"Your system is infected!" / Advanced Virus Remover [Sol



#1
Joe Klaus

Hi Geeks to Go, thanks in advance for all of your help!

Description of Problem:
Green Desktop Background with text reading: "Your System Is Infected! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use computer before all spyware removed."

Large red X in lower right tray, with popup reading "Click here to protect your compute from spyware! Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you."

Also seeing an "error" popup frequently when attempting to access files. "WARNING: Application cannot be executed. The file is infected. Please activate your antivirus software."

Finally, a series of popups was launched initially when the virus was seen, offering an "Advanced Virus Removal" software package to clean the system.

Steps Taken:
-When the virus popups began, I immediately disconnected the computer from the internet and network.
-Attempted to run Microsoft Malicious Spyware Toolkit. The application encountered a serious error and failed approximately 50% of the way through, while scanning Windows Media Player 9's .exe.
-Downloaded and ran Malwarebytes' Anti-Malware Quick Scan per the suggestion of another site. Re-ran the quick scan after a restart. (12 problems found the first time, 9 the second time)
-Began running Malwarebytes' Full Scan.
-Discovered your forum while the scan was running, read through the Cleaning Guide, and noticed the instruction not to run a full scan. Aborted the Full Scan approximately 1 hour into the scan.
-Followed steps 1-5 of Cleaning Guide.

MBAM Log:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

12/1/2009 12:51:25 PM
mbam-log-2009-12-01 (12-51-25).txt

Scan type: Quick Scan
Objects scanned: 132086
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Root Repeal Log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/01 19:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9DE7000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b0e8410

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba12887e

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8b0e7930

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8b0e78b8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8b0e86e0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8b0e7b88

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8b0e79a8

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8b0e8488

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b0e8320

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8b0e7b10

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8b0e8578

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8b0e7a98

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8b0e87d0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8b0e85f0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba128bfe

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8b0e8758

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8b0e8500

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8b0e8848

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8b0e8668

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8b0e8398

Hidden Services
-------------------
Service Name: xmyxjh
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==

OTL Log:
OTL logfile created on: 12/1/2009 7:05:44 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\klausj.TRD\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 127.88 Gb Free Space | 54.91% Space Free | Partition Type: NTFS
Drive D: | 2.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TRDPC27
Current User Name: klausj
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
PRC - [2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\system32\winupdate86.exe
PRC - [2009/09/21 10:00:51 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/05/07 04:09:48 | 01,597,608 | ---- | M] (Euro Plus d.o.o.) -- C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe
PRC - [2009/03/27 23:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:54:31 | 00,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/12/03 15:28:27 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2007/10/12 08:34:56 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2007/02/05 17:52:10 | 00,849,280 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2007/01/30 04:54:36 | 16,116,224 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/01/15 16:00:58 | 00,403,520 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
PRC - [2007/01/15 16:00:56 | 00,879,680 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
PRC - [2007/01/15 16:00:22 | 03,086,400 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\SPYSWEEPER.EXE
PRC - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/21 19:08:52 | 00,813,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2006/03/17 10:30:26 | 00,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
PRC - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/02/28 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2005/09/09 03:24:30 | 00,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
PRC - [2005/09/09 01:18:10 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
PRC - [2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/09/21 10:00:51 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/05/07 04:09:48 | 01,597,608 | ---- | M] (Euro Plus d.o.o.) -- C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe -- (LabelServices)
SRV - [2009/03/27 23:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2007/12/05 15:29:41 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2007/12/03 15:28:27 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/12 08:34:56 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2007/02/12 00:15:08 | 00,902,760 | ---- | M] (Autodesk, Inc.) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service)
SRV - [2007/01/15 16:00:56 | 00,879,680 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe -- (WebrootCommAgentService)
SRV - [2007/01/15 16:00:22 | 03,086,400 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe -- (WebrootSpySweeperService)
SRV - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/12/02 05:17:54 | 02,805,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/09/09 03:24:30 | 00,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)
SRV - [2004/10/22 05:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D0 FB 02 D8 48 E5 C9 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = trd2:8080

