systemroot%\system32\XPSViewer\*.dat /s
    %systemroot%\system32\XPSViewer\*.zip /s
    %systemroot%\system32\XPSViewer\*.rar /s
    %systemroot%\system32\XPSViewer\*.dll /s
    %COMMONPROGRAMFILES%\*.sys /s
    %COMMONPROGRAMFILES%\*.zip /s
    %COMMONPROGRAMFILES%\*.rar /s
    %COMMONPROGRAMFILES%\*.*
    %ProgramFiles%\Movie Maker\*.dll
    %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
    %systemroot%\java\apps\*.*
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    %systemroot%\winstart.bat
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts|Startup /rs
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    %systemroot%\system32\basequu32.dll
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath




  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.
#20
PeggyV
    Member
  • Topic Starter
  • Member
  • 15 posts
I'm attaching the OTScanIt2 log:


Thanks,

~Peggy

Attached Files


#21
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Start OTScanIt2. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> KernelFaultCheck hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
*PendingFileRenameOperations* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations
YN -> \??\C:\Documents and Settings\Em\Local Settings\temp\~DF46CD.tmp [\??\C:\Documents and Settings\Em\Local Settings\temp\~DF46CD.tmp] -> %UserProfile%\Local Settings\temp\~DF46CD.tmp [%UserProfile%\Local Settings\temp\~DF46CD.tmp]
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
[Files/Folders - Created Within 90 Days]
NY -> DoctorWeb -> %UserProfile%\DoctorWeb
NY -> _OTMoveIt -> %SystemDrive%\_OTMoveIt
NY -> SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe
NY -> SWREG.exe -> %SystemRoot%\SWREG.exe
NY -> SWSC.exe -> %SystemRoot%\SWSC.exe
NY -> sed.exe -> %SystemRoot%\sed.exe
NY -> fdsv.exe -> %SystemRoot%\fdsv.exe
NY -> grep.exe -> %SystemRoot%\grep.exe
NY -> zip.exe -> %SystemRoot%\zip.exe
NY -> VFIND.exe -> %SystemRoot%\VFIND.exe
NY -> NIRCMD.exe -> %SystemRoot%\NIRCMD.exe
NY -> Qoobox -> %SystemDrive%\Qoobox
[Custom Scans]
*snwery* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\snwery
YN -> snwery ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*cxkwkp* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\cxkwkp
YN -> cxkwkp ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*ResMan* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\ResMan
YN -> ResMan ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*uzdoax* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\uzdoax
YN -> uzdoax ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*WinErp* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\WinErp
YN -> WinErp ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*winErs* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\winErs
YN -> winErs ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*xxcsdl* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\xxcsdl
YN -> xxcsdl ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*krnlsvc* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\krnlsvc
YN -> MediapCentere ->
YN -> ND SETTINGS\ ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*Symants* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\Symants
YN -> Symants ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*netsvc* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\netsvc
YN -> netsvc ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*irorcj* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\irorcj
YN -> irorcj ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
*arxmxo* -> HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\arxmxo
YN -> arxmxo ->
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost > ->
NY -> _OTMoveIt -> C:\_OTMoveIt
NY -> _OTScanIt -> C:\_OTScanIt
NY -> Qoobox -> C:\Qoobox
[Alternate Data Streams]
NY -> @Alternate Data Stream - 19182 bytes -> %SystemRoot%\commonXP_20080727.vbs:Undo
NY -> @Alternate Data Stream - 21608 bytes -> %SystemRoot%\commonXP_20080824.vbs:Undo
NY -> @Alternate Data Stream - 364 bytes -> %SystemRoot%\commonXP_20080109.vbs:Undo
NY -> @Alternate Data Stream - 6555 bytes -> %SystemRoot%\commonXP_20080327.vbs:Undo
NY -> @Alternate Data Stream - 8 bytes -> %SystemRoot%\commonXP_20080109.vbs:Bookmarks
NY -> @Alternate Data Stream - 8 bytes -> %SystemRoot%\commonXP_20080327.vbs:Bookmarks
NY -> @Alternate Data Stream - 8 bytes -> %SystemRoot%\commonXP_20080727.vbs:Bookmarks
NY -> @Alternate Data Stream - 8 bytes -> %SystemRoot%\commonXP_20080824.vbs:Bookmarks
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.




Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.
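The fix above targets two things worth being able to audit yourself: service-group values under the Svchost registry key whose names are not part of a stock install (snwery, cxkwkp, krnlsvc and the others in the [Custom Scans] section), and alternate data streams attached to .vbs files in %SystemRoot%. The PowerShell below is an added audit script written for this thread, not OTScanIt2 code and not from the original post; it assumes PowerShell 3.0 or later in an elevated prompt, and its $KnownGroups baseline is a constructed sample that should be replaced with a list taken from a clean machine of the same Windows build.

```powershell
# Added audit script for this thread (not OTScanIt2 code). Assumptions: PowerShell 3.0+
# (needed for -Stream and -File), elevated prompt so HKLM and %SystemRoot% are readable.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Constructed baseline of group names a stock install registers under the Svchost key.
# Not authoritative: build the real list from a known-clean machine of the same build.
$KnownGroups = @('DcomLaunch', 'netsvcs', 'NetworkService', 'LocalService',
                 'LocalSystemNetworkRestricted', 'LocalServiceNetworkRestricted',
                 'LocalServiceNoNetwork', 'LocalServiceAndNoImpersonation',
                 'rpcss', 'imgsvc', 'termsvcs', 'wcssvc', 'WerSvcGroup')

function Test-SvchostMember {
    # Resolve one service name listed in a group to its ServiceDll and check it.
    param([string]$Group, [string]$Service)
    $result = [ordered]@{ Group = $Group; Service = $Service; ServiceDll = $null; Finding = $null }

    $svcKey = Join-Path $ServicesKey $Service
    if (-not (Test-Path $svcKey)) {
        # The group names a service that does not exist; in the thread's log the
        # rogue groups pointed at same-named services that were later deleted.
        $result.Finding = 'service key missing'
        return [pscustomobject]$result
    }

    $params = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) {
        $result.Finding = 'no ServiceDll under Parameters (review: not a normal svchost-hosted service)'
        return [pscustomobject]$result
    }

    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $result.ServiceDll = $dll
    if (-not (Test-Path $dll)) {
        $result.Finding = 'ServiceDll not on disk'
    } else {
        # Many OS DLLs are catalog-signed, which older PowerShell/Windows builds report
        # as NotSigned, so treat anything other than Valid as "review", not as a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $result.Finding = "ServiceDll signature: $($sig.Status)" }
    }
    return [pscustomobject]$result
}

function Get-SvchostGroupFindings {
    # Walk every value under the Svchost key: the value name is the group, the
    # REG_MULTI_SZ data lists the services svchost.exe loads into that group.
    $key = Get-Item -Path $SvchostKey
    foreach ($group in $key.GetValueNames()) {
        if ($group -eq '') { continue }                  # skip the (Default) value
        if ($KnownGroups -notcontains $group) {
            [pscustomobject]@{ Group = $group; Service = $null; ServiceDll = $null
                               Finding = 'group name not in baseline' }
        }
        foreach ($svc in @($key.GetValue($group))) {
            if (-not $svc) { continue }
            Test-SvchostMember -Group $group -Service $svc
        }
    }
}

function Get-VbsAlternateStreams {
    # The fix in the thread removed :Undo and :Bookmarks streams on commonXP_*.vbs.
    # List every non-default stream on .vbs files in %SystemRoot% for review.
    Get-ChildItem -Path (Join-Path $env:SystemRoot '*.vbs') -File -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Get-SvchostGroupFindings | Where-Object { $_.Finding } | Format-Table -AutoSize
Get-VbsAlternateStreams | Format-Table -AutoSize
```

A clean system should produce an empty findings table; anything reported is a starting point for comparison against a known-good machine, not proof of infection on its own.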
#22
PeggyV
    Member
  • Topic Starter
  • Member
  • 15 posts
Here's the last 2 logs you requested. The machine didn't want to shut down after the OTScanIt2 ran. It tried to reboot, but sat there on a blue screen with a message box that said "saving settings" and wouldn't shut down. I had to force it. (But it has done that periodically.):

[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations not found.
[Files/Folders - Created Within 90 Days]
C:\Documents and Settings\Em\DoctorWeb\Quarantine folder moved successfully.
C:\Documents and Settings\Em\DoctorWeb folder moved successfully.
C:\_OTMoveIt\MovedFiles\03292009_101545 folder moved successfully.
C:\_OTMoveIt\MovedFiles\03292009_101055 folder moved successfully.
C:\_OTMoveIt\MovedFiles\03292009_101002 folder moved successfully.
C:\_OTMoveIt\MovedFiles folder moved successfully.
C:\_OTMoveIt folder moved successfully.
C:\WINDOWS\SWXCACLS.exe moved successfully.
C:\WINDOWS\SWREG.exe moved successfully.
C:\WINDOWS\SWSC.exe moved successfully.
C:\WINDOWS\sed.exe moved successfully.
C:\WINDOWS\fdsv.exe moved successfully.
C:\WINDOWS\grep.exe moved successfully.
C:\WINDOWS\zip.exe moved successfully.
C:\WINDOWS\VFIND.exe moved successfully.
C:\WINDOWS\NIRCMD.exe moved successfully.
C:\Qoobox\Quarantine\Registry_backups folder moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32 folder moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS folder moved successfully.
C:\Qoobox\Quarantine\C folder moved successfully.
C:\Qoobox\Quarantine folder moved successfully.
C:\Qoobox\BackEnv folder moved successfully.
C:\Qoobox folder moved successfully.
[Custom Scans]
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\snwery:snwery deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\cxkwkp:cxkwkp deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\ResMan:ResMan deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\uzdoax:uzdoax deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\WinErp:WinErp deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\winErs:winErs deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\xxcsdl:xxcsdl deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\krnlsvc:MediapCentere deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\krnlsvc:ND SETTINGS\ scheduled to be deleted on reboot.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\Symants:Symants deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\netsvc:netsvc deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\irorcj:irorcj deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\arxmxo:arxmxo deleted successfully.
File/Folder C:\_OTMoveIt not found.
C:\_OTScanIt\MovedFiles\03312009_122859\C__OTMoveIt\MovedFiles\03292009_101545 folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C__OTMoveIt\MovedFiles\03292009_101055 folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C__OTMoveIt\MovedFiles\03292009_101002 folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C__OTMoveIt\MovedFiles folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C__OTMoveIt folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_WINDOWS folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox\Quarantine\Registry_backups folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox\Quarantine\C\WINDOWS\system32 folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox\Quarantine\C\WINDOWS folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox\Quarantine\C folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox\Quarantine folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox\BackEnv folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Qoobox folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Documents and Settings\Em\DoctorWeb\Quarantine folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Documents and Settings\Em\DoctorWeb folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Documents and Settings\Em folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_Documents and Settings folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_\_OTMoveIt folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_\Qoobox folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859\C_ folder moved successfully.
C:\_OTScanIt\MovedFiles\03312009_122859 folder moved successfully.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_183445 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\_OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\Rooter$ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102 scheduled to be moved on reboot.
C:\_OTScanIt\MovedFiles folder moved successfully.
C:\_OTScanIt folder moved successfully.
File/Folder C:\Qoobox not found.
[Alternate Data Streams]
ADS C:\WINDOWS\commonXP_20080727.vbs:Undo deleted successfully.
ADS C:\WINDOWS\commonXP_20080824.vbs:Undo deleted successfully.
ADS C:\WINDOWS\commonXP_20080109.vbs:Undo deleted successfully.
ADS C:\WINDOWS\commonXP_20080327.vbs:Undo deleted successfully.
ADS C:\WINDOWS\commonXP_20080109.vbs:Bookmarks deleted successfully.
ADS C:\WINDOWS\commonXP_20080327.vbs:Bookmarks deleted successfully.
ADS C:\WINDOWS\commonXP_20080727.vbs:Bookmarks deleted successfully.
ADS C:\WINDOWS\commonXP_20080824.vbs:Bookmarks deleted successfully.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.9.1 fix logfile created on 03312009_122859

Files moved on Reboot...
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_183445 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_183445 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_183445 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\_OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\Rooter$ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\_OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\Rooter$ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_183445 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931\Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles\03262009_182931 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt\MovedFiles scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C__OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings\Temp scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config\systemprofile scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32\config scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS\System32 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_WINDOWS scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Program Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService\Local Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\LocalService scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft\Network scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data\Microsoft scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users\Application Data scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings\All Users scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_Documents and Settings scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\_OTListIt scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_\Rooter$ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102\C_ scheduled to be moved on reboot.
Folder move failed. C:\_OTScanIt\MovedFiles\03272009_091102 scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\\krnlsvc:ND SETTINGS\ scheduled to be deleted on reboot.

GooredFix v1.92 by jpshortstuff
Log created at 12:50 on 31/03/2009 running Option #1 (Em)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


Thanks,

~Peggy V.

#23
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
one final scan

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#24
PeggyV

    Member

  • Topic Starter
  • Member
  • 15 posts
Hello -- Here's the log:

ComboFix 09-03-31.01 - Em 2009-03-31 14:12:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1180 [GMT -5:00]
Running from: c:\documents and settings\Em\Desktop\ComboFix.exe
FW: Symantec Endpoint Protection *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-28 11:10 . 2009-03-28 11:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-28 11:10 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-28 11:10 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-27 12:11 . 2009-03-27 12:11 <DIR> d-------- c:\program files\Support Tools
2009-03-27 09:11 . 2009-03-27 09:11 <DIR> d-------- C:\_OTScanIt
2009-03-26 21:19 . 2009-03-27 09:11 <DIR> d-------- c:\windows\OTScanIt2
2009-03-26 20:02 . 2009-03-29 14:58 <DIR> d-------- C:\tshoot
2009-03-26 18:42 . 2009-03-26 18:42 0 --a------ c:\documents and settings\Em\settings.dat
2009-03-24 16:55 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-23 15:32 . 2009-03-23 15:32 <DIR> d-------- c:\windows\ERUNT
2009-03-22 09:37 . 2009-03-22 09:37 <DIR> d-------- c:\documents and settings\Em\Application Data\Malwarebytes
2009-03-21 23:37 . 2009-03-21 23:37 <DIR> d-------- c:\program files\AVG
2009-03-21 11:35 . 2009-03-21 11:45 <DIR> d-------- c:\documents and settings\Em\Application Data\AdobeUM
2009-03-15 13:17 . 2009-03-26 20:11 <DIR> d--hs---- c:\documents and settings\Em\UserData
2009-03-15 12:38 . 2009-03-31 12:28 <DIR> d-------- c:\documents and settings\Em
2009-03-08 14:44 . 2009-03-26 20:12 <DIR> d-------- c:\program files\Lavasoft
2009-03-08 14:44 . 2009-03-26 20:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 14:18 . 2009-03-26 20:15 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-08 14:18 . 2009-03-26 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 12:27 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-07 16:23 . 2009-03-07 16:23 <DIR> d-------- c:\documents and settings\jokoloc\Application Data\Malwarebytes
2009-03-05 21:48 . 2009-03-05 22:56 <DIR> d-------- c:\documents and settings\jokoloc\.housecall6.6
2009-03-05 21:24 . 2009-03-05 21:24 <DIR> d-------- c:\program files\Trend Micro
2009-03-02 16:01 . 2009-03-02 16:01 0 --a------ c:\windows\nsreg.dat
2009-03-02 15:26 . 2009-03-02 15:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 15:23 . 2009-03-05 20:58 <DIR> d-------- c:\program files\VS Revo Group
2009-02-13 18:57 . 2009-02-13 18:57 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
2009-02-09 18:29 . 2009-02-09 18:30 <DIR> d-------- c:\program files\WinSCP3
2009-02-09 18:29 . 2009-02-09 18:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-09 18:22 . 2009-02-09 18:22 <DIR> d-a------ c:\program files\SAV_win
2009-02-09 18:22 . 2009-02-09 18:22 <DIR> d-a------ c:\program files\SAV_VISTA
2009-02-03 20:39 . 2009-03-09 05:19 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 19:37 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-26 19:44 --------- d-----w c:\program files\Java
2009-03-22 05:42 --------- d-----w c:\program files\Microsoft MapPoint
2009-03-22 05:42 --------- d-----w c:\program files\Microsoft Firewall Client 2004
2009-03-22 05:32 --------- d-----w c:\program files\Common Files\Motive
2009-03-22 05:29 --------- d-----w c:\program files\Apple Software Update
2009-03-22 04:04 4,224 ----a-w c:\windows\system32\drivers\beep.sys
2009-03-21 16:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-21 14:30 --------- d-----w c:\program files\Microsoft Works
2009-03-08 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Aventail
2009-03-08 03:04 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 02:58 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-08 02:54 --------- d-----w c:\program files\Logitech
2009-03-07 21:17 --------- d-----w c:\documents and settings\jokoloc\Application Data\LimeWire
2009-03-06 01:57 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-02 19:23 --------- d-----w c:\program files\Yahoo!
2009-03-02 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-24 21:12 --------- d-----w c:\documents and settings\jokoloc\Application Data\uTorrent
2009-02-22 22:02 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 05:31 --------- d-----w c:\program files\Common Files\Adobe
2009-02-09 20:32 10,240 ----a-w c:\windows\system32\Packer.dll
.

------- Sigcheck -------

2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB935839$\kernel32.dll
2009-02-09 15:32 984576 3ea8b19f01d786fcae249ea2336fbf39 c:\windows\system32\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SetupLD.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sndsrvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spbbcsvc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vcr32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vcrmon.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe ]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xnlscn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2076597496-1563261944-1256410061-83411\Scripts\Logon\0\0]
"Script"=REG_Conf.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Firewall Client Management.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk
backup=c:\windows\pss\Microsoft Firewall Client Management.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-09 05:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Portable Media Serial"=2 (0x2)
"mstsc"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"LBTServ"=3 (0x3)
"KingDuuBa"=2 (0x2)
"iPassConnectEngine"=3 (0x3)
"idsvc"=3 (0x3)
"HCE13QIBP"=2 (0x2)
"FwcAgent"=2 (0x2)
"DWMRCS"=2 (0x2)
"DgVip_Service"=2 (0x2)
"ClipSrv"=2 (0x2)
"ccwiz"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"NgVpnMgr"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=2 (0x2)
"iPCAgent"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"As32Svc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:*:Disabled:Sav Management

R?2 MediapCentere;MS Mediae Control pCenter;c:\windows\System32\svchost.exe -k krnlsvc [2004-08-04 14336]
S2 ResMan;Remote Access Manager Connection ;c:\windows\System32\svchost.exe -k ResMan [2004-08-04 14336]
S2 Symants;Symantec Network Servic;c:\windows\system32\SVCHOST.EXE -k Symants [2004-08-04 14336]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys --> c:\windows\system32\DRIVERS\ngfilter.sys [?]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys --> c:\windows\system32\DRIVERS\nglog.sys [?]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys --> c:\windows\system32\DRIVERS\ngvpn.sys [?]
S4 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [2004-06-09 115544]

--- Other Services/Drivers In Memory ---

*Deregistered* - Dnsresolve

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
snwery REG_MULTI_SZ
cxkwkp REG_MULTI_SZ
ResMan REG_MULTI_SZ
uzdoax REG_MULTI_SZ
WinErp REG_MULTI_SZ
winErs REG_MULTI_SZ
xxcsdl REG_MULTI_SZ
krnlsvc REG_MULTI_SZ
Symants REG_MULTI_SZ
netsvc REG_MULTI_SZ
irorcj REG_MULTI_SZ
arxmxo REG_MULTI_SZ
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 14:15:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lqyfef]
"ServiceDll"="%SystemRoot%\System32\slztel.fsl"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
"ServiceDll"="%SystemRoot%\System32\dikqnt.fdf"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,76,8c,5c,d5,01,63,41,b9,8d,7a,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,76,8c,5c,d5,01,63,41,b9,8d,7a,\

[HKEY_USERS\S-1-5-21-2147800216-2383975547-74669015-1021\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-03-31 14:18:33
ComboFix-quarantined-files.txt 2009-03-31 19:17:44
ComboFix2.txt 2009-03-28 01:41:20

Pre-Run: 39,913,345,024 bytes free
Post-Run: 39,900,299,264 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
240 --- E O F --- 2009-01-16 19:08:27


Thanks,

~Peggy V.

#25
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
some things are just not going away

Please download OTMoveIt3 by OldTimer
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    lqyfef
    Symants
    :Reg
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lqyfef]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
    
    :Files
    C:\windows\System32\dikqnt.fdf
    C:\windows\System32\slztel.fsl
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please download Runscanner to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
  • Call the .run file Scan and save it to your desktop. You will see the .run file on your desktop. Upload that file here.

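As an added example (not code from this thread, from ComboFix or from OTMoveIt3), the script below reads ComboFix-style "Reg Loading Points" lines and flags the three patterns visible in Peggy's log that the OTMoveIt3 script above is targeting or that explain why the machine stopped warning her: IFEO "Debugger" entries set to ntsd -d, svchost-hosted services whose ServiceDll is not a .dll, and Security Center / firewall values that silence alerts. The sample input is constructed and patterned on the log above; the Dnscache line is a benign control entry.

```python
"""Triage ComboFix-style 'Reg Loading Points' output for the persistence and
defense-evasion patterns seen in this thread. Added example; not code from
the thread, from ComboFix or from OTMoveIt3."""
import re
from dataclasses import dataclass

# Constructed sample input, patterned on the ComboFix log posted above
# (lqyfef / Symants / *.fsl / *.fdf are the names from that log;
# the Dnscache entry is a benign control line).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vstskmgr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xnlscn.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lqyfef]
"ServiceDll"="%SystemRoot%\System32\slztel.fsl"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
"ServiceDll"="%SystemRoot%\System32\dikqnt.fdf"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')          # [HKEY_...\subkey]
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value


@dataclass
class Finding:
    category: str   # short machine-readable label
    key: str        # registry key the value lives under
    detail: str     # what was matched


def reg_int(value):
    """Parse the two integer notations in the log: 'dword:00000001' and '1 (0x1)'."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(-?\d+)", value)
    return int(m.group(1)) if m else None


def parse_entries(text):
    """Yield (key, name, value) for every "Name"=value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip().strip('"')


def triage(text):
    """Return a list of Finding objects for the suspicious patterns in the text."""
    findings = []
    for key, name, value in parse_entries(text):
        k, n = key.lower(), name.lower()
        leaf = key.rsplit("\\", 1)[-1].strip()   # last path component of the key
        if "image file execution options" in k and n == "debugger":
            # An IFEO Debugger value makes Windows launch the named program under
            # that debugger; 'ntsd -d' is a well-known way of keeping security
            # tools from ever running normally.
            findings.append(Finding("ifeo_debugger", key, f"{leaf} -> {value}"))
        elif n == "servicedll":
            # A svchost-hosted service must point at a DLL; random names with odd
            # extensions in System32 are the hijacked-service pattern in the log.
            ext = value.rsplit(".", 1)[-1].lower() if "." in value else ""
            if ext != "dll":
                findings.append(Finding("servicedll_not_dll", key, f"{leaf} -> {value}"))
        elif k.endswith("security center") and n.endswith("disablenotify") and reg_int(value) == 1:
            findings.append(Finding("security_center_muted", key, name))
        elif "firewallpolicy" in k and n == "enablefirewall" and reg_int(value) == 0:
            findings.append(Finding("firewall_disabled", key, name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.detail}")
```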

#26
PeggyV

    Member

  • Topic Starter
  • Member
  • 15 posts
Here's the Moveit log. (The Runscanner file is attached as "scan.run" -- Did you also need its .log file?):

Error: Unable to interpret < CODE> in the current context!
========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: :Services
Unable to kill process: lqyfef
Unable to kill process: Symants
Unable to kill process: :Reg
Unable to kill process: [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lqyfef]
Unable to kill process: [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Symants]
Unable to kill process: :Files
Unable to kill process: C:\windows\System32\dikqnt.fdf
Unable to kill process: C:\windows\System32\slztel.fsl
Unable to kill process: :Commands
Unable to kill process: [purity]
Unable to kill process: [emptytemp]
Unable to kill process: [start explorer]
Unable to kill process: [Reboot]

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 04012009_091452

Thanks,

~Peggy V.

Attached Files

  • Attached File  scan.run   124.38KB   274 downloads


#27
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You are doing the OTM3 step wrong; I have no idea how you are messing it up.

You need to paste EVERYTHING that is in the code box. Can you do it again?

#28
PeggyV

    Member

  • Topic Starter
  • Member
  • 15 posts
"you are doing the OTM3 step wrong, I have no idea how you are messing it up" -- Nope -- I got the same exact results after doing it a second time. Too bad you had to get snarky about this -- I was thinking last night about how nice and patient you'd been, and I was going to send you a big, fat donation. But you had to start insulting me as "messing it up" rather than there being something wrong with the code maybe, or something amiss in the machine environment. So... you can close this thread now, you've obviously taken me as far as your knowledge and patience can go. Thanks anyway....

#29
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Are you sure you want me to close it? I was a little impatient, but we can still finish it up if you wish.

#30
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.