
Malware: Advanced virus remover [Solved]

  • This topic is locked

#31
eyedoc71 (Member, Topic Starter, 47 posts)
Security check log

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!


``````````````````````````````
Anti-malware/Other Utilities Check:

CA Yahoo! Anti-Spy (remove only)
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Update Acrobat Reader, after seeing this.

Edited by eyedoc71, 22 August 2009 - 09:55 PM.



#32
chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)
Hi eyedoc71,

Doesn't look like you had much luck with AVG, can you try Avast or Avira? We need to get an antivirus on your system.

After you do that:

1) TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

2) JavaRa

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

3) Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.


  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

In your reply I would like to see, copied and pasted:

1) Kaspersky log
2) Antivirus status


#33
eyedoc71 (Member, Topic Starter, 47 posts)
Kaspersky log and AVG log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 23, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 23, 2009 22:03:11
Records in database: 2681757
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: Infected:
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 55124
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 03:03:15


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\drivers\wanatw4.sys Infected: Rootkit.Win32.Agent.ozw 1

Selected area has been scanned.



AVG


Scan "Scheduled scan" was finished.
Infections;"12";"12";"0"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Sunday, August 23, 2009, 2:00:00 AM"
Scan finished:;"Sunday, August 23, 2009, 3:58:45 AM (1 hour(s) 58 minute(s) 44 second(s))"
Total object scanned:;"455611"
User who launched the scan:;"SYSTEM"

Infections
File;"Infection";"Result"
C:\Qoobox\Quarantine\C\ekxfnpkm.exe.vir;"Trojan horse Generic14.AABF";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir;"Trojan horse Generic14.YYO";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir;"Trojan horse Downloader.Zlob.AOFP";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\svchast.exe.vir;"Trojan horse Downloader.Zlob.AODL";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir;"Trojan horse Generic14.YYO";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir;"Trojan horse Generic14.RKO";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir;"Trojan horse Downloader.Generic8.BIWH";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir;"Trojan horse PSW.Generic7.VFY";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir;"Trojan horse Generic14.XDU";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir;"Trojan horse SHeur2.AXJN";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir;"Trojan horse Generic14.AADX";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\yihw.exe.vir;"Trojan horse SpamBot.W";"Moved to Virus Vault"

Edited by eyedoc71, 23 August 2009 - 10:27 PM.

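The Kaspersky and AVG reports above use different formats, and most of the hits are copies that ComboFix had already moved into C:\Qoobox\Quarantine (the .vir suffix). The Python below is an added example, not from this thread or from any of the tools it mentions: it parses both report formats and separates hits still live on disk from quarantined ones; the quarantine-path heuristic, the Hit record and the trimmed sample rows are this example's own.

```python
"""Triage scanner reports of the kind posted in this thread.

Constructed sample input: trimmed copies of the Kaspersky Online Scanner 7.0
and AVG 8 report formats shown above. The parsing and the quarantine
heuristic are this example's own, not part of either product.
"""
import csv
import re
from io import StringIO
from typing import List, NamedTuple, Tuple

# Kaspersky prints one "path Infected: threat count" line per hit.
KASPERSKY_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\drivers\wanatw4.sys Infected: Rootkit.Win32.Agent.ozw 1

Selected area has been scanned.
"""

# AVG exports a semicolon-separated table with quoted fields.
AVG_REPORT = r"""
Infections
File;"Infection";"Result"
C:\Qoobox\Quarantine\C\ekxfnpkm.exe.vir;"Trojan horse Generic14.AABF";"Moved to Virus Vault"
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir;"Trojan horse Downloader.Zlob.AOFP";"Moved to Virus Vault"
"""


class Hit(NamedTuple):
    path: str
    threat: str
    scanner: str
    action: str  # what the scanner itself did with the object


KASPERSKY_LINE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Folders other cleanup tools use to park neutralised files (assumed markers).
# ComboFix renames quarantined copies with a .vir suffix, so that suffix is
# treated the same way.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\$avg8.vault$\\")


def parse_kaspersky(report: str) -> List[Hit]:
    hits = []
    for line in report.splitlines():
        m = KASPERSKY_LINE.match(line.strip())
        if m:
            # The online scanner only reports; it never disinfects.
            hits.append(Hit(m["path"], m["threat"], "Kaspersky", "reported only"))
    return hits


def parse_avg(report: str) -> List[Hit]:
    hits = []
    for row in csv.reader(StringIO(report), delimiter=";", quotechar='"'):
        if len(row) != 3 or row[0] == "File":  # skip blanks, titles, header
            continue
        path, threat, result = row
        hits.append(Hit(path, threat, "AVG", result))
    return hits


def is_quarantined(path: str) -> bool:
    p = path.lower()
    return p.endswith(".vir") or any(marker in p for marker in QUARANTINE_MARKERS)


def triage(hits: List[Hit]) -> Tuple[List[Hit], List[Hit]]:
    """Split hits into (still live on disk, already quarantined)."""
    live = [h for h in hits if not is_quarantined(h.path)]
    parked = [h for h in hits if is_quarantined(h.path)]
    return live, parked


def otm_files_section(live: List[Hit]) -> str:
    """Render the :Files block of an OTM script for the hits that need action."""
    return "\n".join([":Files"] + [h.path for h in live])


if __name__ == "__main__":
    all_hits = parse_kaspersky(KASPERSKY_REPORT) + parse_avg(AVG_REPORT)
    live, parked = triage(all_hits)
    print(f"{len(parked)} hit(s) already quarantined, {len(live)} still live:")
    for h in live:
        print(f"  {h.path}  [{h.threat} via {h.scanner}]")
    print(otm_files_section(live))
```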

#34
chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)
Hi,

Looking better. How are things running?

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\drivers\wanatw4.sys
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After that, run OTL again, select Minimal Output and run a Quick Scan.

#35
eyedoc71 (Member, Topic Starter, 47 posts)
Things are much better thanks! I think we are pretty much there.

OTM:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\system32\drivers\wanatw4.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Lamont
->Temp folder emptied: 247344252 bytes
->Temporary Internet Files folder emptied: 19590720 bytes
->Java cache emptied: 13647468 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 736 bytes
RecycleBin emptied: 129389062 bytes

Total Files Cleaned = 391.04 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08242009_084438

Files moved on Reboot...

Registry entries deleted on Reboot...



OTL:


OTL logfile created on: 8/24/2009 9:02:09 AM - Run 3
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Lamont\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.37 Mb Total Physical Memory | 68.05 Mb Available Physical Memory | 13.52% Memory free
1.20 Gb Paging File | 0.80 Gb Available in Paging File | 66.87% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.00 Gb Total Space | 18.43 Gb Free Space | 54.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DCLJT891
Current User Name: Lamont
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\wltrysvc.exe ()
PRC - C:\WINDOWS\System32\bcmwltry.exe (Dell Inc)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (Dell Inc.)
PRC - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (Rocket Division Software)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\internet explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\System32\WLTRAY.exe (Dell Inc)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe ()
PRC - C:\WINDOWS\System32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE ()
PRC - C:\Program Files\Yahoo!\YOP\yop.exe (Yahoo! Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\internet explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\browser\ycommon.exe (Yahoo!, Inc.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
PRC - C:\Documents and Settings\Lamont\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NICCONFIGSVC [Auto | Running]) -- C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (Dell Inc.)
SRV - (StarWindService [Auto | Running]) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (Rocket Division Software)
SRV - (wltrysvc [Auto | Running]) -- C:\WINDOWS\System32\wltrysvc.exe ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (YahooAUService [Auto | Running]) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/12 09:03:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/23 13:42:25 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc)
O4 - HKLM..\Run: [dla] C:\WINDOWS\System32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [YOP] C:\Program Files\Yahoo!\YOP\yop.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1197915349765 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1197915339796 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/08/24 08:44:38 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/08/24 08:41:13 | 00,408,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lamont\Desktop\OTM.exe
[2009/08/23 21:32:39 | 00,003,414 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\avglog.csv
[2009/08/23 21:23:36 | 00,003,110 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\Kaspersky.html
[2009/08/22 22:14:52 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/08/22 22:06:11 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/08/22 22:06:11 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/08/22 22:06:10 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/08/22 22:06:02 | 00,335,240 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/08/22 22:06:00 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/08/22 22:05:36 | 40,120,667 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/08/22 22:05:34 | 00,068,038 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/08/22 22:05:32 | 00,463,779 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/08/22 22:05:28 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/08/22 22:05:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/08/22 22:05:07 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/08/22 22:05:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/08/22 20:14:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/08/22 20:14:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2009/08/22 20:11:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/08/22 20:11:23 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/08/22 20:06:08 | 00,838,360 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\SecurityCheck.exe
[2009/08/22 15:49:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/08/22 15:49:18 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/22 14:12:55 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/08/22 14:12:52 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/08/22 14:12:48 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/08/22 14:10:53 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/08/22 14:10:03 | 03,182,166 | R--- | C] () -- C:\Documents and Settings\Lamont\Desktop\ComboFix.exe
[2009/08/22 13:33:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lamont\Local Settings\Application Data\Yahoo
[2009/08/22 13:04:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lamont\Application Data\AVG8
[2009/08/22 12:50:53 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/08/22 12:41:02 | 00,000,000 | --SD | C] -- C:\Combo-Fix
[2009/08/22 10:36:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lamont\Application Data\Malwarebytes
[2009/08/22 10:36:20 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/22 10:36:17 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/22 10:36:16 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/22 10:36:16 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/22 10:36:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/22 10:34:27 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\HijackThis.lnk
[2009/08/22 10:34:27 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/22 09:53:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/08/22 09:08:07 | 00,229,376 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/22 09:08:07 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/08/22 09:08:07 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/08/22 09:08:07 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/08/22 09:08:07 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/08/22 09:08:07 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/08/22 09:08:07 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/08/22 09:07:07 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/22 08:46:42 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Lamont\Desktop\HJTInstall.exe
[2009/08/21 18:48:53 | 00,145,408 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\SysProt.exe
[2009/08/21 18:45:57 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\gmer.exe
[2009/08/21 18:42:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/08/21 18:38:37 | 00,046,080 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\Win32kDiag.exe
[2009/08/21 12:19:23 | 00,000,000 | -HS- | C] () -- C:\1415949542
[2009/08/20 18:06:00 | 00,000,000 | ---D | C] -- C:\spoolerlogs
[2009/08/19 08:25:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lamont\Desktop\avz4
[2009/08/18 18:13:52 | 00,102,148 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\SystemLook.exe
[2009/08/17 17:37:08 | 00,186,880 | ---- | C] (CEXX.ORG) -- C:\Documents and Settings\Lamont\Desktop\LSPFix.exe
[2009/08/16 15:40:27 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/08/16 15:40:27 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/08/16 15:24:24 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\settings.dat
[2009/08/16 15:23:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/16 15:23:12 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\NTREGOPT.lnk
[2009/08/16 15:23:12 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Lamont\Desktop\ERUNT.lnk
[2009/08/16 15:23:11 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/16 14:27:01 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Lamont\Desktop\RootRepeal.exe
[2009/08/16 14:15:38 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lamont\Desktop\OTL.exe
[2009/08/16 14:14:33 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Lamont\Desktop\SysRestorePoint.exe
[2009/08/16 14:14:22 | 00,272,384 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lamont\Desktop\TFC.exe

========== Files - Modified Within 14 Days ==========

[2009/08/24 08:49:21 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/24 08:47:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/24 08:47:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/24 08:47:44 | 52,789,2480 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/24 08:41:21 | 00,408,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lamont\Desktop\OTM.exe
[2009/08/24 08:37:48 | 40,120,667 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/08/23 21:32:39 | 00,003,414 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\avglog.csv
[2009/08/23 21:23:36 | 00,003,110 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\Kaspersky.html
[2009/08/23 17:28:48 | 00,068,038 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/08/23 08:34:58 | 00,272,384 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lamont\Desktop\TFC.exe
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/08/22 22:06:11 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/08/22 22:06:11 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/08/22 22:06:10 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/08/22 22:06:03 | 00,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/08/22 22:06:00 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/08/22 22:05:34 | 00,463,779 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/08/22 22:05:32 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/08/22 20:06:08 | 00,838,360 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\SecurityCheck.exe
[2009/08/22 15:45:51 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/22 15:45:15 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/22 14:12:55 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/08/22 14:10:03 | 03,182,166 | R--- | M] () -- C:\Documents and Settings\Lamont\Desktop\ComboFix.exe
[2009/08/22 10:36:20 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/22 10:34:27 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\HijackThis.lnk
[2009/08/22 09:56:25 | 00,031,896 | ---- | M] () -- C:\Documents and Settings\Lamont\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/22 08:46:50 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Lamont\Desktop\HJTInstall.exe
[2009/08/21 18:38:41 | 00,046,080 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\Win32kDiag.exe
[2009/08/21 18:37:55 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/08/21 12:19:23 | 00,000,000 | -HS- | M] () -- C:\1415949542
[2009/08/18 18:13:52 | 00,102,148 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\SystemLook.exe
[2009/08/17 21:12:18 | 00,186,880 | ---- | M] (CEXX.ORG) -- C:\Documents and Settings\Lamont\Desktop\LSPFix.exe
[2009/08/17 10:36:30 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\gmer.exe
[2009/08/16 15:40:27 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/08/16 15:24:24 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\settings.dat
[2009/08/16 15:23:12 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\NTREGOPT.lnk
[2009/08/16 15:23:12 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Lamont\Desktop\ERUNT.lnk
[2009/08/16 14:22:53 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/16 14:15:41 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lamont\Desktop\OTL.exe
[2009/08/16 14:14:33 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Lamont\Desktop\SysRestorePoint.exe
[2009/08/13 11:14:18 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Lamont\Desktop\RootRepeal.exe

========== LOP Check ==========

[2009/08/22 22:05:05 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/11/23 10:35:21 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{56759C22-EA1E-4BE5-A903-72F67D450F43}
[2007/01/05 21:42:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2007/05/25 19:52:42 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2006/04/07 16:15:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2008/11/23 17:40:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2007/02/08 22:04:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2006/01/24 18:54:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2004/08/10 12:13:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2006/01/24 18:53:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/11/23 21:25:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/08/22 13:04:40 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Lamont\Application Data
[2006/03/08 22:45:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\Corel Photo Album
[2006/03/09 23:39:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\CyberLink
[2008/11/23 17:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\dvdcss
[2007/02/28 23:41:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\ImgBurn
[2006/03/08 22:36:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\Leadertech
[2008/12/23 19:42:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\Move Networks
[2007/02/11 18:53:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\OfficeUpdate12
[2008/12/04 22:17:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\RipIt4Me
[2006/04/08 21:21:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\SlySoft
[2009/07/14 20:58:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\U3
[2009/02/16 13:19:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lamont\Application Data\Vso
[2004/08/04 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2006/03/03 11:16:09 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
[2009/08/24 08:47:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Lamont\Desktop\LSPFix.exe:SummaryInformation
< End of report >
  • 0
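As an added example (not code from the thread or from OTL), here is a small parser for the entry format of the listing above, with a first-pass filter that pulls out entries worth a second look; SAMPLE_LOG copies lines from this log, and hits are review prompts rather than verdicts, since the helper judged this log clean.

```python
"""OTL "Files Created/Modified" listing parser plus a first-pass review filter.
Added example, not from the thread or from OTL; SAMPLE_LOG copies log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry: [date time | size | attrs | C/M] (company) -- path
# Directories carry no "(company)" group; attrs are the R, H, S, D slots.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$")

@dataclass
class OtlEntry:
    timestamp: str
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    kind: str      # 'C' = created, 'M' = modified
    company: str   # '' when OTL printed "()" or nothing at all
    path: str

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    a = m.group("attrs")
    return OtlEntry(timestamp=m.group("ts"),
                    size=int(m.group("size").replace(",", "")),
                    readonly=a[0] == "R", hidden=a[1] == "H",
                    system=a[2] == "S", is_dir=a[3] == "D",
                    kind=m.group("kind"),
                    company=(m.group("company") or "").strip(),
                    path=m.group("path"))

# Files Windows XP itself keeps hidden+system in the root of C:.
KNOWN_ROOT_HS = {"boot.ini", "hiberfil.sys", "pagefile.sys", "ntldr",
                 "ntdetect.com", "io.sys", "msdos.sys"}

def review_candidates(lines: List[str]) -> List[str]:
    """Paths worth a second look: hidden+system items in the drive root that are
    not standard XP boot files, and executables placed directly in C:\\WINDOWS
    with no vendor string.  A hit is a prompt to review, not a verdict: in this
    thread the C:\\WINDOWS hits are ComboFix's own helper tools."""
    hits = []
    for e in filter(None, map(parse_otl_line, lines)):
        parent, _, name = e.path.lower().rpartition("\\")
        if e.hidden and e.system and parent == "c:" and name not in KNOWN_ROOT_HS:
            hits.append(e.path)
        elif parent == "c:\\windows" and name.endswith(".exe") and not e.company:
            hits.append(e.path)
    return hits

SAMPLE_LOG = """\
[2009/08/22 09:08:07 | 00,229,376 | ---- | C] () -- C:\\WINDOWS\\PEV.exe
[2009/08/22 09:08:07 | 00,212,480 | ---- | C] (SteelWerX) -- C:\\WINDOWS\\SWXCACLS.exe
[2009/08/21 12:19:23 | 00,000,000 | -HS- | C] () -- C:\\1415949542
[2009/08/22 14:12:55 | 00,000,281 | RHS- | M] () -- C:\\boot.ini
[2009/08/22 10:36:16 | 00,000,000 | ---D | C] -- C:\\Program Files\\Malwarebytes' Anti-Malware
[2009/08/24 08:47:44 | 52,789,2480 | -HS- | M] () -- C:\\hiberfil.sys
""".splitlines()
```

Calling `review_candidates(SAMPLE_LOG)` returns the PEV.exe and C:\1415949542 entries; boot.ini and hiberfil.sys are skipped as standard XP root files.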

#36
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Looks good to me.

Now for the good news,

Congratulations, your logs appear clean!! :)

Clean up

Follow these steps to uninstall Combofix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Can you please also list back here any tools that OTC does not remove? You can then delete them.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact, it will warn you to check that you are sure you want to continue to a bad website.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

You should have a good anti-spyware program - We recommend Malwarebytes Anti-Malware and SUPERAntiSpyware.

MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

Winpatrol - Download and install the free version of Winpatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Spring Cleaning

TFC - Temp File Cleaner by OldTimer - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Auslogics Disk Defrag or JKDefrag - Two good disk defragmenters for you to choose from.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place
  • 0
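To show concretely what the MVPS HOSTS approach above does, here is an added example (not from the thread or from MVPS) that audits a HOSTS file: names sent to a loopback or blackhole address are blocks, while names sent anywhere else are redirects worth checking. The sample file is constructed.

```python
"""Audit a Windows HOSTS file: names mapped to a loopback/blackhole address are
blocked (the MVPS approach above); names mapped anywhere else are redirects and
deserve a look.  Added example, not from the thread or MVPS; sample is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that mean "block"

@dataclass
class HostsReport:
    blocked: List[str] = field(default_factory=list)
    redirected: List[Tuple[str, str]] = field(default_factory=list)  # (name, addr)
    malformed: List[int] = field(default_factory=list)               # 1-based lines

def audit_hosts(text: str) -> HostsReport:
    report = HostsReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            report.malformed.append(lineno)
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            report.malformed.append(lineno)
            continue
        for name in names:
            if addr in BLOCK_TARGETS:
                if name.lower() != "localhost":   # the stock XP entry, not a block
                    report.blocked.append(name)
            else:
                report.redirected.append((name, addr))
    return report

# Constructed sample; 198.51.100.7 is a documentation address, not a real host.
SAMPLE_HOSTS = """\
# Constructed sample, not a real MVPS file
127.0.0.1       localhost
127.0.0.1  ads.example.net        # blocked: loopback
0.0.0.0    tracker.example.org    # blocked: 0.0.0.0 form
198.51.100.7  www.example.com     # redirect: a real site sent elsewhere
this is not a mapping
"""
```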

#37
eyedoc71

eyedoc71

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Thank you for helping me!!!

Any advice on how to disinfect my usb drive?

Also, my original computer, the one this computer was infected from, had the same infection (Advanced Virus Remover). I was planning to address one at a time. It has crashed (it is in a cycle of continuous restarting and shutting down).
Any advice?

Again, thanks a lot.
  • 0

#38
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
You're very welcome!

Ok,

For the USB, plug it in before running this.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder... it will help protect your drives from future infection.


How long does the other computer stay online for?
  • 0
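The autorun.inf folder trick in the note above, as an added example (not from the thread or from Flash_Disinfector): inspect a drive root and report whether autorun.inf is absent, is the protective folder, or is a file, and if it is a file, which keys would launch a program. The drive roots are constructed in a temporary directory.

```python
"""Inspect a drive root for autorun.inf, the file Windows XP reads when the drive
is plugged in.  Flash_Disinfector's protection, described above, is to occupy that
name with a folder.  Added example, not from the thread or from Flash_Disinfector;
the sample drive roots are built in a temporary directory."""
import configparser
import tempfile
from pathlib import Path
from typing import Dict, List

LAUNCH_KEYS = ("open", "shellexecute")   # [autorun] keys that run a program

def inspect_autorun(root: Path) -> Dict[str, object]:
    """Return {'status': ..., 'launches': [...]} for the drive rooted at `root`."""
    target = root / "autorun.inf"
    if not target.exists():
        return {"status": "absent", "launches": []}
    if target.is_dir():                      # the folder Flash_Disinfector leaves
        return {"status": "protective-folder", "launches": []}
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        parser.read_string(target.read_text(encoding="utf-8", errors="replace"))
    except configparser.Error:
        return {"status": "file-unparseable", "launches": []}
    launches: List[str] = []
    # Section names are matched case-insensitively; keys are lower-cased by ConfigParser.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is not None:
        for key, value in parser.items(section):
            # open=/shellexecute= and shell\...\command= are the keys that run something
            if key in LAUNCH_KEYS or key.startswith("shell\\"):
                launches.append(f"{key}={value}")
    return {"status": "file", "launches": launches}

def demo_constructed_drives() -> Dict[str, Dict[str, object]]:
    """Build three constructed drive roots in a temp dir and inspect each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name in ("clean", "protected", "autorun-file"):
            (base / name).mkdir()
        (base / "protected" / "autorun.inf").mkdir()
        (base / "autorun-file" / "autorun.inf").write_text(
            "[AutoRun]\nopen=setup.exe\nicon=setup.exe\nshell\\open\\command=setup.exe\n")
        for name in ("clean", "protected", "autorun-file"):
            results[name] = inspect_autorun(base / name)
    return results
```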

#39
eyedoc71

eyedoc71

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Plug it in before running this. Did I read this right? Plug in the infected drive, then run the program, not start the program and then insert the infected drive?

I can boot up the other computer in safe mode; however, booting the normal way I get the Windows XP logo and then it restarts before I see the desktop, in an endless cycle.

Edited by eyedoc71, 24 August 2009 - 05:01 PM.

  • 0

#40
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
OK,

Let's start it in safe mode then.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again.


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box.
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#41
eyedoc71

eyedoc71

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Either I was mistaken or something is different; however, I cannot get to the desktop in safe mode. The same thing happens and I get a restart. FYI, Windows XP Home SP3.
  • 0

#42
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Let's see if we can clear some stuff off there in order to allow us to boot in.

OK then, two programmes to download:

FIRST

ISOBurner - this will allow you to burn the Dr Web ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

SECOND

Dr Web Live CD - download this and, using ISOBurner, burn it to CD. Usage instructions are here.

Having made the bootable CD, set your system to boot from CD. Do you know how to do this?

Once Dr Web starts select Dr.Web LiveCD (Default)

When the system is loaded, check disks or folders you want to scan and press Start

Notes :

The Midnight Commander file manager is used to work with files you need to copy to a safe location, i.e. if you need to back them up to a USB storage device.

If the operating system failed to configure access to your network, you can do it manually using Networks Configure Manager. Start->Settings->Networks Configure manager. This will enable you to get online if needed
  • 0

#43
eyedoc71

eyedoc71

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
My CD drive had been on the fritz already before the infection. Possibly a floppy option (old computer)?

I also have an external USB DVD drive; I don't know if that can be an option.

Edited by eyedoc71, 25 August 2009 - 09:57 PM.

  • 0

#44
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
That would be a good option. :)
  • 0

#45
eyedoc71

eyedoc71

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
On boot up, the DVD drive is not getting recognized. Any ideas? Thanks
  • 0