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090920.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/28 12:00:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/28 12:00:24 | 00,000,000 | ---D | M]

[2009/01/09 15:27:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Extensions
[2008/05/07 14:43:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\06f6kspi.default\extensions
[2009/11/30 11:44:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\8792pi9w.default\extensions
[2009/09/28 07:37:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\8792pi9w.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/11/30 11:44:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 11:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Seagull Drivers] C:\WINDOWS\ssdal_nc.exe ()
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpySweeperEnterprise] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE (Webroot Software, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\winhelper86.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\winhelper86.dll ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} http://www.3dpublish...ingsEnglish.cab (EModelNonVersionSpecificViewControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = trd.corp.bimba.com
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNtf.DLL - C:\WINDOWS\System32\WRLogonNtf.DLL (Webroot Software, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/21 06:41:20 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2f212fb2-dea0-11de-b62e-001d605b0a0f}\Shell\AutoRun\command - "" = J:\Install FreeAgent Tools.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/20 22:20:01 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: xmyxjh - C:\WINDOWS\system32\dlawzm.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17736372391510016)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/01 18:58:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/01 18:57:46 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/01 18:50:42 | 00,341,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\TFC.exe
[2009/12/01 18:50:42 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\klausj.TRD\Desktop\SysRestorePoint.exe
[2009/12/01 18:50:41 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
[2009/12/01 18:50:41 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\klausj.TRD\Desktop\RootRepeal.exe
[2009/12/01 18:50:38 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\klausj.TRD\Desktop\erunt_setup.exe
[2009/12/01 12:30:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Visual Studio 2005Projects
[2009/12/01 08:58:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\klausj.TRD\Application Data\Malwarebytes
[2009/12/01 08:58:19 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/01 08:58:18 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/01 08:58:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/01 08:58:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/19 15:22:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\klausj.TRD\Desktop\Carolina Print Ad
[2009/11/19 11:33:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\klausj.TRD\Desktop\ERP
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/01 19:00:01 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\settings.dat
[2009/12/01 18:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\AVR10.exe
[2009/12/01 18:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2009/12/01 18:56:17 | 00,195,547 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/01 18:56:17 | 00,002,854 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/01 18:55:57 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/01 18:53:09 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/01 18:53:08 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/01 18:52:23 | 09,961,472 | -H-- | M] () -- C:\Documents and Settings\klausj.TRD\NTUSER.DAT
[2009/12/01 18:52:20 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\klausj.TRD\ntuser.ini
[2009/12/01 18:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11942.exe
[2009/12/01 18:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\2995.exe
[2009/12/01 17:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\491.exe
[2009/12/01 17:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9961.exe
[2009/12/01 17:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\16827.exe
[2009/12/01 16:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23281.exe
[2009/12/01 16:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28145.exe
[2009/12/01 16:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5705.exe
[2009/12/01 15:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\24464.exe
[2009/12/01 15:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26962.exe
[2009/12/01 15:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\29358.exe
[2009/12/01 14:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11478.exe
[2009/12/01 14:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\15724.exe
[2009/12/01 14:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19169.exe
[2009/12/01 13:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
[2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
[2009/12/01 13:37:23 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\klausj.TRD\Desktop\RootRepeal.exe
[2009/12/01 13:35:57 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\klausj.TRD\Desktop\erunt_setup.exe
[2009/12/01 13:35:36 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\klausj.TRD\Desktop\SysRestorePoint.exe
[2009/12/01 13:35:14 | 00,341,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\TFC.exe
[2009/12/01 13:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
[2009/12/01 13:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2009/12/01 13:14:01 | 03,574,016 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe
[2009/12/01 13:09:31 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\e5s8zybl.exe
[2009/12/01 12:31:28 | 00,277,374 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\CurrentSettings-2009-12-01.vssettings
[2009/12/01 12:31:14 | 00,281,543 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\Exported-2009-12-01.vssettings
[2009/12/01 08:58:22 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/01 08:20:00 | 00,022,528 | ---- | M] () -- C:\WINDOWS\System32\winhelper86.dll
[2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\System32\winlogon86.exe
[2009/11/30 16:13:40 | 00,048,652 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\82-0000000018085E2EF038274F95197952BFD4E22F0700D7250C.pdf
[2009/11/30 15:26:51 | 00,004,096 | -H-- | M] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\keyfile3.drm
[2009/11/30 11:00:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/11/30 09:55:35 | 04,928,000 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\TRD_Master_Data_Load_TA (CRP1 Data Load).xls
[2009/11/23 16:16:42 | 09,572,352 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\Excel_Multiple_Array_Lookup.xls
[2009/11/23 11:07:15 | 00,000,751 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/20 22:23:33 | 00,000,224 | ---- | M] () -- C:\WINDOWS\QScreenCapt.ini
[2009/11/19 15:21:57 | 13,847,040 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\TRD_Master_Data_Load_TA.xls
