Trojan horse Agent2.MKA / Trojan horse Rootkit-Agent.DZ [Solved] - Geeks to Go Forums


Trojan horse Agent2.MKA / Trojan horse Rootkit-Agent.DZ [Solved]
Win.Update not updating, IE searches redirecting, etc.

#1 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 17 July 2009 - 11:18 AM

Hello, and first off, thank you very much for taking time out of your day to look at this.

I've been having trouble for some time now. It started off about a month ago with AVG warning me about a "Trojan horse Rootkit-Agent.DZ" periodically. AVG never found it during its daily scans, and eventually it stopped warning me about it entirely, so I figured, hey! maybe it's gone. Unfortunately, about a week or two later, whenever I went to open Firefox (and IE as well), I would get warnings from AVG about something called "Trojan horse Agent2.MKA".

The file is located at C:\WINDOWS\System32\long string of gibberish.dll. If you want that string of gibberish, I have it written down, but in hopes of not stretching the page, I've left it out. :) Going to that folder and looking for this file turns up absolutely nothing, so I can't delete it. It also seems to be opening twice, or at least that's what AVG says. Again, this thing is never found during daily scans, only when opening IE or Firefox.

Windows Update also seems to not be updating at all -- any attempts end up with a failure message. IE searches are also redirected for some reason. There might be more IE troubles, but I almost never use that browser, so I can't be sure.

Steps taken:
TFC - Ran successfully, 144MB deleted.
SysRestorePoint - Was unsuccessful, and I got the following .txt error message file:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Runtime.InteropServices.COMException (0x80070422): The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
at Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack)
at Microsoft.VisualBasic.CompilerServices.NewLateBinding.LateGet(Object Instance, Type Type, String MemberName, Object[] Arguments, String[] ArgumentNames, Type[] TypeArguments, Boolean[] CopyBack)
at SysRestorePoint.Module1.CreateRestorePoint()
at SysRestorePoint.Form1.Form1_Load(Object eventSender, EventArgs eventArgs)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Windows.Forms.Form.OnLoad(EventArgs e)
at System.Windows.Forms.Form.OnCreateControl()
at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
at System.Windows.Forms.Control.CreateControl()
at System.Windows.Forms.Control.WmShowWindow(Message& m)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ContainerControl.WndProc(Message& m)
at System.Windows.Forms.Form.WmShowWindow(Message& m)
at System.Windows.Forms.Form.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
SysRestorePoint
Assembly Version: 1.3.0.0
Win32 Version: 1.3.0.0
CodeBase: file:///C:/Users/Seshennu/Desktop/SysRestorePoint.exe
----------------------------------------
Microsoft.VisualBasic
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.VisualBasic/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Runtime.Remoting
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.


ERUNT - Ran successfully, it says the files were backed up at C:\WINDOWS\ERDNT\7-17-2009
/Preparation steps

1. MBAM - Unsuccessful. Neither page could be loaded (the download link and the homepage); both showed the message "Server not found". Other websites seem to be loading just fine.

2. Viruses/Trojans - Again, AVG shows nothing but the occasional "warnings" in its daily scans, usually just things attached to cookies (adware?) that get sent to the Virus Vault.

3. Windows Updates - Can't update at all.

4. Reboot - Does absolutely nothing, except restart my computer. 8D;

5. Rootkit Detection - I tried to run this twice, to no success. I got the following errors:

Error Message 1: ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00429430
Attempt to write to address: 0x011d9000

Error Message 2: ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00429430
Attempt to write to address: 0x00d79000

6. OTL - Ran successfully, although I did not get an Extras.txt file, as mentioned in the Guide.

OTL logfile created on: 7/17/2009 12:42:10 PM - Run 1
OTL by OldTimer - Version 3.0.8.0 Folder = C:\Users\Seshennu\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 69.87% Memory free
4.00 Gb Paging File | 3.36 Gb Available in Paging File | 84.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 105.20 Gb Total Space | 47.63 Gb Free Space | 45.27% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 30.45 Gb Free Space | 40.86% Space Free | Partition Type: NTFS
Drive E: | 6.59 Gb Total Space | 0.61 Gb Free Space | 9.31% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAWLIET
Current User Name: Seshennu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/12/04 03:42:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/07/02 08:20:51 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2006/11/24 19:34:16 | 00,270,431 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
PRC - [2009/02/06 17:38:36 | 00,266,240 | ---- | M] () -- C:\Windows\System32\CSHelper.exe
PRC - [2006/11/28 18:10:12 | 00,063,080 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
PRC - [2009/07/02 08:20:56 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/07 23:11:20 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2006/10/19 17:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/04/26 01:21:22 | 00,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxddcoms.exe
PRC - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2007/07/10 06:28:08 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe
PRC - [2009/07/02 08:20:53 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2006/11/24 19:34:20 | 00,118,877 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
PRC - [2006/05/02 18:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2009/07/02 08:20:55 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2008/10/29 02:20:29 | 02,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE
PRC - [2008/07/01 21:52:47 | 01,006,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/03/28 02:05:00 | 01,045,800 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/11/24 19:33:52 | 00,167,936 | ---- | M] (CyberLink Corp.) -- C:\Program Files\HP\QuickPlay\QPService.exe
PRC - [2006/11/06 14:58:18 | 00,159,744 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2006/10/18 13:56:54 | 00,317,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
PRC - [2006/10/18 13:32:36 | 00,472,800 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
PRC - [2009/07/02 08:20:52 | 01,948,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2005/07/15 17:48:33 | 00,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe
PRC - [2007/05/04 02:38:34 | 00,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddmon.exe
PRC - [2007/03/05 03:40:25 | 00,020,480 | ---- | M] (Lexmark) -- C:\Program Files\Lexmark 2500 Series\lxddamon.exe
PRC - [2009/03/02 21:59:26 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe
PRC - [2007/05/08 17:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2009/03/09 05:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/12/15 18:03:03 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Users\Seshennu\Program Files\DNA\btdna.exe
PRC - [2006/10/10 20:44:10 | 00,034,520 | ---- | M] (Hewlett Packard) -- C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
PRC - [2006/11/02 14:24:10 | 00,491,606 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
PRC - [2008/03/28 02:06:00 | 00,095,528 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2009/07/02 08:20:55 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/07/17 12:41:02 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/06/26 13:50:08 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr [On_Demand | Stopped])
SRV - [2009/07/02 08:20:53 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/07/02 08:20:51 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2006/11/24 19:34:16 | 00,270,431 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
SRV - [2008/07/27 14:00:25 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2006/11/24 19:34:20 | 00,118,877 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
SRV - File not found -- -- (CLTNetCnService [Auto | Stopped])
SRV - [2009/02/06 17:38:36 | 00,266,240 | ---- | M] () -- C:\Windows\System32\CSHelper.exe -- (CSHelper [Auto | Running])
SRV - [2006/11/02 08:35:28 | 00,291,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2006/11/02 08:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 08:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2006/11/02 05:46:13 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2008/06/19 21:18:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2006/11/28 18:10:12 | 00,063,080 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service [Auto | Running])
SRV - [2006/05/02 18:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Running])
SRV - [2004/10/22 07:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/06/19 21:17:49 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2006/10/19 17:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2007/04/26 01:21:42 | 00,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\DRIVERS\W32X86\3\lxddserv.exe -- (lxddCATSCustConnectService [Auto | Stopped])
SRV - [2007/04/26 01:21:22 | 00,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxddcoms.exe -- (lxdd_device [Auto | Running])
SRV - [2008/06/19 21:17:50 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/12/04 03:42:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Running])
SRV - [2006/11/06 17:31:14 | 00,887,544 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2006/11/01 15:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2008/07/01 21:52:46 | 00,265,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV - [2006/11/02 08:36:04 | 00,895,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2007/07/10 06:28:08 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe -- (XAudioService [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gaiaonline.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://seshennu.livejournal.com/friends?show=P&filter=0"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1
FF - prefs.js..extensions.enabledItems: elemhidehelper@adblockplus.org:1.0.6
FF - prefs.js..extensions.enabledItems: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e}:0.6.3.11
FF - prefs.js..extensions.enabledItems: {ad4ee9e5-49c7-4589-acf3-db9fa76a95c9}:2.1.3
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: oldAddBookmarkBehavior@alice:2.0
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.2.0.2
FF - prefs.js..extensions.enabledItems: {ada4b710-8346-4b82-8199-5de2b400a6ae}:1.9.1
FF - prefs.js..extensions.enabledItems: snaplinks@snaplinks.mozdev.org:1.0.2
FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2
FF - prefs.js..extensions.enabledItems: {0df7b3bb-9581-44bb-835f-061a29ec8a46}:2.1.20090625
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/07/02 08:21:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/02/18 17:04:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Firefox\components [2009/07/17 10:15:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Firefox\plugins [2009/07/17 10:15:45 | 00,000,000 | ---D | M]

[2009/06/16 16:55:19 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Extensions
[2009/06/16 16:55:19 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/16 22:26:58 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions
[2009/06/29 20:20:28 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
[2009/05/27 17:43:00 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2009/07/07 16:50:39 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
[2009/07/06 10:41:49 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
[2009/07/06 10:32:15 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{ad4ee9e5-49c7-4589-acf3-db9fa76a95c9}
[2009/07/06 11:03:16 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
[2009/07/13 22:04:37 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/07 00:21:37 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\elemhidehelper@adblockplus.org
[2009/01/30 11:58:03 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\moveplayer@movenetworks.com
[2009/07/06 10:57:12 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\oldAddBookmarkBehavior@alice
[2009/07/06 10:11:33 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\snaplinks@snaplinks.mozdev.org
[2009/06/09 12:15:29 | 00,001,741 | ---- | M] () -- C:\Users\Seshennu\AppData\Roaming\Mozilla\FireFox\Profiles\hcnl7txo.default\searchplugins\aol-search.xml
[2009/07/06 10:01:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/06/30 15:28:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
[2008/07/14 09:38:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/12 17:41:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/07 21:48:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/12/05 23:52:44 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/01/07 13:16:58 | 00,609,280 | ---- | M] (ArtistScope) -- C:\Program Files\mozilla firefox\plugins\npArtistScope42.dll
[2008/09/03 20:11:24 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2009/03/09 05:19:09 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/11/06 12:33:48 | 01,332,224 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2008/06/10 20:03:38 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2008/10/14 22:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2007/04/16 13:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP-Diags] C:\Program Files\Hewlett-Packard\HP Battery Check\HPDOM\HPDiags.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe (Lexmark)
O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QlbCtrl] File not found
O4 - HKLM..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Users\Seshennu\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\launcher.exe (soft thinks)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Windows\System32\wshbth.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.231,85.255.112.98
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/19 11:45:18 | 00,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 00,000,340 | -HS- | M] () - E:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[3 C:\ProgramData\*.tmp files]
[2009/07/17 12:40:51 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\OTL.exe
[2009/07/17 12:37:55 | 00,469,504 | ---- | C] ( ) -- C:\Users\Seshennu\Desktop\RootRepeal.exe
[2009/07/17 12:29:44 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/07/17 12:28:55 | 00,000,735 | ---- | C] () -- C:\Users\Seshennu\Desktop\NTREGOPT.lnk
[2009/07/17 12:28:54 | 00,000,716 | ---- | C] () -- C:\Users\Seshennu\Desktop\ERUNT.lnk
[2009/07/17 12:28:51 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/07/17 12:21:22 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Users\Seshennu\Desktop\SysRestorePoint.exe
[2009/07/17 12:18:47 | 00,265,216 | ---- | C] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\TFC.exe
[2009/07/09 22:31:01 | 00,000,746 | ---- | C] () -- C:\Users\Seshennu\Desktop\Jarte.lnk
[2009/07/09 21:43:41 | 00,000,000 | ---D | C] -- C:\Users\Seshennu\AppData\Local\Apple Computer
[2009/07/09 21:42:32 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2009/07/09 21:42:32 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/07/06 10:04:51 | 00,001,652 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/07/06 10:04:44 | 00,000,000 | ---D | C] -- C:\Program Files\Firefox

========== Files - Modified Within 14 Days ==========

[3 C:\ProgramData\*.tmp files]
[2009/07/17 12:41:02 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\OTL.exe
[2009/07/17 12:39:52 | 00,716,948 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/07/17 12:39:52 | 00,618,648 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/07/17 12:39:52 | 00,104,024 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/07/17 12:35:55 | 00,042,088 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/07/17 12:35:54 | 00,000,146 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2009/07/17 12:35:41 | 00,000,266 | -H-- | M] () -- C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
[2009/07/17 12:34:41 | 00,003,200 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/07/17 12:34:41 | 00,003,200 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/07/17 12:34:39 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/07/17 12:34:34 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/07/17 12:33:32 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/07/17 12:33:27 | 03,611,663 | -H-- | M] () -- C:\Users\Seshennu\AppData\Local\IconCache.db
[2009/07/17 12:28:55 | 00,000,735 | ---- | M] () -- C:\Users\Seshennu\Desktop\NTREGOPT.lnk
[2009/07/17 12:28:54 | 00,000,716 | ---- | M] () -- C:\Users\Seshennu\Desktop\ERUNT.lnk
[2009/07/17 12:21:26 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Users\Seshennu\Desktop\SysRestorePoint.exe
[2009/07/17 12:18:58 | 00,265,216 | ---- | M] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\TFC.exe
[2009/07/17 10:16:37 | 00,034,071 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2009/07/17 10:16:36 | 38,260,694 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2009/07/14 20:31:09 | 00,042,088 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/07/14 17:21:09 | 00,132,608 | ---- | M] () -- C:\Users\Seshennu\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/12 21:39:46 | 00,469,504 | ---- | M] ( ) -- C:\Users\Seshennu\Desktop\RootRepeal.exe
[2009/07/06 10:04:51 | 00,001,652 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

========== LOP Check ==========

[2009/07/02 08:21:30 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming
[2008/09/28 22:54:27 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\.bsnes
[2008/06/30 14:14:21 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\acccore
[2008/07/18 19:51:06 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Amazon
[2009/01/08 01:26:23 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Azureus
[2009/07/05 00:54:06 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\BitTorrent
[2008/07/07 14:58:22 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\CyberLink
[2008/07/03 15:13:50 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\DAEMON Tools
[2009/07/17 12:45:55 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\DNA
[2008/12/26 01:00:43 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\dvdcss
[2008/08/26 19:28:44 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\FaxCtr
[2009/07/15 14:14:57 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Jarte
[2008/08/24 22:07:04 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Lexmark Productivity Studio
[2006/11/02 08:37:34 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Media Center Programs
[2009/02/07 10:15:27 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mIRC
[2008/07/01 15:54:00 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\NCH Software
[2009/06/17 14:58:58 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\OpenOffice.org2
[2008/07/03 21:50:14 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Roxio
[2009/07/17 12:34:39 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/07/17 12:33:32 | 00,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/07/17 12:35:41 | 00,000,266 | -H-- | M] () -- C:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

========== Purity Check ==========


< End of report >


Again, thank you for your time. Any and all help is very much appreciated. =)

#2 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 17 July 2009 - 11:41 AM

Hi there. As the malware is hidden from that scan, I will use a big hammer first and see what that reveals. If you have problems running or downloading this programme, let me know.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both zip files to your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 17 July 2009 - 11:52 AM

I got another error message trying to load the page: "The connection to the server was reset while the page was loading." All other websites look fine. Do you think you can upload it to mediafire or something?

#4 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 17 July 2009 - 02:16 PM

Sorry this took so long -- I ended up having to get to an uninfected PC and download AVZ onto a thumb drive to install here. Well... Whatever works, I guess.

Here are the requested zips:
Attached File  virusinfo_syscure.zip (21.19K)
Attached File  virusinfo_syscheck.zip (20.93K)

#5 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 18 July 2009 - 04:40 AM

I am afraid that result was not promising - you may have a file infector, and the only way to cure that would be a full reformat. However, I would like to confirm my suspicions first. As you can access another computer, download Dr Web to your thumb drive - but rename it to Dr Web.com first. Once downloaded, run it from the thumb drive. This can be run from safe mode.

Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit icon to start the program.
  • Press Start.
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.

  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
      Note: (If the file cannot be cured, Dr.Web will automatically delete the file.)

  • Once the scan is complete, on the menu bar, click File and choose Report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web CureIt.
  • Please post the Dr.Web.txt report in your next reply.


#6 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 18 July 2009 - 09:46 PM

Just an update -- I ran Dr.Web successfully, but when going to save the report list, my laptop shut down and began checking the drives for something (consistency, I think?). When it restarted, I got the following from a "Windows has recovered..." error (posting just in case it's relevant):

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 19
BCP1: 00000021
BCP2: D7F68000
BCP3: 00048D50
BCP4: 001F0000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\Mini071809-01.dmp
C:\Users\Seshennu\AppData\Local\Temp\WER-493665-0.sysdata.xml
C:\Users\Seshennu\AppData\Local\Temp\WERD651.tmp.version.txt


From what I remember, Dr.Web found 4 infected files, and moved 3(?) of them. I don't get the AVG warnings when opening IE or Firefox, although Windows Update still won't update and IE searches are still being redirected.

Whatever next step I'll have to take, I'm afraid I (probably) won't be able to do until Monday, as I'll be attending my grandfather's 80th tomorrow.

Have a good weekend!

#7 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 19 July 2009 - 04:41 AM

In that case, the good news is that you do not have a file infector. :) So now I can start the cleaning process.

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#8 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 19 July 2009 - 09:29 PM

For the life of me, I couldn't figure out how to completely close AVG before running ComboFix. I closed the system tray, but it still came up as active when I started ComboFix. I uninstalled it for the time being, but now that it's installed again, Resident Shield won't activate, and Windows Security Center won't "turn on" AVG, no matter how many times I click "Turn on now". :) -- Scratch that, rebooting seems to have cleared up that problem completely. AVG is updated and seems to be running smoothly.

On the plus side, whatever ComboFix did, it got rid of the IE searches redirecting and I can access the websites I couldn't before. So I guess things are starting to get better, thank you for that. =)

Attached File  ComboFix.txt (22.83K)

#9 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 20 July 2009 - 01:10 PM

Still one to get rid of, and it is a file infector - so on completion of this I will need you to run an additional AV scan.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\IsDrv122.sys


3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListIt log.


THEN

Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit icon to start the program.
  • Press Start.
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.

  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
      Note: (If the file cannot be cured, Dr.Web will automatically delete the file.)

  • Once the scan is complete, on the menu bar, click File and choose Report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web CureIt.
  • Please post the Dr.Web.txt report in your next reply.


#10 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 20 July 2009 - 06:25 PM

Good evening! OTL log posted first, the ComboFix and DrWeb attachments at the very bottom.

OTL logfile created on: 7/20/2009 3:38:58 PM - Run 2
OTL by OldTimer - Version 3.0.8.0 Folder = C:\Users\Seshennu\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18783)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 61.33% Memory free
4.00 Gb Paging File | 3.35 Gb Available in Paging File | 83.87% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 105.20 Gb Total Space | 47.79 Gb Free Space | 45.43% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 30.51 Gb Free Space | 40.93% Space Free | Partition Type: NTFS
Drive E: | 6.59 Gb Total Space | 0.61 Gb Free Space | 9.31% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAWLIET
Current User Name: Seshennu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/12/04 03:42:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2006/11/24 19:34:16 | 00,270,431 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
PRC - [2009/02/06 17:38:36 | 00,266,240 | ---- | M] () -- C:\Windows\System32\CSHelper.exe
PRC - [2006/11/28 18:10:12 | 00,063,080 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
PRC - [2006/10/19 17:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/04/26 01:21:22 | 00,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxddcoms.exe
PRC - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2007/07/10 06:28:08 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe
PRC - [2006/11/24 19:34:20 | 00,118,877 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
PRC - [2006/05/02 18:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2008/07/01 21:52:47 | 01,006,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/03/28 02:05:00 | 01,045,800 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2006/11/24 19:33:52 | 00,167,936 | ---- | M] (CyberLink Corp.) -- C:\Program Files\HP\QuickPlay\QPService.exe
PRC - [2006/11/06 14:58:18 | 00,159,744 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2006/10/18 13:56:54 | 00,317,152 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
PRC - [2006/10/18 13:32:36 | 00,472,800 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
PRC - [2005/07/15 17:48:33 | 00,479,232 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Gmail Notifier\gnotify.exe
PRC - [2007/03/05 03:40:25 | 00,020,480 | ---- | M] (Lexmark) -- C:\Program Files\Lexmark 2500 Series\lxddamon.exe
PRC - [2007/05/08 17:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2009/03/09 05:19:17 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/12/15 18:03:03 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Users\Seshennu\Program Files\DNA\btdna.exe
PRC - [2006/10/10 20:44:10 | 00,034,520 | ---- | M] (Hewlett Packard) -- C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
PRC - [2009/03/02 21:59:26 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe
PRC - [2006/11/02 14:24:10 | 00,491,606 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
PRC - [2008/03/28 02:06:00 | 00,095,528 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2008/07/27 14:00:25 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PRC - [2008/10/29 02:20:29 | 02,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.exe
PRC - [2009/07/17 10:15:43 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Firefox\firefox.exe
PRC - [2009/07/17 12:41:02 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/06/26 13:50:08 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr [On_Demand | Stopped])
SRV - [2006/11/24 19:34:16 | 00,270,431 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
SRV - [2008/07/27 14:00:25 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [Auto | Running])
SRV - [2006/11/24 19:34:20 | 00,118,877 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
SRV - File not found -- -- (CLTNetCnService [Auto | Stopped])
SRV - [2009/02/06 17:38:36 | 00,266,240 | ---- | M] () -- C:\Windows\System32\CSHelper.exe -- (CSHelper [Auto | Running])
SRV - [2006/11/02 08:35:28 | 00,291,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2006/11/02 08:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 08:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2006/11/02 05:46:13 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2008/06/19 21:18:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2006/11/28 18:10:12 | 00,063,080 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service [Auto | Running])
SRV - [2006/05/02 18:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [Auto | Running])
SRV - [2004/10/22 07:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/06/19 21:17:49 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2006/10/19 17:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2007/04/26 01:21:42 | 00,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\DRIVERS\W32X86\3\lxddserv.exe -- (lxddCATSCustConnectService [Auto | Stopped])
SRV - [2007/04/26 01:21:22 | 00,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxddcoms.exe -- (lxdd_device [Auto | Running])
SRV - [2008/06/19 21:17:50 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/12/04 03:42:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc [Auto | Running])
SRV - [2006/11/06 17:31:14 | 00,887,544 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [On_Demand | Stopped])
SRV - [2006/11/01 15:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr [On_Demand | Stopped])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2008/07/01 21:52:46 | 00,265,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Running])
SRV - [2006/11/02 08:36:04 | 00,895,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2007/07/10 06:28:08 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe -- (XAudioService [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gaiaonline.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://seshennu.livejournal.com/friends?show=P&filter=0"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1
FF - prefs.js..extensions.enabledItems: elemhidehelper@adblockplus.org:1.0.6
FF - prefs.js..extensions.enabledItems: {ad4ee9e5-49c7-4589-acf3-db9fa76a95c9}:2.1.3
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: oldAddBookmarkBehavior@alice:2.0
FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.2.0.2
FF - prefs.js..extensions.enabledItems: {ada4b710-8346-4b82-8199-5de2b400a6ae}:1.9.1
FF - prefs.js..extensions.enabledItems: snaplinks@snaplinks.mozdev.org:1.0.2
FF - prefs.js..extensions.enabledItems: {0df7b3bb-9581-44bb-835f-061a29ec8a46}:2.1.20090625
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/20 13:36:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Firefox\components [2009/07/17 10:15:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Firefox\plugins [2009/07/17 10:15:45 | 00,000,000 | ---D | M]

[2009/06/16 16:55:19 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Extensions
[2009/06/16 16:55:19 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/20 15:24:59 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions
[2009/06/29 20:20:28 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
[2009/07/20 15:24:59 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/05/27 17:43:00 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2009/07/06 10:41:49 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
[2009/07/06 10:32:15 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{ad4ee9e5-49c7-4589-acf3-db9fa76a95c9}
[2009/07/06 11:03:16 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
[2009/07/13 22:04:37 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/07/07 00:21:37 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\elemhidehelper@adblockplus.org
[2009/01/30 11:58:03 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\moveplayer@movenetworks.com
[2009/07/06 10:57:12 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\oldAddBookmarkBehavior@alice
[2009/07/06 10:11:33 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mozilla\Firefox\Profiles\hcnl7txo.default\extensions\snaplinks@snaplinks.mozdev.org
[2009/06/09 12:15:29 | 00,001,741 | ---- | M] () -- C:\Users\Seshennu\AppData\Roaming\Mozilla\FireFox\Profiles\hcnl7txo.default\searchplugins\aol-search.xml
[2009/07/06 10:01:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/06/30 15:28:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
[2008/07/14 09:38:10 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2008/12/12 17:41:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/07 21:48:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2008/12/05 23:52:44 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/01/07 13:16:58 | 00,609,280 | ---- | M] (ArtistScope) -- C:\Program Files\mozilla firefox\plugins\npArtistScope42.dll
[2008/09/03 20:11:24 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2009/03/09 05:19:09 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/11/06 12:33:48 | 01,332,224 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2008/06/10 20:03:38 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2008/10/14 22:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2007/04/16 13:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP-Diags] C:\Program Files\Hewlett-Packard\HP Battery Check\HPDOM\HPDiags.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe (Lexmark)
O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QlbCtrl] File not found
O4 - HKLM..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Users\Seshennu\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\launcher.exe (soft thinks)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Windows\System32\wshbth.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/19 11:45:18 | 00,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 00,000,340 | -HS- | M] () - E:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[3 C:\ProgramData\*.tmp files]
[2009/07/20 15:33:53 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/07/20 15:33:53 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2009/07/20 15:33:53 | 00,000,000 | ---D | C] -- C:\Users\Seshennu\AppData\Local\temp
[2009/07/20 15:26:33 | 00,000,000 | --SD | C] -- C:\ComboFix
[2009/07/19 22:48:40 | 00,219,648 | ---- | C] () -- C:\Windows\PEV.exe
[2009/07/19 22:48:40 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/07/19 22:48:40 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/07/19 22:48:40 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/07/19 22:48:40 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/07/19 22:48:40 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/07/19 22:48:40 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/07/19 22:48:40 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/07/19 22:30:17 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/07/19 18:01:37 | 03,147,475 | R--- | C] () -- C:\Users\Seshennu\Desktop\ComboFix.exe
[2009/07/17 15:04:20 | 00,000,000 | ---D | C] -- C:\Users\Seshennu\Desktop\avz4
[2009/07/17 15:04:17 | 04,626,422 | ---- | C] () -- C:\Users\Seshennu\Desktop\avz4.zip
[2009/07/17 12:40:51 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\OTL.exe
[2009/07/17 12:37:55 | 00,469,504 | ---- | C] ( ) -- C:\Users\Seshennu\Desktop\RootRepeal.exe
[2009/07/17 12:29:44 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/07/17 12:28:55 | 00,000,735 | ---- | C] () -- C:\Users\Seshennu\Desktop\NTREGOPT.lnk
[2009/07/17 12:28:54 | 00,000,716 | ---- | C] () -- C:\Users\Seshennu\Desktop\ERUNT.lnk
[2009/07/17 12:28:51 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/07/17 12:21:22 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Users\Seshennu\Desktop\SysRestorePoint.exe
[2009/07/17 12:18:47 | 00,265,216 | ---- | C] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\TFC.exe
[2009/07/09 22:31:01 | 00,000,746 | ---- | C] () -- C:\Users\Seshennu\Desktop\Jarte.lnk
[2009/07/09 21:43:41 | 00,000,000 | ---D | C] -- C:\Users\Seshennu\AppData\Local\Apple Computer
[2009/07/09 21:42:32 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2009/07/09 21:42:32 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime

========== Files - Modified Within 14 Days ==========

[3 C:\ProgramData\*.tmp files]
[2009/07/20 15:39:15 | 00,042,088 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/07/20 15:32:20 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/07/20 15:30:28 | 00,716,948 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/07/20 15:30:28 | 00,618,648 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/07/20 15:30:28 | 00,104,024 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/07/20 15:24:37 | 00,000,146 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2009/07/20 15:23:30 | 00,003,200 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/07/20 15:23:30 | 00,003,200 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/07/20 15:23:20 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/07/20 15:23:12 | 00,369,584 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/20 15:22:47 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/07/20 15:21:30 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009/07/20 15:21:25 | 02,011,621 | -H-- | M] () -- C:\Users\Seshennu\AppData\Local\IconCache.db
[2009/07/19 18:02:03 | 03,147,475 | R--- | M] () -- C:\Users\Seshennu\Desktop\ComboFix.exe
[2009/07/17 15:03:34 | 04,626,422 | ---- | M] () -- C:\Users\Seshennu\Desktop\avz4.zip
[2009/07/17 12:41:02 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\OTL.exe
[2009/07/17 12:28:55 | 00,000,735 | ---- | M] () -- C:\Users\Seshennu\Desktop\NTREGOPT.lnk
[2009/07/17 12:28:54 | 00,000,716 | ---- | M] () -- C:\Users\Seshennu\Desktop\ERUNT.lnk
[2009/07/17 12:21:26 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Users\Seshennu\Desktop\SysRestorePoint.exe
[2009/07/17 12:18:58 | 00,265,216 | ---- | M] (OldTimer Tools) -- C:\Users\Seshennu\Desktop\TFC.exe
[2009/07/14 20:31:09 | 00,042,088 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/07/14 17:21:09 | 00,132,608 | ---- | M] () -- C:\Users\Seshennu\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/13 05:48:54 | 00,219,648 | ---- | M] () -- C:\Windows\PEV.exe
[2009/07/12 21:39:46 | 00,469,504 | ---- | M] ( ) -- C:\Users\Seshennu\Desktop\RootRepeal.exe

========== LOP Check ==========

[2009/07/19 22:43:19 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming
[2008/09/28 22:54:27 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\.bsnes
[2008/06/30 14:14:21 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\acccore
[2008/07/18 19:51:06 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Amazon
[2009/01/08 01:26:23 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Azureus
[2009/07/05 00:54:06 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\BitTorrent
[2008/07/07 14:58:22 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\CyberLink
[2008/07/03 15:13:50 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\DAEMON Tools
[2009/07/20 15:34:07 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\DNA
[2008/12/26 01:00:43 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\dvdcss
[2008/08/26 19:28:44 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\FaxCtr
[2009/07/20 01:12:11 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Jarte
[2008/08/24 22:07:04 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Lexmark Productivity Studio
[2006/11/02 08:37:34 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Media Center Programs
[2009/02/07 10:15:27 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\mIRC
[2008/07/01 15:54:00 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\NCH Software
[2009/06/17 14:58:58 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\OpenOffice.org2
[2008/07/03 21:50:14 | 00,000,000 | ---D | M] -- C:\Users\Seshennu\AppData\Roaming\Roxio
[2009/07/20 15:23:20 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/07/20 15:21:30 | 00,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >


Attached File: ComboFix.txt (70.21K)
Attached File: DrWeb.txt (638 bytes)
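The OTL log above is triaged by eye in this thread. As an added example (not part of the forum thread, and not OTL's own code), the Python below runs a first-pass triage over lines in that format: O1 hosts entries that are not the loopback `localhost` lines, O2 BHO and O4 Run entries whose target is `File not found` (orphaned, cleanup candidates) or that print an empty `()` publisher (no version resource, worth hashing and looking up), and O17 resolver addresses outside RFC 1918 space, which is where a DNS hijack behind search redirects like the ones reported here would surface. The regexes follow the line shapes visible in the log (OTL publishes no formal grammar, so they are an assumption); the sample lines are copied from the log with one constructed O17 `NameServer` line added, using a documentation address rather than a real resolver.

```python
"""Triage of OTL-style log lines: flag the entries a responder looks at first."""
import ipaddress
import re

# Line shapes as they appear in the OTL log above (assumption: OTL publishes
# no formal grammar, these regexes follow the visible format).
RE_HOSTS = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RE_BHO = re.compile(r"^O2 - BHO: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_RUN = re.compile(r"^O4 - (\S+?)\.\.\\(\S+?): \[(.*?)\]\s+(.*)$")
RE_DNS = re.compile(r"^O17 - \S+: (\w*NameServer) = (.*)$")
RE_TARGET = re.compile(r"^(.*)\s\(([^()]*)\)$")   # "<path> (<publisher>)"

# RFC 1918 plus loopback: what a home router hands out via DHCP.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: lines copied from the log above, plus one hypothetical
# O17 NameServer line (203.0.113.5 is a documentation address) for the DNS check.
SAMPLE = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe ()
O4 - HKLM..\Run: [QlbCtrl] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.5
"""


def split_target(target):
    """Split OTL's '<path> (<publisher>)' or '<path> File not found' tail.
    Returns (path, publisher, exists); publisher is '' when OTL printed '()',
    i.e. the file carries no company/version resource."""
    target = target.strip()
    if target.endswith("File not found"):
        return target[: -len("File not found")].strip(), None, False
    m = RE_TARGET.match(target)
    if m:
        return m.group(1).strip(), m.group(2).strip(), True
    return target, None, True


def triage(log_text):
    """Return a list of (severity, section, detail) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = RE_HOSTS.match(line)
        if m:
            ip, host = m.groups()
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                loopback = False
            if host.lower() != "localhost" or not loopback:
                findings.append(("high", "O1", f"non-default hosts entry: {ip} {host}"))
            continue
        m = RE_BHO.match(line)
        if m:
            name, clsid, target = m.groups()
            path, publisher, exists = split_target(target)
            if not exists:
                findings.append(("low", "O2", f"orphaned BHO {name} {clsid}: {path}"))
            elif not publisher:
                findings.append(("medium", "O2", f"BHO {name} has no publisher: {path}"))
            continue
        m = RE_RUN.match(line)
        if m:
            hive, key, value, target = m.groups()
            path, publisher, exists = split_target(target)
            where = f"{hive}\\{key} [{value}]"
            if not exists:
                findings.append(("low", "O4", f"{where}: target missing ({path or 'no path'})"))
            elif not publisher:
                findings.append(("medium", "O4", f"{where}: no publisher info, hash and look up {path}"))
            continue
        m = RE_DNS.match(line)
        if m:
            key, servers = m.groups()
            for s in re.split(r"[\s,]+", servers.strip()):
                try:
                    addr = ipaddress.ip_address(s)
                except ValueError:
                    continue
                if not any(addr in net for net in LAN_NETS):
                    findings.append(("review", "O17",
                                     f"{key} = {s} is not on the LAN; confirm it is "
                                     f"the ISP's or a known public resolver"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE):
        print(f"[{severity:6}] {section}: {detail}")
```

Nothing the script flags is proof of infection: the two `File not found` hits in this log are leftovers from an AVG component and an HP utility, and a non-LAN resolver is normal on a machine with static DNS. The point is to turn a 1,000-line log into the handful of entries worth a hash lookup or a manual check, which is what the helper in this thread did by hand.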

#11 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 21 July 2009 - 11:57 AM

Nice, that looks good. Are you experiencing any problems now?

#12 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 21 July 2009 - 12:56 PM

No problems that I can see. Windows is updating again, searches are going normally, and everything seems to be running quite smoothly. Thank you so much for all your help. Words can't express how happy I am.

Just one question, though: AVG found the three viruses that DrWeb had found and quarantined, and moved them to its own Virus Vault automatically during today's scan. I'm wondering if it's safe for them to be in there, or if I should empty the vault -- but I don't know if that would delete them permanently or if it would just release them again.

Thanks again. =)

#13 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 21 July 2009 - 01:03 PM

No, they are quite safe in quarantine; they can do no harm.

OK, now is the good time :rolleyes:

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep. For Dr Web, just delete the programme from your desktop.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that setting.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop-down box select your main drive, e.g. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done.

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.


THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit


To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe :)

#14 Seshennu

  • Group: Member
  • Posts: 8
  • Joined: 17-July 09

Posted 21 July 2009 - 03:14 PM

This is absolutely amazing. Thank you so much for your help; you're nothing short of a miracle worker, seriously. :)

#15 Essexboy

  • Group: GeekU Moderator
  • Posts: 55,570
  • Joined: 31-May 06

Posted 21 July 2009 - 03:50 PM

Shucks :)

Keep safe now :)
