
Search engine redirect virus [Solved]


  • This topic is locked

#1 san141

  • Member
  • 15 posts
Hi all,

Whenever I click on a URL from a Google search I end up being redirected to some other random site, usually shopping or an error message or a page with "this website has been moved to...," etc. There are probably a number of different types of these viruses, so I'm not quite sure how to identify the kind I have, how to go about removing it, and with what tools/programs. Also:

-Windows is updated
-Full scan with Windows Defender
-Full system scan with McAfee
-Full scan with Ad-Aware
-Full scan with Malwarebytes Anti-Malware
-Ran CCleaner

Below are my Malwarebytes, Rooter, and OTListIt logs:

*Malwarebytes Log*
------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

4/26/2009 6:39:33 PM
mbam-log-2009-04-26 (18-39-33).txt

Scan type: Quick Scan
Objects scanned: 91008
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*Rooter*
----------

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:182983 Mo/Free:463 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Fixed] - FAT32 - (Total:7781 Mo/Free:2242 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)
L:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
M:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Sun 04/26/2009|18:41

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\SYSTEM32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Windows Defender\MsMpEng.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\CTSvcCDA.EXE
---------- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
---------- C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
---------- c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
---------- C:\Program Files\McAfee\MSK\MskSrver.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Canon\CAL\CALMAIN.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- c:\PROGRA~1\mcafee.com\agent\mcagent.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\AGRSMMSG.exe
---------- C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
---------- C:\WINDOWS\system32\rundll32.exe
---------- C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
---------- C:\WINDOWS\RTHDCPL.EXE
---------- C:\WINDOWS\system32\CTHELPER.EXE
---------- C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
---------- C:\Program Files\Windows Defender\MSASCui.exe
---------- C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\Program Files\Messenger\msmsgs.exe
---------- C:\Program Files\WallpaperToy\Wallpapertoy.Exe
---------- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\McAfee\MPF\MPFSrv.exe
---------- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
---------- C:\Program Files\Windows Live\Contacts\wlcomm.exe
---------- C:\Program Files\Winamp\winamp.exe
---------- C:\WINDOWS\System32\igfxsrvc.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\Ian\Local Settings\Temporary Internet Files\Content.IE5\T7BNLD0A\asphaltcrackvehiclepile-507248-lw[1].jpg
C:\DOCUME~1\Ian\Local Settings\Temporary Internet Files\Content.IE5\WPC9IBW5\asphaltcrackvehiclepile-507248-lw[1].jpg


1 - "C:\Rooter$\Rooter_1.txt" - Sun 04/26/2009|18:43

----------------------\\ Scan completed at 18:43



*OTListIt2*
------------


OTListIt logfile created on: 4/26/2009 6:47:25 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Ian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.23 Gb Available Physical Memory | 61.44% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 3070 4095;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.69 Gb Total Space | 36.50 Gb Free Space | 20.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 7.60 Gb Total Space | 2.19 Gb Free Space | 28.83% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: MIKE
Current User Name: Ian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\CTSvcCDA.EXE (Creative Technology Ltd)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\system32\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\WallpaperToy\Wallpapertoy.Exe (Microsoft Corp.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Winamp\winamp.exe (Nullsoft)
PRC - C:\WINDOWS\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\Ian\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (CCALib8 [Auto | Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINDOWS\system32\CTSvcCDA.EXE (Creative Technology Ltd)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Stopped]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (MBackMonitor [On_Demand | Stopped]) -- C:\Program Files\McAfee\MBK\MBackMonitor.exe (McAfee)
SRV - (McAfee SiteAdvisor Service [Auto | Running]) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe ()
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MpfService [On_Demand | Running]) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (MSK80Service [Auto | Running]) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
SRV - (NBService [On_Demand | Stopped]) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (NMIndexingService [On_Demand | Stopped]) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (QBCFMonitorService [Disabled | Stopped]) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (QBFCService [On_Demand | Stopped]) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (RoxLiveShare9 [Auto | Stopped]) -- File not found
SRV - (WinDefend [Auto | Running]) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AgereSoftModem [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (aslm75 [System | Running]) -- C:\WINDOWS\system32\drivers\aslm75.sys ()
DRV - (ctac32k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctdvda2k [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (e1express [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e1e5132.sys (Intel Corporation)
DRV - (ElbyCDIO [System | Running]) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys (Elaborate Bytes AG)
DRV - (emupia [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\hap16v2k.sys (Creative Technology Ltd)
DRV - (HdAudAddService [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\HdAudio.sys (Windows ® Server 2003 DDK provider)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (iteatapi [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (MPFP [System | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (MTsensor [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ASACPI.sys ()
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (oreans32 [System | Running]) -- C:\WINDOWS\system32\drivers\oreans32.sys ()
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PfDetNT [Auto | Running]) -- C:\WINDOWS\System32\drivers\PfModNT.sys (Creative Technology Ltd.)
DRV - (PID_0920 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\LV532AV.SYS (Logitech Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RimVSerPort [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RimSerial.sys (Research in Motion Ltd)
DRV - (ROOTMODEM [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\RootMdm.sys (Microsoft Corporation)
DRV - (SbcpHid [Auto | Running]) -- C:\WINDOWS\system32\Drivers\SbcpHid.sys ()
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (StillCam [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\serscan.sys (Microsoft Corporation)
DRV - (symlcbrd [Auto | Running]) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (VClone [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\VClone.sys (Elaborate Bytes AG)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?wl=true
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn...autosearch.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\PROGRAM FILES\MCAFEE\SITEADVISOR [2009/03/30 18:45:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/22 21:31:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/22 21:31:23 | 00,000,000 | ---D | M]

[2008/09/05 08:53:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Extensions
[2008/09/05 08:53:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2005/10/09 00:27:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\1ejsuzs4.default\extensions
[2005/10/09 00:27:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\1ejsuzs4.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/25 22:28:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\ij048ut4.Mike\extensions
[2008/12/30 12:02:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\ij048ut4.Mike\extensions\{0200c2a9-70da-4f6d-b527-f5f7d7877228}
[2008/12/30 16:46:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\ij048ut4.Mike\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2008/03/03 22:54:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ian\Application Data\mozilla\Firefox\Profiles\ij048ut4.Mike\extensions\moveplayer@movenetworks.com
[2009/04/25 22:28:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/22 21:31:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/08/12 22:59:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2009/04/02 20:30:14 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{D96AD17F-A5D2-452A-8576-6CA5BDB1309C}
[2009/04/22 21:31:17 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/22 21:31:17 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/07 11:28:40 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/03/07 11:28:40 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/03/07 11:28:40 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/03/07 11:28:40 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/03/07 11:28:40 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/03/07 11:28:40 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/03/07 11:28:40 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (811 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (Microsoft Corporation)
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r (Creative Technology Ltd)
O4 - HKLM..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe (SAMSUNG ELECTRONICS)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s (Elaborate Bytes AG)
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)
O4 - HKCU..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h File not found
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1 (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Canada)
O4 - Startup: C:\Documents and Settings\Ian\Start Menu\Programs\Startup\Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe (Microsoft Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Bluetooth Namespace] - C:\WINDOWS\system32\wshbth.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zon...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1155758786875 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\vipukeyu.dll) - C:\WINDOWS\system32\vipukeyu.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\SYSTEM32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/Ian/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {88485281-8b4b-4f8d-9ede-82e29a064277} - C:\Program Files\MarkAny\ContentSafer\MACSMANAGER.dll (MarkAny Cooperation.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - H:\AUTOEXEC.BAT () - [ FAT32 ]
O32 - Autorun File - H:\Autorun.inf () - [ FAT32 ]
O33 - MountPoints2\{4bc357ca-382f-11da-8981-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{4bc357ca-382f-11da-8981-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[11 C:\WINDOWS\*.tmp files]
[2009/04/26 18:41:16 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/26 18:34:52 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\Ian\Desktop\OTListIt2.exe
[2009/04/26 18:34:39 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\Rooter.exe
[2009/04/26 18:19:06 | 00,001,734 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\HijackThis.lnk
[2009/04/26 18:02:36 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\DOCUME~1\Ian\Desktop\HJTInstall.exe
[2009/04/26 16:52:57 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\Desktop\Bat for lashes - Fur and gold
[2009/04/26 00:23:33 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\Desktop\Adele - 19
[2009/04/26 00:22:43 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\Desktop\Robert Plant & Alison Krauss - Raising Sand
[2009/04/26 00:07:21 | 00,046,592 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\Stereotyping and Success.doc
[2009/04/26 00:05:49 | 00,043,520 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\The Secrets of Storytelling.doc
[2009/04/25 23:28:00 | 00,210,322 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\Unconscious Thought and Creativity.pdf
[2009/04/24 23:59:03 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\Desktop\Fever Ray - Fever Ray
[2009/04/24 23:58:15 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\Desktop\Bat For Lashes - Two Suns
[2009/04/24 23:57:33 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\Desktop\Dan Deacon - Bromst
[2009/04/24 23:57:29 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\My Documents\Recent Downloads
[2009/04/24 19:48:51 | 00,001,172 | ---- | C] () -- C:\DOCUME~1\Ian\My Documents\sandermd@hotmail.com Sharing Folders Archive.lnk
[2009/04/24 16:25:59 | 00,001,839 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\Windows Live Messenger .lnk
[2009/04/24 16:10:41 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2009/04/24 16:10:28 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009/04/24 16:07:49 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/04/24 16:07:34 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/04/24 15:57:06 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/04/23 21:34:38 | 04,637,291 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\CasaBatllo_0170.JPG
[2009/04/16 20:55:57 | 00,045,568 | ---- | C] () -- C:\DOCUME~1\Ian\My Documents\wordsforprint.xls
[2009/04/16 10:16:50 | 00,019,968 | ---- | C] () -- C:\DOCUME~1\Ian\My Documents\Canadian Schools.doc
[2009/04/16 10:16:32 | 00,019,968 | ---- | C] () -- C:\DOCUME~1\Ian\My Documents\Australian Schools.doc
[2009/04/13 15:32:43 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Ian\My Documents\Pimsleur Spanish I, II, III, & Plus (Complete Course)
[2009/04/13 11:32:21 | 00,001,548 | ---- | C] () -- C:\DOCUME~1\Ian\Desktop\CCleaner.lnk
[2009/04/13 11:32:20 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/04/10 13:28:45 | 00,000,732 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\EOS Utility.lnk
[2009/04/10 13:27:39 | 00,000,923 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\ZoomBrowser EX.lnk
[2009/04/10 13:27:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2009/04/10 13:22:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Canon
[2009/04/04 17:00:12 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/04 16:59:03 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/04 14:05:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ian\Application Data\Malwarebytes
[2009/04/04 14:05:42 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/04 14:05:42 | 00,000,696 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/04 14:05:39 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/04 14:05:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/04 14:05:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/04 12:17:59 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/04 12:17:45 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/04 12:14:38 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/04 12:14:37 | 00,000,867 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Ad-Aware.lnk
[2009/04/04 12:14:26 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/04/04 12:14:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/04/03 00:19:49 | 24,768,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/29 22:47:09 | 06,342,783 | ---- | C] () -- C:\DOCUME~1\Ian\My Documents\Sam Roberts - Brother Down.mp3
[2009/03/29 18:37:40 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/03/29 18:36:54 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll
[2009/03/29 18:31:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/03/29 18:12:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2009/03/29 18:12:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/03/29 18:12:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/03/29 18:12:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/03/29 18:07:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2009/03/29 17:56:06 | 00,121,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xmllite.dll
[2009/03/29 17:56:03 | 00,276,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmphoto.dll
[2009/03/29 17:56:01 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wlanapi.dll
[2009/03/29 17:56:00 | 00,347,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\windowscodecsext.dll
[2009/03/29 17:55:59 | 00,712,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\windowscodecs.dll
[2009/03/29 17:55:50 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsgqec.dll
[2009/03/29 17:55:50 | 00,050,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tspkg.dll
[2009/03/29 17:55:37 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\setupn.exe
[2009/03/29 17:55:37 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sffp_mmc.sys
[2009/03/29 17:55:33 | 00,290,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rhttpaa.dll
[2009/03/29 17:55:31 | 00,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qutil.dll
[2009/03/29 17:55:31 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rasqec.dll
[2009/03/29 17:55:29 | 00,291,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qagentrt.dll
[2009/03/29 17:55:29 | 00,150,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qagent.dll
[2009/03/29 17:55:29 | 00,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qcliprov.dll
[2009/03/29 17:55:27 | 00,412,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\photometadatahandler.dll
[2009/03/29 17:55:25 | 00,144,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\onex.dll
[2009/03/29 17:55:16 | 00,193,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napmontr.dll
[2009/03/29 17:55:16 | 00,176,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napstat.exe
[2009/03/29 17:55:16 | 00,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napipsec.dll
[2009/03/29 17:55:14 | 01,307,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml6.dll
[2009/03/29 17:55:14 | 01,307,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2009/03/29 17:55:14 | 00,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml6r.dll
[2009/03/29 17:55:14 | 00,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2009/03/29 17:55:12 | 00,155,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mssha.dll
[2009/03/29 17:55:12 | 00,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msshavmsg.dll
[2009/03/29 17:54:58 | 00,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcex.dll
[2009/03/29 17:54:58 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\microsoft.managementconsole.dll
[2009/03/29 17:54:58 | 00,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcfxcommon.dll
[2009/03/29 17:54:58 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcperf.exe
[2009/03/29 17:54:45 | 00,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\l2gpstore.dll
[2009/03/29 17:54:44 | 00,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kmsvc.dll
[2009/03/29 17:54:44 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpash.dll
[2009/03/29 17:54:44 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnepr.dll
[2009/03/29 17:54:43 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdiultn.dll
[2009/03/29 17:54:43 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbhc.dll
[2009/03/29 17:54:42 | 00,380,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irprops.cpl
[2009/03/29 17:54:41 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dpcdll.dll
[2009/03/29 17:54:41 | 00,024,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pidgen.dll
[2009/03/29 17:54:33 | 00,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpapi.dll
[2009/03/29 17:54:33 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwnh.dll
[2009/03/29 17:54:33 | 00,000,974 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[2009/03/29 17:54:17 | 00,184,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapp3hst.dll
[2009/03/29 17:54:17 | 00,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapphost.dll
[2009/03/29 17:54:17 | 00,126,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappcfg.dll
[2009/03/29 17:54:17 | 00,094,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappgnui.dll
[2009/03/29 17:54:17 | 00,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapqec.dll
[2009/03/29 17:54:17 | 00,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappprxy.dll
[2009/03/29 17:54:17 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapsvc.dll
[2009/03/29 17:54:17 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapolqec.dll
[2009/03/29 17:54:14 | 00,650,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3ui.dll
[2009/03/29 17:54:14 | 00,132,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3svc.dll
[2009/03/29 17:54:14 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3cfg.dll
[2009/03/29 17:54:14 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3msm.dll
[2009/03/29 17:54:14 | 00,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3gpclnt.dll
[2009/03/29 17:54:14 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3api.dll
[2009/03/29 17:54:14 | 00,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3dlg.dll
[2009/03/29 17:54:12 | 00,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsroam.dll
[2009/03/29 17:54:12 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsntfy.dll
[2009/03/29 17:54:11 | 00,048,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dhcpqec.dll
[2009/03/29 17:54:09 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\credssp.dll
[2009/03/29 17:54:02 | 00,233,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\azroles.dll
[2009/03/29 17:53:52 | 00,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aaclient.dll
[2009/03/29 17:50:49 | 04,915,254 | -H-- | C] () -- C:\WINDOWS\System32\toyhide.bmp
[2009/03/29 17:45:28 | 00,000,682 | ---- | C] () -- C:\Documents and Settings\Ian\Start Menu\Programs\Startup\Wallpaper Changer.lnk
[2009/03/29 17:45:27 | 00,187,072 | ---- | C] (Microsoft, Corp.) -- C:\WINDOWS\walltoyUninst.exe
[2009/03/29 17:45:27 | 00,000,000 | ---D | C] -- C:\Program Files\WallpaperToy
[2009/01/04 23:17:32 | 00,033,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\oreans32.sys
[2008/10/19 21:30:07 | 00,000,034 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/12 21:53:16 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/05/12 21:50:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/05/12 21:50:16 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/05/12 21:50:08 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\divx_xx0a.dll
[2008/05/12 21:49:02 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/10/08 22:43:24 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\ahook.dll
[2007/09/14 02:35:31 | 00,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2007/09/01 23:30:35 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/06/09 18:00:54 | 00,015,387 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/05/16 22:12:48 | 00,299,008 | ---- | C] () -- C:\WINDOWS\System32\LAME_MP3.dll
[2006/09/20 22:21:24 | 00,053,312 | ---- | C] () -- C:\WINDOWS\System32\upddrv9x.dll
[2006/09/04 13:17:38 | 00,000,026 | ---- | C] () -- C:\WINDOWS\dvdSanta.INI
[2006/09/04 00:10:39 | 00,003,082 | ---- | C] () -- C:\WINDOWS\System32\affv208325p1now.sys
[2006/08/17 20:09:02 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS66.DLL
[2006/08/16 15:32:02 | 00,000,058 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/16 15:27:39 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2006/08/16 15:24:51 | 00,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2006/07/30 13:21:01 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2006/07/07 15:30:22 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2006/06/20 17:25:51 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/20 17:25:51 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/20 17:25:48 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/20 17:25:45 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/20 17:25:43 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/20 17:25:42 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/04/01 23:35:53 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2006/03/01 02:43:27 | 00,000,019 | ---- | C] () -- C:\WINDOWS\SoundConverter.INI
[2005/11/14 00:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/10/19 20:42:45 | 00,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/10/18 00:43:16 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/10/14 05:56:50 | 00,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2005/10/14 05:56:50 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2005/10/14 05:56:50 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2005/10/14 05:56:50 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2005/10/14 05:56:50 | 00,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2005/10/14 05:56:50 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\Ogg.dll
[2005/10/14 05:56:48 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\MMSwitch.dll
[2004/12/20 11:08:28 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 11:03:26 | 00,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2003/12/22 02:41:42 | 00,015,866 | ---- | C] () -- C:\WINDOWS\System32\aud2_gw.ini
[2003/11/26 01:11:08 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2003/11/13 05:54:38 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2003/03/21 05:56:12 | 00,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2003/01/07 18:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/17 18:18:30 | 00,124,928 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[2002/05/02 16:23:07 | 00,038,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/12/31 23:42:17 | 00,018,742 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2001/12/31 23:42:17 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2001/12/31 23:42:08 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2001/08/23 08:00:00 | 00,000,840 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[11 C:\WINDOWS\*.tmp files]
[2009/04/26 18:35:10 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\Ian\Desktop\OTListIt2.exe
[2009/04/26 18:34:40 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\Rooter.exe
[2009/04/26 18:19:06 | 00,001,734 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\HijackThis.lnk
[2009/04/26 18:02:44 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\DOCUME~1\Ian\Desktop\HJTInstall.exe
[2009/04/26 17:39:20 | 04,915,254 | -H-- | M] () -- C:\WINDOWS\System32\toyhide.bmp
[2009/04/26 16:18:59 | 00,032,164 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-0000000A-00001102-00000004-20041102}.rfx
[2009/04/26 16:18:59 | 00,032,164 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-0000000A-00001102-00000004-20041102}.rfx
[2009/04/26 16:18:59 | 00,030,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-0000000A-00001102-00000004-20041102}.rfx
[2009/04/26 16:18:59 | 00,030,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-0000000A-00001102-00000004-20041102}.rfx
[2009/04/26 16:18:59 | 00,002,064 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/04/26 16:18:59 | 00,002,064 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/04/26 16:18:59 | 00,000,384 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-0000000A-00001102-00000004-20041102}.dat
[2009/04/26 16:18:59 | 00,000,384 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-0000000A-00001102-00000004-20041102}.dat
[2009/04/26 16:18:57 | 04,935,309 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20041102}.CDF
[2009/04/26 16:15:17 | 00,002,497 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\WORD.lnk
[2009/04/26 08:35:14 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/04/26 08:35:13 | 00,018,457 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/04/26 08:34:21 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/04/26 08:34:04 | 00,196,884 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/04/26 08:33:51 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/26 08:32:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/26 08:32:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/26 00:07:21 | 00,046,592 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\Stereotyping and Success.doc
[2009/04/26 00:05:49 | 00,043,520 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\The Secrets of Storytelling.doc
[2009/04/25 23:28:02 | 00,210,322 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\Unconscious Thought and Creativity.pdf
[2009/04/25 12:18:53 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/25 12:18:16 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/25 10:19:45 | 00,001,172 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\sandermd@hotmail.com Sharing Folders Archive.lnk
[2009/04/25 08:54:14 | 00,248,696 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/25 00:03:12 | 00,002,137 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/04/24 16:25:59 | 00,001,839 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\Windows Live Messenger .lnk
[2009/04/24 16:24:47 | 00,065,032 | ---- | M] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/04/24 16:08:41 | 00,000,891 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\My Sharing Folders.lnk
[2009/04/24 12:58:01 | 00,073,216 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\Movies.doc
[2009/04/23 21:34:42 | 04,637,291 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\CasaBatllo_0170.JPG
[2009/04/22 14:02:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/20 20:50:59 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/20 20:50:47 | 00,192,512 | ---- | M] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/16 20:55:57 | 00,045,568 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\wordsforprint.xls
[2009/04/16 20:47:43 | 00,062,976 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\words.xls
[2009/04/16 10:17:14 | 00,019,968 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\Australian Schools.doc
[2009/04/16 10:17:00 | 00,019,968 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\Canadian Schools.doc
[2009/04/15 01:31:21 | 00,000,336 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/04/13 11:32:22 | 00,001,548 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\CCleaner.lnk
[2009/04/11 11:18:39 | 00,008,192 | -HS- | M] () -- C:\WINDOWS\Thumbs.db
[2009/04/10 19:04:02 | 00,482,967 | ---- | M] () -- C:\DOCUME~1\Ian\My Documents\ISO1_DVD.nri
[2009/04/10 14:29:47 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/04/10 14:29:47 | 00,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/04/10 14:00:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/04/10 14:00:44 | 00,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/04/10 13:28:45 | 00,000,732 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\EOS Utility.lnk
[2009/04/10 13:27:39 | 00,000,923 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\ZoomBrowser EX.lnk
[2009/04/08 16:46:35 | 00,477,966 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/08 16:46:35 | 00,408,792 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/08 16:46:35 | 00,064,314 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/04 14:05:42 | 00,000,696 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/04 12:14:37 | 00,000,867 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Ad-Aware.lnk
[2009/04/02 23:47:55 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\bileyawu
[2009/04/02 23:41:25 | 04,289,850 | -H-- | M] () -- C:\Documents and Settings\Ian\Local Settings\Application Data\IconCache.db
[2009/04/01 01:00:47 | 00,000,328 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/04/01 01:00:45 | 00,001,503 | ---- | M] () -- C:\DOCUME~1\Ian\Desktop\Paint.lnk
[2009/03/31 17:03:33 | 00,000,034 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2009/03/31 10:20:20 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/29 23:01:52 | 00,000,840 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/29 18:34:47 | 00,000,074 | -HS- | M] () -- C:\DOCUME~1\Ian\My Documents\desktop.ini
[2009/03/29 18:23:10 | 02,096,751 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2009/03/29 18:07:24 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/03/29 17:45:28 | 00,000,682 | ---- | M] () -- C:\Documents and Settings\Ian\Start Menu\Programs\Startup\Wallpaper Changer.lnk
[2009/03/29 17:44:52 | 00,187,072 | ---- | M] (Microsoft, Corp.) -- C:\WINDOWS\walltoyUninst.exe
[2009/03/27 19:37:01 | 00,002,303 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\IKEA Home Planner.lnk
< End of report >

Extras

OTListIt Extras logfile created on: 4/26/2009 6:47:25 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Ian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.23 Gb Available Physical Memory | 61.44% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 3070 4095;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.69 Gb Total Space | 36.50 Gb Free Space | 20.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 7.60 Gb Total Space | 2.19 Gb Free Space | 28.83% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: MIKE
Current User Name: Ian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call (Microsoft Corporation)
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent File not found
C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer File not found
C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire (Lime Wire, LLC)
C:\Program Files\InterVideo\DVD6\WinDVD.exe:*:Enabled:WinDVD File not found
C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger (Microsoft Corporation)
C:\Program Files\Sierra\FEAR\fpupdate.exe:*:Enabled:fpupdate File not found
C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus (Azureus Inc)
C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player (Musiccity Co.Ltd.)
C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing (Microsoft Corporation)
C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® (Microsoft Corporation)
C:\Documents and Settings\Ian\Local Settings\Temp\WZSE2.TMP\SymNRT.exe:*:Enabled:Symantec Removal Utility File not found
C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager (iAnywhere Solutions, Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent (McAfee, Inc.)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\WINDOWS\explorer.exe:*:Enabled:Explorer (Microsoft Corporation)
C:\WINDOWS\system32\CTHELPER.EXE:*:Enabled:CTHELPER (Creative Technology Ltd)
C:\Program Files\Windows Defender\MSASCui.exe:*:Enabled:MSASCui (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call (Microsoft Corporation)
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160" = Canon MP160
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22FB6750-ADDF-4726-B67F-6901E1991033}" = Nero 7 Ultra Edition
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{625386A4-B6B6-4911-A6E8-23189C3F2D15}" = Microsoft .NET Compact Framework 2.0
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6C531060-84FB-4F96-8F33-29DF020632EB}" = Microsoft .NET Compact Framework 1.0 SP3 Developer
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{78B75C6D-E53C-424C-BF83-4B63BD4A6682}" = Microsoft Device Emulator version 1.0 - ENU
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2008
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.7
"{AF0A387A-5727-4820-B80B-7596E3D15E66}" = Sound Blaster Audigy 2 ZS
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{C20CE592-B0F8-4D20-BF31-0151CA6331A6}" = Samsung Media Studio
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E7310F2E-C551-4FAB-BA07-EAC2E158B1BB}" = IKEA Home Planner
"{EBCCE08A-B3EE-40E7-96D7-31741D481015}" = No One Lives Forever 2
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0.8 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"ASUS Probe V2.25.02" = ASUS Probe V2.25.02
"Azureus" = Azureus
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner (remove only)
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"Creative Driver" = Creative Driver
"CSCLIB" = Canon Camera Support Core Library
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"EOS Utility" = Canon Utilities EOS Utility
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.0
"HijackThis" = HijackThis 2.0.2
"Lame MP3 Codec (for the ACM)" = Lame ACM MP3 Codec
"LimeWire" = LimeWire 4.18.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.9)" = Mozilla Firefox (3.0.9)
"MP Navigator 3.0" = Canon MP Navigator 3.0
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Connections Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"TubeSock" = TubeSock 1.0.8.0
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VideoLAN VLC media player 0.8.6f
"WallpaperToy" = Wallpaper Changer for Windows XP
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD_is1" = XviD MPEG-4 Video Codec
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/18/2009 1:37:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/19/2009 1:37:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/20/2009 1:37:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/21/2009 1:37:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/21/2009 7:39:39 PM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/22/2009 1:45:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/23/2009 1:45:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/24/2009 1:45:00 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/24/2009 3:59:50 PM | Computer Name = MIKE | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Mail -- The installer has encountered an unexpected
error installing this package. This may indicate a problem with this package. The
error code is 2762. The arguments are: , ,

Error - 4/25/2009 1:45:01 AM | Computer Name = MIKE | Source = MPSampleSubmission | ID = 5000
Description =

[ System Events ]
Error - 4/24/2009 1:45:00 AM | Computer Name = MIKE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/24/2009 1:45:00 AM | Computer Name = MIKE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/24/2009 3:59:43 PM | Computer Name = MIKE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/25/2009 12:13:21 AM | Computer Name = MIKE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 4/25/2009 1:45:00 AM | Computer Name = MIKE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/25/2009 1:45:00 AM | Computer Name = MIKE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/25/2009 2:54:05 AM | Computer Name = MIKE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 4/25/2009 8:56:02 AM | Computer Name = MIKE | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 4/26/2009 12:03:48 AM | Computer Name = MIKE | Source = Print | ID = 6161
Description = The document Microsoft Word - Document1 owned by Ian failed to print
on printer Canon MP160 Printer. Data type: NT EMF 1.008. Size of the spool file
in bytes: 173688. Number of bytes printed: 83056. Total number of pages in the
document: 4. Number of pages printed: 0. Client machine: \\MIKE. Win32 error code
returned by the print processor: 13 (0xd).

Error - 4/26/2009 1:44:35 AM | Computer Name = MIKE | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}


< End of report >


Thanks!!!

Edited by san141, 26 April 2009 - 06:34 PM.

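As an added example for the OTListIt sections of the log above (not code from the original thread or from the OTListIt tool), here is a small Python audit of a "Security Center Settings" / "Authorized Applications List" dump in this format. It flags what a helper scans for by eye: Security Center monitoring switched off for a product, the Windows Firewall disabled for a profile, globally open ports scoped to any remote address, and enabled exceptions for binaries that are no longer present or that live under a Temp directory. The sample text is constructed to mirror the shape of the lines in the post; the value meanings follow the Windows XP SP2/SP3 firewall registry layout.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample shaped like the OTListIt sections in the first post.
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent File not found
C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire (Lime Wire, LLC)
C:\Documents and Settings\User\Local Settings\Temp\WZSE2.TMP\SymNRT.exe:*:Enabled:Symantec Removal Utility File not found
C:\WINDOWS\explorer.exe:*:Enabled:Explorer (Microsoft Corporation)
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[?(HKEY_[^\]]+)\]?$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
# path:scope:state:description -- the path itself contains "C:", so anchor on the scope token.
APP_RE = re.compile(r"^(.+?):(\*|LocalSubNet):(Enabled|Disabled):(.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def audit_otl_log(text: str) -> list[Finding]:
    """Walk the dump line by line, tracking the current section and registry key."""
    findings: list[Finding] = []
    section = key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if section == "Security Center Settings":
            if not (m := VALUE_RE.match(line)):
                continue
            name, value = m.groups()
            leaf = key.rsplit("\\", 1)[-1]  # monitored product or firewall profile name
            if name == "DisableMonitoring" and value == "1":
                findings.append(Finding("info", f"Security Center monitoring disabled for {leaf}; confirm the product is really active"))
            elif name in ("AntiVirusOverride", "FirewallOverride") and value == "1":
                findings.append(Finding("high", f"{name}=1 suppresses Security Center alerts"))
            elif name == "EnableFirewall" and value == "0":
                findings.append(Finding("medium", f"Windows Firewall is off for {leaf}; acceptable only if a third-party firewall is active"))
            elif key.endswith("GloballyOpenPorts\\List"):
                parts = value.split(":", 4)  # port:proto:scope:state:description
                if len(parts) == 5 and parts[2] == "*" and parts[3] == "Enabled":
                    findings.append(Finding("medium", f"port {parts[0]}/{parts[1]} is open to any remote address ({parts[4]})"))
        elif section == "Authorized Applications List":
            if not (m := APP_RE.match(line)):
                continue
            path, scope, state, desc = m.groups()
            if state != "Enabled":
                continue
            if desc.endswith("File not found"):
                findings.append(Finding("medium", f"stale exception for missing binary {path}; whatever is placed there later inherits it"))
            if "\\temp\\" in path.lower():
                findings.append(Finding("high", f"exception for an executable under a Temp directory: {path}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a one-line triage summary."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in audit_otl_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}")
```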



#2 CatByte (GeekU Teacher, GeekU Moderator, 2,485 posts, MVP)
Hi,

Please do the following:



Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.


NEXT

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



Please make sure you include the GooredFix log as well as the ComboFix log in your next reply, and describe how your computer is running now.


#3 san141 (Member, 15 posts)
Ok, I ran the GooredFix and all went well. I pasted the log down below for now. When I tried to run ComboFix I got a download error each time, on each of the three links.

The first error was something about not being able to change the contents of the desktop and the next time I got this -->

"C:\Documents and Settings\Ian\Desktop\ComboFix.exe could not be saved, because an unknown error occurred.

Try saving to a different location."

Then when I tried to go back and click on any of the links to download again I got a "file not found" in Firefox. Are there any settings I should change first before I try to download? I read another post about a similar problem and it seems that I might have needed to rename combofix.exe before saving but I'll need another link.

*GooredFix Log*
------------------
GooredFix v1.92 by jpshortstuff
Log created at 22:18 on 26/04/2009 running Option #1 (Ian)
Firefox version 3.0.9 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{D96AD17F-A5D2-452A-8576-6CA5BDB1309C}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

Edited by san141, 26 April 2009 - 08:44 PM.


#4 CatByte (GeekU Teacher, GeekU Moderator, 2,485 posts, MVP)
Ok, let me fix that Goored entry first and reset your hosts file, then I will give you another version of ComboFix to download.

Please do this:

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


NEXT


Please download HostsXpert
* Unzip HostsXpert to its own folder in a convenient place such as C:\HostsXpert
* Run HostsXpert.exe
* Click: Make Writable? in the upper left corner.
* Click: Restore MVPs Hosts
* Click: Replace
* Click: OK
* Click: Make ReadOnly
* Close HostsXpert.

If needed Tutorial


NEXT


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.


Then


Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Edited by CatByte, 26 April 2009 - 08:59 PM.


#5 san141 (Member, 15 posts)
Here's the Goored Log you asked me to post:

GooredFix v1.92 by jpshortstuff
Log created at 22:58 on 26/04/2009 running Option #2 (Ian)
Firefox version 3.0.9 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

------------------

I ran HostsExpert and noticed that the make writable option was already enabled. Then instead of a tab labeled "Restore MVPs Hosts" the only one available was "Restore MS Hosts file." So I clicked on that instead, then clicked on "make read only" and then exited. Then I went to Run and put in Combofix /u and there was nothing found. After that, when I tried to download from the links I got the same error message "not found." Not sure what to do next...

Thanks for your help so far

#6 CatByte (GeekU Teacher, GeekU Moderator, 2,485 posts, MVP)
OK,

Did you run option #2 on GooredFix? That wasn't the log I expected from option #2, so perhaps it didn't run correctly?

If not, please try running option two again.

We'll give ComboFix another try; if this won't download, we'll try another tool.

You might try doing it in Safe Mode with Networking.


Next do this


NOTE: worksnow is actually ComboFix renamed, so you will be able to download and run ComboFix.

Download worksnow from HERE:


* IMPORTANT !!! Save worksnow to your Desktop



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on worksnow & follow the prompts.

Note: worksnow will run without the Recovery Console installed.

Note: Combofix will run without the Recovery Console installed.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Also "copy/paste" a new HijackThis log file into this thread.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

#7 san141 (Member, 15 posts)
Ok, I ran GooredFix option 2 again but the log looks the same (below). Worksnow/ComboFix downloaded this time and ran successfully. A HijackThis log is also here as you requested.

*Goored Log*

GooredFix v1.92 by jpshortstuff
Log created at 23:25 on 26/04/2009 running Option #2 (Ian)
Firefox version 3.0.9 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

---------------------------

*Combofix Log*

ComboFix 09-04-25.A3 - Ian 04/26/2009 23:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1468 [GMT -4:00]
Running from: c:\documents and settings\Ian\Desktop\worksnow.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 03:01 . 2009-04-27 03:01 -------- d-----w C:\HostsExpert
2009-04-26 22:41 . 2009-04-26 22:43 -------- d-----w C:\Rooter$
2009-04-24 20:25 . 2009-04-27 00:52 -------- d-----w c:\documents and settings\Ian\Tracing
2009-04-24 20:10 . 2006-11-29 17:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll
2009-04-24 20:10 . 2009-04-24 20:10 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-04-24 20:07 . 2009-04-24 20:07 -------- d-----w c:\program files\Microsoft
2009-04-24 20:07 . 2009-04-24 20:07 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-24 19:57 . 2009-04-24 19:57 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-10 17:27 . 2009-04-10 17:27 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-10 17:22 . 2009-04-10 17:22 -------- d-----w c:\program files\Common Files\Canon
2009-04-04 21:00 . 2009-04-04 21:00 -------- d-----w c:\program files\Trend Micro
2009-04-04 18:05 . 2009-04-04 18:05 -------- d-----w c:\documents and settings\Ian\Application Data\Malwarebytes
2009-04-04 18:05 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 18:05 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 18:05 . 2009-04-13 15:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-04 18:05 . 2009-04-04 18:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 18:03 . 2009-04-04 18:03 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-04 16:14 . 2009-04-26 23:45 -------- d-----w c:\program files\Lavasoft
2009-04-04 16:14 . 2009-04-26 23:45 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-29 22:37 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-03-29 22:36 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-03-29 22:12 . 2009-03-29 22:12 -------- d-----w c:\windows\system32\scripting
2009-03-29 22:12 . 2009-03-29 22:12 -------- d-----w c:\windows\system32\en
2009-03-29 22:12 . 2009-03-29 22:12 -------- d-----w c:\windows\l2schemas
2009-03-29 21:56 . 2008-04-14 00:12 276992 ------w c:\windows\system32\wmphoto.dll
2009-03-29 21:56 . 2008-04-14 00:12 69120 ------w c:\windows\system32\wlanapi.dll
2009-03-29 21:56 . 2008-07-11 08:55 347648 ------w c:\windows\system32\windowscodecsext.dll
2009-03-29 21:54 . 2008-04-14 00:12 33792 ------w c:\windows\system32\mmcperf.exe
2009-03-29 21:53 . 2008-04-14 00:11 136192 ------w c:\windows\system32\aaclient.dll
2009-03-29 21:50 . 2009-04-26 21:39 4915254 ---ha-w c:\windows\system32\toyhide.bmp
2009-03-29 21:45 . 2009-03-31 20:09 -------- d-----w c:\program files\WallpaperToy
2009-03-29 21:45 . 2009-03-29 21:44 187072 ----a-w c:\windows\walltoyUninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 02:19 . 2007-05-04 04:01 -------- d-----w c:\documents and settings\Ian\Application Data\Azureus
2009-04-26 22:43 . 2009-04-26 22:43 3587 ----a-w C:\Rooter.txt
2009-04-26 12:32 . 2009-04-06 12:07 2908 ----a-w C:\aaw7boot.log
2009-04-25 03:10 . 2005-10-10 16:54 -------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-04-25 01:32 . 2009-01-25 20:10 -------- d-----w c:\documents and settings\Ian\Application Data\LimeWire
2009-04-24 20:24 . 2005-10-09 04:24 65032 ----a-w c:\documents and settings\Ian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 20:11 . 2008-02-09 21:33 -------- d-----w c:\program files\Windows Live
2009-04-17 23:44 . 2008-08-23 15:57 -------- d-----w c:\program files\McAfee
2009-04-17 04:48 . 2009-04-17 04:17 137 ----a-w C:\VundoFix.txt
2009-04-14 13:48 . 2007-05-11 03:50 -------- d-----w c:\program files\Azureus
2009-04-10 18:29 . 2008-02-20 00:54 232 ---ha-w C:\sqmdata14.sqm
2009-04-10 18:29 . 2008-02-20 00:54 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-10 18:00 . 2008-02-05 03:09 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-10 18:00 . 2008-02-05 03:09 232 ---ha-w C:\sqmdata13.sqm
2009-04-10 17:28 . 2008-09-07 21:58 -------- d-----w c:\program files\Canon
2009-03-29 22:16 . 2005-10-09 02:42 86327 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-03-29 22:07 . 2002-08-29 05:05 250048 --sha-r C:\ntldr
2009-03-29 12:59 . 2008-06-12 05:21 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-27 23:33 . 2009-02-21 20:08 -------- d-----w c:\program files\IKEA HomePlanner
2009-03-25 15:06 . 2008-08-23 15:58 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2008-08-23 15:58 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2008-08-23 15:58 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2008-08-23 15:58 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2008-08-23 15:58 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-10 21:59 . 2009-03-10 21:59 1510 ----a-w c:\windows\Sketchpad Preferences.dat
2009-02-26 20:16 . 2008-02-05 01:29 244 ---ha-w C:\sqmnoopt12.sqm
2009-02-26 20:16 . 2008-02-05 01:29 232 ---ha-w C:\sqmdata12.sqm
2009-02-26 20:09 . 2008-01-20 01:42 244 ---ha-w C:\sqmnoopt11.sqm
2009-02-26 20:09 . 2008-01-20 01:42 232 ---ha-w C:\sqmdata11.sqm
2009-02-26 20:06 . 2008-01-01 21:16 244 ---ha-w C:\sqmnoopt10.sqm
2009-02-26 20:06 . 2008-01-01 21:16 232 ---ha-w C:\sqmdata10.sqm
2009-02-26 20:01 . 2007-12-03 00:37 232 ---ha-w C:\sqmdata09.sqm
2009-02-26 20:01 . 2007-12-03 00:37 244 ---ha-w C:\sqmnoopt09.sqm
2009-02-26 19:59 . 2007-12-01 05:17 232 ---ha-w C:\sqmdata08.sqm
2009-02-26 19:59 . 2007-12-01 05:17 244 ---ha-w C:\sqmnoopt08.sqm
2009-02-26 19:59 . 2007-11-01 22:16 172 ---ha-w C:\sqmdata07.sqm
2009-02-26 19:59 . 2007-11-01 22:16 244 ---ha-w C:\sqmnoopt07.sqm
2009-02-26 19:59 . 2007-09-15 23:13 244 ---ha-w C:\sqmnoopt06.sqm
2009-02-26 19:59 . 2007-09-15 23:13 232 ---ha-w C:\sqmdata06.sqm
2009-02-26 19:59 . 2007-09-01 21:17 244 ---ha-w C:\sqmnoopt05.sqm
2009-02-26 19:59 . 2007-09-01 21:17 232 ---ha-w C:\sqmdata05.sqm
2009-02-26 19:58 . 2007-08-16 23:06 244 ---ha-w C:\sqmnoopt04.sqm
2009-02-26 19:58 . 2007-08-16 23:06 232 ---ha-w C:\sqmdata04.sqm
2009-02-26 14:26 . 2007-07-19 10:19 244 ---ha-w C:\sqmnoopt03.sqm
2009-02-26 14:26 . 2007-07-19 10:19 232 ---ha-w C:\sqmdata03.sqm
2009-02-26 14:22 . 2007-07-19 10:19 244 ---ha-w C:\sqmnoopt02.sqm
2009-02-26 14:22 . 2007-07-19 10:19 232 ---ha-w C:\sqmdata02.sqm
2009-02-26 13:56 . 2007-07-19 04:20 244 ---ha-w C:\sqmnoopt01.sqm
2009-02-26 13:56 . 2007-07-19 04:20 232 ---ha-w C:\sqmdata01.sqm
2009-02-09 11:13 . 2002-08-29 06:14 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 23:03 . 2009-02-06 23:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2008-10-21 18:10 . 2008-10-21 18:10 126 ----a-w c:\documents and settings\Ian\Local Settings\Application Data\fusioncache.dat
2008-02-26 03:07 . 2008-02-26 03:07 18725 ----a-w c:\program files\Readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-11-03 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-02-27 16005120]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-12-26 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2004-03-11 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2003-06-20 49152]

c:\documents and settings\Ian\Start Menu\Programs\Startup\
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2009-3-29 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-4-3 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-23 967960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\CTHELPER.EXE"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd; [x]
R0 ntcdrdrv;ntcdrdrv; [x]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-04 152576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
S2 PfDetNT;PfDetNT;c:\windows\System32\drivers\PfModNT.sys [2003-03-05 15840]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-23 15:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-23 15:53]

2009-04-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\ij048ut4.Mike\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\ij048ut4.Mike\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 23:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2624)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-04-27 23:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 03:42

Pre-Run: 39,885,316,096 bytes free
Post-Run: 40,092,000,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

265 --- E O F --- 2009-04-26 23:07

------------------------------

*Hi-Jack This Log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:04 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1155758786875
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Ian/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 11512 bytes

#8
CatByte
GeekU Teacher, GeekU Moderator, MVP, 2,485 posts

Hi,

Please do the following

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:

Go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

In your next reply please include

  • MBAM Log
  • Kaspersky report

Please advise how your computer is running now and if there are any other issues outstanding.

#9
san141
Member, 15 posts

Hi again,

I ran Malwarebytes again and nothing turned up. Just finished running the Kaspersky scan and one item, a Trojan, was found. Both are posted below. Other than that it seems that I'm no longer being directed in google! So something must have worked. Thanks so much. Just need to know how to get rid of this Trojan now (although I'm not sure what effect it's having on my system because I haven't noticed anything yet)... Also, should I be putting the HostsExpert settings back to what they were originally?

Malwarebytes' Anti-Malware 1.36
Database version: 2047
Windows 5.1.2600 Service Pack 3

4/27/2009 12:08:33 PM
mbam-log-2009-04-27 (12-08-33).txt

Scan type: Quick Scan
Objects scanned: 83640
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------

*Kaspersky*

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 27, 2009 18:06:07
Records in database: 2083698
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\
M:\

Scan statistics:
Files scanned: 140211
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:25:44


File name / Threat name / Threats count
C:\Documents and Settings\Ian\Local Settings\Application Data\Mozilla\Firefox\Profiles\ij048ut4.Mike\Cache\E3AAB9CAd01 Infected: Trojan.Win32.Agent2.fft 1

The selected area was scanned.

#10
CatByte
GeekU Teacher, GeekU Moderator, MVP, 2,485 posts

Hi,

The hosts file can be added from the link in the recommendations that follow.

The infection is located in the Firefox cache, which can be cleared by doing the following:

Open Firefox > Tools > Clear Private Data

I would highlight everything including saved passwords (make sure you know them all first) just to be sure, then click CLEAR PRIVATE DATA NOW.

Then do the following:

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox browser
    • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time.




NEXT:


Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
  • Download and install the latest Java Runtime Environment (JRE) version for your computer.(version 6, update 13)



NEXT


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT


Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.


NEXT



Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • For Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read the guide by Rorschach112 on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0
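The HOSTS-file recommendation above works by exact hostname match: a name listed in the file resolves to 127.0.0.1 (or 0.0.0.0) instead of the real server, and any name not listed is unaffected. The script below is an added example, not part of the forum post or of the MVPS project, that parses HOSTS-format text and reports which names would be sinkholed. The sample file contents are constructed, the `SINKHOLE_ADDRS` set is an assumption of the example, and treating the first entry for a given name as the effective one is also an assumption rather than a documented resolver guarantee.

```python
"""Parse a HOSTS file and report which hostnames it sinkholes.

Added example (not from the forum post or the MVPS project). The sample
HOSTS text is constructed for illustration only.
"""
import os

# Addresses that blocking HOSTS files point bad names at. 127.0.0.1 is what
# the post describes; 0.0.0.0 is the other common choice. (Assumption of
# this example, not a fixed standard.)
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback and must not be reported as blocked.
LOOPBACK_NAMES = {"localhost"}

# Constructed sample in HOSTS format: comments, mixed tabs/spaces, several
# hostnames on one line, mixed case. NOT the real MVPS file.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not the real MVPS file)
127.0.0.1   localhost
127.0.0.1\tads.example.test   tracker.example.test  # inline comment
0.0.0.0     Malware.Example.Test
192.0.2.10  intranet.example.test
"""


def parse_hosts(text):
    """Return {hostname (lowercase): ip} from HOSTS-format text.

    Comments start with '#', fields are whitespace-separated, and one line
    may list several hostnames after the address. The first entry seen for a
    name is kept (assumption: first match wins).
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, skip it
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_sinkholed(mapping, hostname):
    """True if HOSTS would send this exact hostname to a sinkhole address.

    Matching is exact and case-insensitive: blocking 'ads.example.test' does
    nothing for 'cdn.ads.example.test'.
    """
    name = hostname.lower()
    if name in LOOPBACK_NAMES:
        return False
    return mapping.get(name) in SINKHOLE_ADDRS


def blocked_hosts(mapping):
    """Sorted list of every hostname the file sinkholes (loopback names excluded)."""
    return sorted(h for h in mapping if is_sinkholed(mapping, h))


def load_system_hosts():
    """Read the live Windows HOSTS file if present, else None (offline-safe)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())


if __name__ == "__main__":
    m = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(m))
    print("cdn.ads.example.test blocked?", is_sinkholed(m, "cdn.ads.example.test"))
    live = load_system_hosts()
    if live is not None:
        print("live HOSTS entries sinkholed:", len(blocked_hosts(live)))
```

The `cdn.ads.example.test` check is the caveat worth keeping in mind: a HOSTS file cannot express wildcards, so a redirector that rotates subdomains is only blocked for the exact names the list happens to contain.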

#11
san141
  • Member
  • 15 posts
OK, mostly went well. The only snag was that ComboFix couldn't be found when I tried to run the uninstall. I tried with "workSnow /u" but that didn't work either. Since I installed ComboFix under the name Worksnow (if in fact they are the same), is there some other line I should try running instead? Also, can I just delete OTListIt2 and Rooter off the desktop manually?
  • 0

#12
CatByte (GeekU Teacher)
  • GeekU Moderator
  • 2,485 posts
  • MVP
Hi,

The ToolsCleaner2 program should have cleaned those up, so if there are items remaining, just go ahead and delete them manually. ToolsCleaner2 also cleans up ComboFix.

The ComboFix cleanup sets a new restore point, so to be certain we have one, let's do it manually.

Please do the following:

Click Start Menu > Run > type (or copy and paste) the following into the runbox
  • %SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type (or copy and paste) the following into the runbox
  • cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK then choose Yes on the confirmation window.

Thank you.

CB
  • 0

#13
san141
  • Member
  • 15 posts
Thanks so much for your help! Don't know how else I would have done it.
  • 0

#14
CatByte (GeekU Teacher)
  • GeekU Moderator
  • 2,485 posts
  • MVP
You are more than welcome

stay safe :)

CB
  • 0

#15
CatByte (GeekU Teacher)
  • GeekU Moderator
  • 2,485 posts
  • MVP
Since this issue appears to be resolved, this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