[2009/11/19 08:26:57 | 01,460,025 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\Pricing_Binder1.pdf
[2009/11/18 12:11:33 | 00,054,209 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\SPEC61001 Model (1).pdf
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/01 19:00:01 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\settings.dat
[2009/12/01 18:56:17 | 00,002,854 | ---- | C] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/01 18:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11942.exe
[2009/12/01 18:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\2995.exe
[2009/12/01 17:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\491.exe
[2009/12/01 17:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9961.exe
[2009/12/01 17:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\16827.exe
[2009/12/01 16:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23281.exe
[2009/12/01 16:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28145.exe
[2009/12/01 16:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5705.exe
[2009/12/01 15:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\24464.exe
[2009/12/01 15:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26962.exe
[2009/12/01 15:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\29358.exe
[2009/12/01 14:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11478.exe
[2009/12/01 14:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\15724.exe
[2009/12/01 14:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19169.exe
[2009/12/01 13:14:34 | 03,574,016 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe
[2009/12/01 13:14:34 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\e5s8zybl.exe
[2009/12/01 12:31:28 | 00,277,374 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\CurrentSettings-2009-12-01.vssettings
[2009/12/01 12:31:14 | 00,281,543 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\Exported-2009-12-01.vssettings
[2009/12/01 10:07:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2009/12/01 09:47:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
[2009/12/01 09:27:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2009/12/01 09:07:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\AVR10.exe
[2009/12/01 08:58:22 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/01 08:20:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
[2009/12/01 08:19:59 | 00,022,528 | ---- | C] () -- C:\WINDOWS\System32\winhelper86.dll
[2009/12/01 08:19:47 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/01 08:19:47 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\winlogon86.exe
[2009/11/30 16:13:40 | 00,048,652 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\82-0000000018085E2EF038274F95197952BFD4E22F0700D7250C.pdf
[2009/11/30 09:31:26 | 04,928,000 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\TRD_Master_Data_Load_TA (CRP1 Data Load).xls
[2009/11/23 16:16:41 | 09,572,352 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\Excel_Multiple_Array_Lookup.xls
[2009/11/19 08:26:57 | 01,460,025 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\Pricing_Binder1.pdf
[2009/11/18 12:11:33 | 00,054,209 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\SPEC61001 Model (1).pdf
[2009/10/15 16:08:58 | 00,004,096 | -H-- | C] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\keyfile3.drm
[2009/08/27 09:03:41 | 00,182,580 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Application Data\debuggee.mdmp
[2009/03/03 12:45:38 | 00,000,031 | ---- | C] () -- C:\WINDOWS\bluevoda.ini
[2008/05/07 15:13:06 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/07 15:13:06 | 00,000,133 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\fusioncache.dat
[2008/05/07 14:43:10 | 00,012,800 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Application Data\Settings.cfg
[2008/02/14 09:47:26 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\cdTextCtl.dll
[2008/01/07 11:56:51 | 00,000,224 | ---- | C] () -- C:\WINDOWS\QScreenCapt.ini
[2007/12/03 16:36:00 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/12/03 16:10:38 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/12/03 16:07:50 | 00,000,025 | ---- | C] () -- C:\WINDOWS\PERF4490.ini
[2007/12/03 15:51:19 | 00,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/21 07:08:20 | 00,015,924 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/11/21 07:08:20 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/11/21 07:08:08 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/10/04 19:14:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/10/04 19:14:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/10/04 19:14:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/10/04 19:14:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/10/04 19:14:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/09/13 02:06:04 | 00,159,590 | RHS- | C] () -- C:\WINDOWS\System32\dlawzm.dll
[2007/01/12 04:14:56 | 00,022,720 | ---- | C] () -- C:\WINDOWS\System32\haspds_msi.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996/04/03 13:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2008/03/24 13:51:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2009/10/02 15:17:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/07/29 10:41:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EuroPlus
[2009/07/29 10:41:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Font Downloader
[2007/12/05 08:21:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2009/02/13 10:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PTI
[2007/12/03 14:48:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2008/03/25 09:56:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/19 10:57:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2009/07/29 10:42:39 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{5AA6E508-1A21-48C7-82CA-3E8E1188D6C5}
[2009/09/18 09:59:28 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2008/08/05 10:09:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Autodesk
[2009/03/23 13:14:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Canneverbe_Limited
[2008/05/07 14:43:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Dynamic
[2009/05/29 13:48:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\EDrawings
[2008/05/07 14:43:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\EPSON
[2008/05/07 14:43:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Opera
[2008/05/07 14:43:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Quark
[2009/11/05 14:47:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\SiteClasses
[2009/11/05 14:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Sites
[2008/05/07 14:43:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Viewpoint
[2008/05/07 14:43:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\vmntoolbar
[2009/11/30 11:00:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 07:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 07:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2007/09/13 02:09:28 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=5FD8684F1C5DD26509383F6CCDAEE3A3 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 07:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >

