
Topic: once badly infected-not sure what now


bouncier (Topic Starter, Rookie)

    once badly infected-not sure what now
    « on: July 29, 2010, 07:59:21 AM »
    Hi, I have Windows XP SP3. I have IE8 and was using MSN to connect to the internet through dial-up. I then changed to Juno.
    I believe this is when I started having problems like
    "this program cannot display the webpage" and,
    when trying to go to msinfo32, I get "not a valid win32 application."

    First malicious infection approx. 1 year ago, then 2 months ago,
    then a week ago. I immediately activated the Malicious
    Software Removal Tool from Microsoft and had Microsoft
    Security Essentials in place. I removed 136 infections.
    I have continued removing for the past week until I found you.
    I have several programs blocked through Online Armor; how can
    I know if it is OK to let them back in?

    I read the page "before removing malware" by evil fantasy,
    and here I am. I don't know if I am still infected, but when
    I try to go to certain sites as stated above, I get the "This
    program cannot display the webpage", and when I try to open
    msinfo32.

    Code:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/28/2010 at 01:14 AM

    Application Version : 4.41.1000

    Core Rules Database Version : 5278
    Trace Rules Database Version: 3090

    Scan type       : Complete Scan
    Total Scan Time : 00:35:14

    Memory items scanned      : 417
    Memory threats detected   : 0
    Registry items scanned    : 5108
    Registry threats detected : 0
    File items scanned        : 60018
    File threats detected     : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\bouncier\Cookies\bouncier@tribalfusion[2].txt
    C:\Documents and Settings\bouncier\Cookies\bouncier@liveperson[1].txt
    C:\Documents and Settings\bouncier\Cookies\bouncier@doubleclick[1].txt

    Code:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4365

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/29/2010 6:12:51 AM
    mbam-log-2010-07-29 (06-12-51).txt

    Scan type: Quick scan
    Objects scanned: 129822
    Time elapsed: 4 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Code:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:03:59 AM, on 7/29/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Emsisoft\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Emsisoft\Online Armor\oaui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Emsisoft\Online Armor\OAhlp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\SUPERAntiSpyware\4b651a78-21c2-4dec-bf0c-e953de5e0cc5.com
    C:\Program Files\Juno\exec.exe
    C:\Program Files\Juno\qsacc\x1exec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\sniper.exe\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.juno.com/search?action=minisearch&source=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.juno.com/search?action=minisearch&source=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.juno.com/search?action=minisearch&source=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;feed.untd.com;*.pogo.com;<local>
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O2 - BHO: Juno Toolbar Helper - {FE3098B1-04A3-41fd-8CA9-BEA39CB14C87} - C:\Program Files\Juno\ucreg.dll
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] E:\registry\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno\qsacc\appres.dll/227
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: *.download.com
    O15 - Trusted Zone: http://www.softpedia.com
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E8831E24-1AC2-4246-A40F-A353DC4B410C}: NameServer = 64.136.52.73 64.136.44.73
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

    --
    End of file - 7873 bytes

    These are the infections that remain quarantined and/or disinfected/removed from this last week.

    Code:
    Virus:HTML/Allaple.A
    BrowserModifier:Win32/Zwangi
    Exploit:Java/CVE-2008-5353.GG
    Exploit:Java/CVE-2009-3867.DT
    Exploit:Java/CVE-2009-3867.CJ
    Exploit:Java/CVE-2008-5353.AJ
    Exploit:Java/CVE-2008-5353.BO
    Exploit:Java/CVE-2009-3867.DP
    Exploit:Java/CVE-2009-3867.BX
    Exploit:Java/CVE-2009-3867.DN
    TrojanDownloader:Java/OpenConnection.AK
    Exploit:Win32/Pdfjsc.FU
    Trojan:Win32/Rundis.gen!A
    TrojanDownloader:Win32/Abgade.A
    TrojanDownloader:Win32/Cutwail.BC
    TrojanDownloader:Win32/Cutwail.BA
    Virus:Win32/Virut.BN
    Virus:Win32/Virut.BM
    TrojanClicker:Win32/Refpron.A
    Backdoor:Win32/Refpron.I
    Trojan:Win32/Puzlice.A
    Exploit:HTML/IframeRef.gen
    PWS:Win32/Frethog.MK
    Trojan:Win32/Comame
    TrojanDownloader:Java/OpenConnection.AK
    Worm:Win32/Allaple.A
    TrojanDropper:Win32/small.NM

    « Last Edit: August 03, 2010, 06:12:39 PM by SuperDave »

    SuperDave (Malware Removal Specialist, Moderator)
    Re: once badly infected-not sure what now
    « Reply #1 on: July 29, 2010, 06:43:02 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    ====================================

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;feed.untd.com;*.pogo.com;<local>
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the Trusted Zone. If you agree, please place a check mark in front of these two lines.

    O15 - Trusted Zone: *.download.com
    O15 - Trusted Zone: http://www.softpedia.com


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ===================================

    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    Alternate link: Forospyware.com

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.
    « Last Edit: August 03, 2010, 06:18:35 PM by SuperDave »
    Windows 8 and Windows 10 dual boot with two SSD's
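As an added example (not code from this thread, from HijackThis or from the poster), a Python triage pass over HijackThis log lines that flags the entry kinds SuperDave singles out above: an R1 ProxyServer on 127.0.0.1, its ProxyOverride bypass list, an R3 hook whose target is "(no file)", O15 Trusted Zone sites, and an O17 NameServer entry to confirm against the ISP. The sample lines are copied from the log posted in this thread; the reason strings and helper names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis entries copied from the log posted in this
# thread, including one benign O2 line that the triage should leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;<local>
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: http://www.softpedia.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8831E24-1AC2-4246-A40F-A353DC4B410C}: NameServer = 64.136.52.73 64.136.44.73
"""

# A HijackThis entry is "<section code> - <body>", e.g. "R1 - ..." or "O15 - ...".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")
# 127.x.x.x or "localhost": a proxy here means a process on the machine itself
# sits between the browser and the network, which is what the page's R1 shows.
LOOPBACK_RE = re.compile(r"\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "R1" or "O15"
    reason: str
    line: str


def parse_line(line: str):
    """Split one HijackThis entry into (section code, body); None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def registry_value(body: str) -> str:
    """Return the text after the first '=' in an R0/R1 entry ('' if none)."""
    return body.split("=", 1)[1].strip() if "=" in body else ""


def triage(log_text: str) -> list:
    """Return the entries a reviewer would want to look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        line = raw.strip()
        if code == "R1" and "ProxyServer" in body:
            value = registry_value(body)
            if LOOPBACK_RE.search(value):
                findings.append(Finding(code, "proxy points at loopback", line))
            elif value:
                findings.append(Finding(code, "proxy configured", line))
        elif code == "R1" and "ProxyOverride" in body:
            # The bypass list decides which hosts escape the proxy; read it
            # together with the ProxyServer entry.
            findings.append(Finding(code, "proxy bypass list present", line))
        elif code in ("R3", "O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(code, "orphaned hook, target file missing", line))
        elif code == "O15":
            findings.append(Finding(code, "site in Trusted Zone (lowest IE security)", line))
        elif code == "O17":
            findings.append(Finding(code, "explicit DNS servers, confirm they belong to the ISP", line))
    return findings


def format_report(findings) -> str:
    return "\n".join(f"[{f.section}] {f.reason}: {f.line}" for f in findings)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```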

      bouncier (Topic Starter, Rookie)

      Re: once badly infected-not sure what now
      « Reply #2 on: July 30, 2010, 11:39:21 PM »
      Dave--I sent PM to you cuz I could not see the Reply at the bottom of this post...Ok, went to Major Geeks to download the messenger removal.  A popup stated that the application configuration was incorrect and that reinstalling the application might solve the problem????  I tried 5 or 8 times but to no avail.  So I stand as you left me...

      SuperDave (Malware Removal Specialist, Moderator)
      Re: once badly infected-not sure what now
      « Reply #3 on: July 31, 2010, 05:18:53 PM »
      Just skip the Windows Messenger part and continue with the rest, please.
      Windows 8 and Windows 10 dual boot with two SSD's

        bouncier (Topic Starter, Rookie)

        Re: once badly infected-not sure what now
        « Reply #4 on: August 02, 2010, 12:41:10 PM »
        Ok, I am attempting to send commy log here:

        ComboFix 10-07-30.02 - bouncier 07/31/2010   2:44.1.1 - x86
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1919.1426 [GMT -6:00]
        Running from: c:\documents and settings\bouncier\desktop\commy.exe
        Command switches used :: /stepdel
        AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
        FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
        c:\windows\system32\87ghd.log
        c:\windows\system32\b55v0.log
        c:\windows\system32\dfttuyo.txt
        c:\windows\system32\Install.txt
        D:\install.exe

        .
        (((((((((((((((((((((((((   Files Created from 2010-06-28 to 2010-07-31  )))))))))))))))))))))))))))))))
        .

        2010-07-29 14:38 . 2010-07-29 14:38   --------   d-----w-   c:\program files\Novel Games
        2010-07-29 12:59 . 2010-07-29 12:59   388096   ----a-r-   c:\documents and settings\bouncier\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2010-07-29 12:59 . 2010-07-29 13:02   --------   d-----w-   c:\program files\Trend Micro
        2010-07-29 11:49 . 2010-07-29 11:49   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Malwarebytes
        2010-07-29 11:49 . 2010-04-29 21:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-07-29 11:49 . 2010-07-29 11:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-07-29 11:49 . 2010-04-29 21:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-07-29 11:49 . 2010-07-29 11:49   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-07-28 05:50 . 2010-07-28 06:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
        2010-07-28 05:50 . 2010-07-28 05:50   --------   d-----w-   c:\program files\CCleaner
        2010-07-28 04:48 . 2010-07-29 14:18   --------   d-----w-   c:\documents and settings\bouncier\Application Data\OnlineArmor
        2010-07-28 04:48 . 2010-07-28 05:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\OnlineArmor
        2010-07-28 04:48 . 2010-07-07 18:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
        2010-07-28 04:48 . 2010-07-07 18:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
        2010-07-28 04:48 . 2010-07-07 18:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
        2010-07-28 04:48 . 2010-07-28 04:48   --------   d-----w-   c:\program files\Emsisoft
        2010-07-28 00:15 . 2010-07-28 00:15   --------   d-----w-   c:\program files\WON
        2010-07-27 14:01 . 2010-07-27 14:01   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
        2010-07-27 07:45 . 2010-07-27 07:45   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\Help
        2010-07-27 02:05 . 2010-07-27 02:15   --------   d-----w-   c:\program files\Exterminate It!
        2010-07-26 20:27 . 2010-07-26 20:27   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Uniblue
        2010-07-26 18:42 . 2010-07-26 18:43   --------   dc-h--w-   c:\windows\ie8
        2010-07-26 05:19 . 2010-07-26 05:19   --------   d-----w-   c:\program files\ESET
        2010-07-25 23:34 . 2010-07-25 23:34   --------   d-----w-   c:\program files\ACW
        2010-07-25 21:08 . 2010-06-02 10:55   74072   ----a-w-   c:\windows\system32\XAPOFX1_5.dll
        2010-07-25 21:08 . 2010-06-02 10:55   527192   ----a-w-   c:\windows\system32\XAudio2_7.dll
        2010-07-25 21:08 . 2010-06-02 10:55   239960   ----a-w-   c:\windows\system32\xactengine3_7.dll
        2010-07-25 21:08 . 2010-05-26 17:41   248672   ----a-w-   c:\windows\system32\d3dx11_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   2106216   ----a-w-   c:\windows\system32\D3DCompiler_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   1868128   ----a-w-   c:\windows\system32\d3dcsx_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   470880   ----a-w-   c:\windows\system32\d3dx10_43.dll
        2010-07-25 21:08 . 2010-05-26 17:41   1998168   ----a-w-   c:\windows\system32\D3DX9_43.dll
        2010-07-25 20:20 . 2010-07-25 20:20   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\FixItCenter
        2010-07-25 20:02 . 2010-07-25 20:02   --------   d-----w-   c:\windows\MATS
        2010-07-25 20:02 . 2010-07-25 20:02   --------   d-----w-   c:\program files\Microsoft Fix it Center
        2010-07-25 07:32 . 2010-07-25 07:34   --------   d-----w-   c:\windows\system32\NtmsData
        2010-07-25 05:22 . 2010-07-25 14:24   --------   d-----w-   c:\program files\Free Window Registry Repair
        2010-07-25 02:01 . 2010-07-25 19:08   --------   d-----w-   c:\documents and settings\bouncier\Application Data\ElevatedDiagnostics
        2010-07-25 00:48 . 2010-07-25 00:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
        2010-07-24 10:21 . 2010-07-28 06:34   63488   ----a-w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-07-24 10:21 . 2010-07-24 10:21   52224   ----a-w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-07-24 10:21 . 2010-07-28 06:34   117760   ----a-w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-07-24 10:05 . 2010-07-24 10:05   --------   d-----w-   c:\documents and settings\bouncier\Application Data\SUPERAntiSpyware.com
        2010-07-24 10:05 . 2010-07-24 10:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-07-24 10:05 . 2010-07-31 06:43   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-07-24 05:00 . 2010-07-24 05:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\RegCure
        2010-07-24 05:00 . 2010-07-24 05:01   --------   d-----w-   c:\program files\RegCure
        2010-07-24 04:31 . 2010-07-24 04:31   --------   d-----w-   c:\program files\Common Files\Java
        2010-07-24 03:07 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe
        2010-07-24 02:53 . 2010-07-24 02:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Juno
        2010-07-24 02:34 . 2006-08-11 20:41   225280   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\U3Action.exe
        2010-07-24 02:34 . 2006-05-26 07:53   19456   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\skypeshutdown.exe
        2010-07-24 02:34 . 2006-08-16 22:51   19647528   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe
        2010-07-24 02:34 . 2005-09-27 20:57   24064   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\0000167A6773D0BF\0DE4F643-C398-46ec-9339-2362F2311932\Exec\hostClnUpNoOp.exe
        2010-07-24 02:32 . 2007-10-23 15:27   110592   ----a-w-   c:\documents and settings\bouncier\Application Data\U3\temp\cleanup.exe
        2010-07-24 02:27 . 2008-05-02 16:41   3493888   ---ha-w-   c:\documents and settings\bouncier\Application Data\U3\temp\Launchpad Removal.exe
        2010-07-24 02:10 . 2010-07-25 04:27   --------   d-----w-   c:\program files\Cleopatras Palace
        2010-07-24 02:09 . 2010-07-24 02:10   --------   d-----w-   c:\program files\Bonjour
        2010-07-24 02:08 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iTunes
        2010-07-24 02:08 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iPod
        2010-07-23 20:14 . 2010-07-24 02:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Juno(2)
        2010-07-23 00:23 . 2010-07-24 02:07   --------   d-----w-   c:\program files\TropicaCasino
        2010-07-22 22:44 . 2010-07-24 02:07   --------   d-----w-   c:\program files\Slots Jungle Casino
        2010-07-20 18:49 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iPod(2)
        2010-07-20 18:49 . 2010-07-24 02:08   --------   d-----w-   c:\program files\iTunes(2)
        2010-07-20 18:47 . 2010-07-24 02:08   --------   d-----w-   c:\program files\Bonjour(2)
        2010-07-20 07:14 . 2010-07-24 02:08   --------   d-----w-   c:\documents and settings\bouncier\Application Data\CasinoStates
        2010-07-20 07:14 . 2010-07-24 02:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\CasinoStates
        2010-07-19 23:38 . 2010-07-24 02:53   --------   d-----w-   c:\program files\Juno
        2010-07-19 23:38 . 2010-07-24 02:53   --------   d-----w-   C:\JunoInstaller
        2010-07-19 19:54 . 2010-07-19 20:11   109976   ----a-w-   c:\windows\hpoins08.dat
        2010-07-19 19:54 . 2006-01-24 07:11   7577   ------w-   c:\windows\hpomdl08.dat
        2010-07-19 11:39 . 2010-07-19 11:39   --------   d-----w-   c:\documents and settings\bouncier2\Local Settings\Application Data\PCHealth
        2010-07-19 10:04 . 2010-07-19 10:04   --------   d-----w-   c:\documents and settings\bouncier2\Local Settings\Application Data\Apple Computer
        2010-07-19 10:04 . 2010-07-19 10:04   20456   ----a-w-   c:\documents and settings\bouncier2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-07-19 10:03 . 2010-07-19 10:03   --------   d-----w-   c:\documents and settings\bouncier2\IETldCache
        2010-07-19 10:03 . 2010-07-24 02:09   --------   d-----w-   c:\documents and settings\bouncier2\Local Settings\Application Data\Microsoft
        2010-07-19 10:03 . 2010-07-24 02:09   --------   d-s---w-   c:\documents and settings\bouncier2
        2010-07-18 20:36 . 2010-07-24 02:10   --------   d-----w-   c:\program files\Cleopatras Palace(2)
        2010-07-18 06:11 . 2010-07-24 02:35   --------   d-----w-   c:\program files\NetZeroInstaller
        2010-07-18 06:04 . 2010-07-24 10:59   --------   d-----w-   c:\documents and settings\bouncier\Application Data\U3
        2010-07-17 21:34 . 2010-07-18 06:29   86   ---h--w-   c:\windows\popcreg.dat
        2010-07-17 21:34 . 2010-07-18 06:29   32   ----a-w-   c:\windows\popcinfot.dat
        2010-07-17 20:24 . 2010-07-17 20:24   --------   d-----w-   c:\program files\PopCap Games
        2010-07-13 17:40 . 2010-07-24 02:12   --------   d-----w-   c:\program files\RTF Convertor
        2010-07-13 14:23 . 2010-07-25 13:59   --------   d-----w-   c:\documents and settings\bouncier\Application Data\GlarySoft
        2010-07-13 14:23 . 2010-07-25 13:59   --------   d-----w-   c:\program files\Glary Registry Repair
        2010-07-13 01:25 . 2010-07-24 02:12   --------   d-----w-   c:\program files\AZ RTF to PDF Converter
        2010-07-08 22:53 . 2006-02-28 12:00   1677824   -c--a-w-   c:\windows\system32\dllcache\chsbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   1677824   ----a-w-   c:\windows\system32\chsbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   838144   -c--a-w-   c:\windows\system32\dllcache\chtbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   838144   ----a-w-   c:\windows\system32\chtbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   70656   -c--a-w-   c:\windows\system32\dllcache\korwbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   70656   ----a-w-   c:\windows\system32\korwbrkr.dll
        2010-07-08 22:53 . 2006-02-28 12:00   98304   -c--a-w-   c:\windows\system32\dllcache\msir3jp.dll
        2010-07-08 22:53 . 2006-02-28 12:00   98304   ----a-w-   c:\windows\system32\msir3jp.dll
        2010-07-08 22:51 . 2006-02-28 12:00   57398   -c--a-w-   c:\windows\system32\dllcache\imjpdadm.exe
        2010-07-08 22:51 . 2006-02-28 12:00   45109   -c--a-w-   c:\windows\system32\dllcache\imjpuex.exe
        2010-07-08 22:50 . 2006-02-28 12:00   6656   -c--a-w-   c:\windows\system32\dllcache\c_is2022.dll
        2010-07-08 22:50 . 2006-02-28 12:00   6656   ----a-w-   c:\windows\system32\c_is2022.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8704   -c--a-w-   c:\windows\system32\dllcache\kbdjpn.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8704   ----a-w-   c:\windows\system32\kbdjpn.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8192   -c--a-w-   c:\windows\system32\dllcache\kbdkor.dll
        2010-07-08 22:49 . 2001-08-18 04:36   8192   ----a-w-   c:\windows\system32\kbdkor.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   ----a-w-   c:\windows\system32\kbd101c.dll
        2010-07-08 22:49 . 2001-08-17 20:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
        2010-07-08 22:49 . 2001-08-17 20:55   5632   ----a-w-   c:\windows\system32\kbd103.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
        2010-07-08 22:49 . 2001-08-17 20:55   6144   ----a-w-   c:\windows\system32\kbd101b.dll
        2010-07-08 22:49 . 2008-04-14 00:09   6144   -c--a-w-   c:\windows\system32\dllcache\kbd106.dll
        2010-07-08 22:49 . 2008-04-14 00:09   6144   ----a-w-   c:\windows\system32\kbd106.dll
        2010-07-08 00:08 . 2010-07-25 04:27   --------   d-----w-   c:\program files\VIP Lounge
        2010-07-07 07:28 . 2010-07-27 02:49   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Apple Computer
        2010-07-07 07:28 . 2009-05-18 19:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
        2010-07-07 07:28 . 2008-04-17 18:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
        2010-07-07 07:27 . 2010-07-07 07:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
        2010-07-07 07:26 . 2010-07-18 16:52   --------   d-----w-   c:\program files\QuickTime
        2010-07-07 07:26 . 2010-07-24 02:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
        2010-07-07 07:26 . 2010-07-07 07:26   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\Apple
        2010-07-07 07:26 . 2010-07-07 07:26   --------   d-----w-   c:\program files\Apple Software Update
        2010-07-07 07:26 . 2010-07-28 05:24   --------   dc----w-   c:\windows\system32\DRVSTORE
        2010-07-07 07:25 . 2010-07-24 02:08   --------   d-----w-   c:\program files\Common Files\Apple
        2010-07-07 07:25 . 2010-07-07 07:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
        2010-07-07 07:21 . 2010-07-07 07:28   --------   d-----w-   c:\documents and settings\bouncier\Local Settings\Application Data\Apple Computer

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-07-30 13:30 . 2010-07-29 18:48   --------   d-----w-   c:\program files\Common Files\Real
        2010-07-30 13:30 . 2010-07-29 18:48   --------   d-----w-   c:\program files\Real
        2010-07-30 13:30 . 2010-07-30 13:30   --------   d-----w-   c:\documents and settings\bouncier\Application Data\7Spins
        2010-07-30 13:30 . 2010-07-30 13:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\7Spins
        2010-07-30 13:30 . 2010-07-30 13:30   --------   d-----w-   c:\program files\7Spins
        2010-07-30 13:30 . 2010-07-29 21:35   --------   d-----w-   c:\program files\Mozilla Firefox(2)
        2010-07-29 21:36 . 2010-07-29 21:36   0   ----a-w-   c:\windows\nsreg.dat
        2010-07-28 05:50 . 2010-06-22 17:34   --------   d-----w-   c:\program files\Yahoo!
        2010-07-25 22:49 . 2010-03-27 07:00   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2010-07-25 22:34 . 2010-03-27 06:58   --------   d-----w-   c:\program files\Common Files\InstallShield
        2010-07-25 13:34 . 2010-04-04 08:17   --------   d-----w-   c:\program files\Ask.com
        2010-07-25 04:27 . 2010-07-01 05:57   --------   d-----w-   c:\program files\WinPalace
        2010-07-24 04:31 . 2010-04-20 05:49   --------   d-----w-   c:\program files\Java
        2010-07-24 02:17 . 2010-04-04 00:44   --------   d-----w-   c:\documents and settings\All Users\Application Data\SpeedBit
        2010-07-19 12:14 . 2010-03-27 06:20   76487   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
        2010-07-18 23:35 . 2010-04-05 21:19   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
        2010-07-18 23:06 . 2010-04-29 09:53   --------   d-----w-   c:\program files\Vegascasino21
        2010-07-18 22:53 . 2010-03-27 20:10   --------   d-----w-   c:\program files\Atlantis
        2010-07-18 18:42 . 2010-03-27 07:22   --------   d-----w-   c:\documents and settings\bouncier\Application Data\ATI
        2010-07-18 04:45 . 2010-04-05 16:07   83   ----a-w-   c:\windows\popcinfo.dat
        2010-07-09 20:29 . 2010-03-27 07:23   20456   ----a-w-   c:\documents and settings\bouncier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-07-06 00:09 . 2010-06-06 00:02   --------   d-----w-   c:\documents and settings\bouncier\Application Data\HpUpdate
        2010-06-29 02:18 . 2010-03-27 20:21   --------   d-----w-   c:\program files\Microsoft Security Essentials
        2010-06-23 02:31 . 2010-06-22 17:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
        2010-06-22 17:34 . 2010-06-22 17:34   --------   d-----w-   c:\documents and settings\bouncier\Application Data\Yahoo!
        2010-06-22 10:36 . 2010-04-20 05:50   423656   ----a-w-   c:\windows\system32\deployJava1.dll
        2010-06-20 17:58 . 2010-06-19 02:08   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-06-19 02:08 . 2010-06-19 02:08   --------   d-----w-   c:\program files\Microsoft SQL Server
        2010-06-18 23:36 . 2010-06-18 23:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
        2010-06-18 23:36 . 2010-06-18 23:36   193824   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
        2010-06-18 23:35 . 2010-06-18 23:35   416   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
        2010-06-18 23:34 . 2010-06-18 23:32   --------   d-----w-   c:\program files\Microsoft Visual Studio 9.0
        2010-06-18 23:32 . 2010-06-18 23:32   --------   d-----w-   c:\program files\Microsoft.NET
        2010-06-18 23:32 . 2010-06-18 23:32   --------   d-----w-   c:\program files\Microsoft SDKs
        2010-06-16 02:01 . 2010-06-16 02:01   72504   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
        2010-06-14 14:31 . 2010-03-27 06:18   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
        2010-06-09 04:21 . 2010-06-09 04:21   --------   d-----w-   c:\program files\Common Files\Software Update Utility
        2010-06-09 04:16 . 2010-06-09 04:15   --------   d-----w-   c:\documents and settings\bouncier\Application Data\acccore
        2010-06-09 04:14 . 2010-06-09 04:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\AIM
        2010-06-09 04:14 . 2010-06-09 04:14   --------   d-----w-   c:\program files\AIM
        2010-06-09 04:14 . 2010-06-09 04:13   --------   d-----w-   c:\program files\Common Files\AOL
        2010-06-01 17:37 . 2010-03-28 09:00   221568   ------w-   c:\windows\system32\MpSigStub.exe
        2010-05-27 01:52 . 2010-05-27 01:52   503808   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70f5cbff-n\msvcp71.dll
        2010-05-27 01:52 . 2010-05-27 01:52   499712   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70f5cbff-n\jmc.dll
        2010-05-27 01:52 . 2010-05-27 01:52   348160   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-70f5cbff-n\msvcr71.dll
        2010-05-27 01:48 . 2010-05-27 01:48   61440   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66666ea4-n\decora-sse.dll
        2010-05-27 01:48 . 2010-05-27 01:48   12800   ----a-w-   c:\documents and settings\bouncier\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66666ea4-n\decora-d3d.dll
        2010-05-19 10:26 . 2010-05-19 10:26   32608   ----a-w-   c:\windows\king-uninstall.exe
        2010-05-18 22:35 . 2010-05-18 22:35   91424   ----a-w-   c:\windows\system32\dnssd.dll
        2010-05-18 22:35 . 2010-05-18 22:35   75040   ----a-w-   c:\windows\system32\jdns_sd.dll
        2010-05-18 22:35 . 2010-05-18 22:35   197920   ----a-w-   c:\windows\system32\dnssdX.dll
        2010-05-18 22:35 . 2010-05-18 22:35   107808   ----a-w-   c:\windows\system32\dns-sd.exe
        2010-05-06 10:41 . 2006-02-28 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
        2010-05-06 10:41 . 2006-02-28 12:00   916480   ----a-w-   c:\windows\system32\wininet(2)(2).dll
        2010-05-06 10:41 . 2006-02-28 12:00   1209344   ----a-w-   c:\windows\system32\urlmon(2)(2).dll
        2010-05-06 10:41 . 2009-03-08 10:32   1985536   ----a-w-   c:\windows\system32\iertutil(2)(2).dll
        2010-05-06 10:41 . 2009-03-08 10:39   11076096   ----a-w-   c:\windows\system32\ieframe(2)(2).dll
        2010-05-06 02:02 . 2010-04-29 09:59   77824   ----a-w-   c:\documents and settings\bouncier\Application Data\Vegascasino21\download\update.exe
        2010-05-06 02:02 . 2010-04-29 09:59   77824   ----a-w-   c:\documents and settings\All Users\Application Data\Vegascasino21\download\update.exe
        .

        ------- Sigcheck -------

        [7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
        [7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\ctfmon.exe
        [-] 2008-04-14 . 81A23C9F7FA7D6B9D927ED6E78A57878 . 15872 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
        [7] 2006-02-28 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 0]
        "Juno_uoltray"="c:\program files\Juno\exec.exe" [2009-10-05 1779712]
        "Uniblue RegistryBooster 2"="e:\registry\RegistryBooster 2\RegistryBooster.exe" [2008-05-05 1923352]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16129536]
        "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
        "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 123648]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
        "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-07 6854984]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        "RunNarrator"="Narrator.exe" [2008-04-14 53760]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "c:\\Program Files\\AIM\\aim.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=
        "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\WINDOWS\\system32\\sessmgr.exe"=
        "c:\\Documents and Settings\\bouncier\\Application Data\\U3\\0000167A6773D0BF\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=

        R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [7/27/2010 10:48 PM 236104]
        R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [7/27/2010 10:48 PM 22600]
        R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [7/27/2010 10:48 PM 28232]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
        R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [7/27/2010 10:48 PM 1283400]
        R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [7/27/2010 10:48 PM 3364680]
        S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
        S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 5:05 PM 266544]
        S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [3/26/2010 5:02 PM 9344]
        S3 SetupNTGLM7X;SetupNTGLM7X;F:\NTGLM7X.SYS [6/23/2006 3:02 AM 28160]
        .
        Contents of the 'Scheduled Tasks' folder

        2010-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

        2010-07-31 c:\windows\Tasks\ConfigExec.job
        - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 23:05]

        2010-07-31 c:\windows\Tasks\DataUpload.job
        - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 23:05]

        2010-07-30 c:\windows\Tasks\RegCure Program Check.job
        - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

        2010-07-29 c:\windows\Tasks\RegCure.job
        - c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

        2010-07-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
        - c:\program files\Ask.com\UpdateTask.exe [2009-11-19 22:50]
        .
        .
        ------- Supplementary Scan -------
        .
        uInternet Settings,ProxyOverride = searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;cf.netzero.net;qs.netzero.net;*.quicken.com;*.pogo.com;<local>
        uSearchURL,(Default) = hxxp://search.juno.com/search?action=minisearch&source=minisearch
        Trusted Zone: superslots.com
        TCP: {E8831E24-1AC2-4246-A40F-A353DC4B410C} = 64.136.52.73 64.136.44.73
        .
        - - - - ORPHANS REMOVED - - - -

        Toolbar-Locked - (no file)
        WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
        ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-07-31 02:50
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        @Denied: (A 2) (Everyone)
        @="FlashBroker"
        "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
        "Enabled"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
        @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        @Denied: (A 2) (Everyone)
        @="IFlashBroker4"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
        @="{00020424-0000-0000-C000-000000000046}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        "Version"="1.0"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(448)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        c:\windows\system32\WININET.dll
        c:\windows\system32\Ati2evxx.dll
        .
        Completion time: 2010-07-31  02:53:52
        ComboFix-quarantined-files.txt  2010-07-31 08:53

        Pre-Run: 189,944,442,880 bytes free
        Post-Run: 190,072,213,504 bytes free

        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

        - - End Of File - - 29FD7BB82A2F041D1E0C216343CA3B48

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: once badly infected-not sure what now
        « Reply #5 on: August 02, 2010, 01:30:15 PM »
        Registry cleaners (Free Window Registry Repair, RegCure, Eusing Free Registry Cleaner, Uniblue RegistryBooster and Glary Registry Repair) are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

        There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

        For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

        Further reading: XP Fixes Myth #1: Registry Cleaners
        If you agree, you should uninstall them.

        =============================

        I strongly recommend that you remove Ask from your computer because it:

        • Promotes its toolbars on sites targeted to kids.

        • Promotes its toolbars through ads that appear to be part of other companies' sites.

        • Promotes its toolbars through other companies' spyware.

        • Installs without any disclosure whatsoever and without any consent whatsoever.

        • Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

        • Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

        See Here for more info.

        If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

        AskBarDis or anything related to Ask

        Then please find and delete this folder in bold (if present):
        C:\Program Files\AskBarDis, or anything related to Ask.
        =====================================

        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          DDS::
          Trusted Zone: superslots.com

        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • I do not need to see the log from this script.
        =====================================

        * Download the following tool: RootRepeal - Rootkit Detector
        * Direct download link is here: RootRepeal.zip

        * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
        * Click this link to see a list of such programs and how to disable them.

        * Extract the program file to a new folder such as C:\RootRepeal
        * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
        * Select ALL of the checkboxes and then click OK and it will start scanning your system.
        * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
        * When done, click on Save Report
        * Save it to the same location where you ran it from, such as C:\RootRepeal
        * Save it as rootrepeal.txt
        * Then open that log and select all and copy/paste it back on your next reply please.
        * Close RootRepeal.

        Windows 8 and Windows 10 dual boot with two SSD's

        bouncier


          Re: once badly infected-not sure what now
          « Reply #6 on: August 02, 2010, 10:11:12 PM »
          Dave, I ran combofix again as suggested. It stated that the Recovery system was not installed but ... I ran this Friday evening and everything was good. Nonetheless, I went ahead and instructed it to download or update. I became frozen while internet explorer was trying to install, update or??? I managed to run a new task from the manager and get past that.

          The problem??  I am having the same message appear at the end of download as it did with messenger.  The application configuration is incorrect...???

          bouncier


            Re: once badly infected-not sure what now
            « Reply #7 on: August 03, 2010, 11:14:23 AM »

            Apparently the error mentioned above, with downloading applications, is a VB C++ problem related to mscrvt files. I have been researching that issue to see if I can resolve it. Any input you may have would be greatly appreciated. Anybody.

            SuperDave, I want to thank you again for helping me with these viral issues.  While they are not gone, my system is running much better.  Thank You!

            SuperDave

            Re: once badly infected-not sure what now
            « Reply #8 on: August 03, 2010, 01:17:49 PM »
            Just forget about the ComboFix script. We can fix that later. Please run RootRepeal and post the log.

            bouncier


              Re: once badly infected-not sure what now
              « Reply #9 on: August 03, 2010, 01:20:43 PM »
              I'm sorry, I wasn't clear with that, it is the RootRepeal program that I cannot download. Combofix is running fine.

              SuperDave

              Re: once badly infected-not sure what now
              « Reply #10 on: August 03, 2010, 05:37:03 PM »
              Ok. Please try this.

              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

              bouncier


                Re: once badly infected-not sure what now
                « Reply #11 on: August 03, 2010, 09:18:14 PM »
                Dave, sorry but the SysProt will not download either.  I cannot get anything to download.  I will update if this changes.

                bouncier


                  Re: once badly infected-not sure what now
                  « Reply #12 on: August 04, 2010, 12:29:58 PM »
                  I have managed to get a working RootRepeal and will be back with the report as soon as I finish.   ;D

                  bouncier


                    Re: once badly infected-not sure what now
                    « Reply #13 on: August 04, 2010, 12:53:25 PM »
                     ;D
                    ROOTREPEAL (c) AD, 2007-2009
                    ==================================================
                    Scan Start Time:      2010/08/04 12:45
                    Program Version:      Version 1.3.5.0
                    Windows Version:      Windows XP SP3
                    ==================================================

                    Drivers
                    -------------------
                    Name: dump_atapi.sys
                    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                    Address: 0xB0508000   Size: 98304   File Visible: No   Signed: -
                    Status: -

                    Name: dump_WMILIB.SYS
                    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                    Address: 0xBA5D4000   Size: 8192   File Visible: No   Signed: -
                    Status: -

                    Name: PCI_HAL
                    Image Path: \Driver\PCI_HAL
                    Address: 0x00000000   Size: 0   File Visible: No   Signed: -
                    Status: -

                    Name: rootrepeal.sys
                    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                    Address: 0xACBD7000   Size: 49152   File Visible: No   Signed: -
                    Status: -

                    Name: ꎨ詊
                    Image Path: ꎨ詊
                    Address: 0xBA3D0000   Size: 21120   File Visible: No   Signed: -
                    Status: Hidden from the Windows API!

                    Hidden/Locked Files
                    -------------------
                    Path: c:\documents and settings\all users\application data\juno\accelerator\sdi.lg
                    Status: Size mismatch (API: 384706, Raw: 384250)

                    Path: c:\documents and settings\all users\application data\microsoft\microsoft antimalware\support\mpwpptracing.bin
                    Status: Allocation size mismatch (API: 131072, Raw: 65536)

                    SSDT
                    -------------------
                    #: 017   Function Name: NtAllocateVirtualMemory
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069ced0

                    #: 019   Function Name: NtAssignProcessToJobObject
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d700

                    #: 031   Function Name: NtConnectPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069ada0

                    #: 037   Function Name: NtCreateFile
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06aa9c0

                    #: 046   Function Name: NtCreatePort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a8e0

                    #: 047   Function Name: NtCreateProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697620

                    #: 048   Function Name: NtCreateProcessEx
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697a30

                    #: 050   Function Name: NtCreateSection
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0696ef0

                    #: 053   Function Name: NtCreateThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0698f20

                    #: 057   Function Name: NtDebugActiveProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699b90

                    #: 068   Function Name: NtDuplicateObject
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a6f0

                    #: 097   Function Name: NtLoadDriver
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069c490

                    #: 116   Function Name: NtOpenFile
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06ab040

                    #: 122   Function Name: NtOpenProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0698a20

                    #: 125   Function Name: NtOpenSection
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0697310

                    #: 128   Function Name: NtOpenThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699420

                    #: 137   Function Name: NtProtectVirtualMemory
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d350

                    #: 145   Function Name: NtQueryDirectoryFile
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069ca70

                    #: 180   Function Name: NtQueueApcThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d8a0

                    #: 199   Function Name: NtRequestPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069b9a0

                    #: 200   Function Name: NtRequestWaitReplyPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069bf90

                    #: 204   Function Name: NtRestoreKey
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb06aa550

                    #: 206   Function Name: NtResumeThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a340

                    #: 210   Function Name: NtSecureConnectPort
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069b190

                    #: 213   Function Name: NtSetContextThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699970

                    #: 240   Function Name: NtSetSystemInformation
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699d30

                    #: 249   Function Name: NtShutdownSystem
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069c370

                    #: 253   Function Name: NtSuspendProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a520

                    #: 254   Function Name: NtSuspendThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069a130

                    #: 255   Function Name: NtSystemDebugControl
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699f40

                    #: 257   Function Name: NtTerminateProcess
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0698c80

                    #: 258   Function Name: NtTerminateThread
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb0699760

                    #: 262   Function Name: NtUnloadDriver
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069c780

                    #: 277   Function Name: NtWriteVirtualMemory
                    Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xb069d520

                    ==EOF==
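The hook listing above is the raw output of a rootkit scanner, and the question a malware-removal helper actually asks of it is not "are there hooks?" but "who set them, and is that module something the user knowingly installed?". Every hook in this log points at OADriver.sys, which I assume here is the kernel driver of the Online Armor firewall the original poster mentions; a HIPS product hooking NtCreateProcess, NtLoadDriver or NtQueryDirectoryFile is expected behaviour, whereas the same hooks from an unknown driver would be a rootkit indicator. The following Python is an added triage example written for this thread, not code from the forum or from any scanner vendor: it parses entries in the two-line layout shown above, groups them by hooking module, and flags hooks whose module is not on an allowlist. The sample log, the allowlist, the "high interest" function set and the unknown.sys driver are all constructed for illustration.

```python
"""Triage an SSDT hook listing of the kind posted above.

Added example, not part of the forum thread or any scanner's code.
Assumptions: OADriver.sys belongs to the Online Armor firewall installed
on the machine; the allowlist and the sample log below are constructed.
"""
import re
from collections import defaultdict

# One entry spans two lines, as in the log above:
#   "#: 047   Function Name: NtCreateProcess"
#   'Status: Hooked by "<driver path>" at address 0x...'
ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s*\n'
    r'\s*Status:\s*Hooked by\s*"(?P<module>[^"]+)"\s*at address\s*'
    r'(?P<addr>0x[0-9a-fA-F]+)'
)

# Constructed sample in the same layout as the posted log. The addresses and
# the third entry (unknown.sys) are made up to show what a flagged hook looks like.
SAMPLE_LOG = """\
#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xb0697620

#: 097   Function Name: NtLoadDriver
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\OADriver.sys" at address 0xb069c490

#: 145   Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\unknown.sys" at address 0xb1234560

==EOF==
"""

# Assumed allowlist: kernel drivers of security products the user knowingly
# installed. Only the file name is compared, case-insensitively.
KNOWN_HOOKING_DRIVERS = {"oadriver.sys"}

# Native calls whose hooking by an unknown module is a classic indicator of a
# rootkit hiding files/processes or blocking driver loads (assumed set).
HIGH_INTEREST = {
    "NtQueryDirectoryFile", "NtQuerySystemInformation", "NtEnumerateKey",
    "NtLoadDriver", "NtOpenProcess", "NtCreateFile",
}


def parse_hooks(text):
    """Return a list of (index, function, module_path, address) tuples."""
    return [
        (int(m.group("index")), m.group("func"), m.group("module"), m.group("addr"))
        for m in ENTRY_RE.finditer(text)
    ]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hooks_by_module(hooks):
    """Map driver file name -> list of hooked functions, in log order."""
    grouped = defaultdict(list)
    for _, func, module, _ in hooks:
        grouped[_basename(module)].append(func)
    return dict(grouped)


def suspicious_hooks(hooks, allowlist=KNOWN_HOOKING_DRIVERS):
    """Hooks set by modules outside the allowlist as (function, driver, severity)."""
    flagged = []
    for _, func, module, _ in hooks:
        driver = _basename(module)
        if driver in allowlist:
            continue
        severity = "high" if func in HIGH_INTEREST else "review"
        flagged.append((func, driver, severity))
    return flagged


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for driver, funcs in hooks_by_module(hooks).items():
        print(f"{driver}: {len(funcs)} hooks ({', '.join(funcs)})")
    for func, driver, severity in suspicious_hooks(hooks):
        print(f"[{severity}] {func} hooked by non-allowlisted driver {driver}")
```

Run on the constructed sample, the OADriver.sys entries are grouped and skipped, and the NtQueryDirectoryFile hook from unknown.sys is reported as high interest. The allowlist only answers "is this a product name I expect"; the remaining step for a helper is to confirm the file at the logged path is really that product's driver (file version and vendor, and on newer Windows its signature) before treating the hooks as benign.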

                    SuperDave

                    Re: once badly infected-not sure what now
                    « Reply #14 on: August 04, 2010, 01:14:49 PM »
                    Quote
                    I cannot get anything to download.
                    What happens when you try to download programs? Do you get any error messages?

                    I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