OTL Extras:
OTL Extras logfile created on: 12/1/2009 7:05:44 PM - Run 1
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\klausj.TRD\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 127.88 Gb Free Space | 54.91% Space Free | Partition Type: NTFS
Drive D: | 2.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TRDPC27
Current User Name: klausj
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.scr [@ = AutoCADScriptFile] -- C:\WINNT\system32\NOTEPAD.EXE File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1796:TCP" = 1796:TCP:*:Enabled:qukab

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"1796:TCP" = 1796:TCP:*:Enabled:qukab

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Visicom Media\AceFTP 3 Freeware\Aceftp3free.exe" = C:\Program Files\Visicom Media\AceFTP 3 Freeware\Aceftp3free.exe:*:Enabled:AceFTP v3 -- (Visicom Media Inc.)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe" = C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe:*:Enabled:Label Services -- (Euro Plus d.o.o.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Computer, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{0650BB10-BCF4-400A-85EE-04097E3046C6}" = Adobe Setup
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{11C98E1A-EC91-4B38-B44C-C562292D8453}" = Adobe Premiere Elements 2.0
"{1389C6A4-4965-4AEC-9175-08B54A10FA48}" = Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
"{15EFEBF6-E414-33EB-8710-A04AD1302BF8}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - enu
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}" = Adobe ExtendScript Toolkit 2
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{2274624C-5B38-41AD-AD27-CEC0924EB628}" = Adobe Setup
"{23959E96-A80F-4172-A655-210E9BB7BFBE}" = MSDN Library for Visual Studio 2005
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{437AB8E0-FB69-4222-B280-A64F3DE22591}" = Microsoft Visual Studio 2005 Professional Edition - ENU
"{44D4AF75-6870-41F5-9181-662EA05507E1}" = Microsoft Document Explorer 2005
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = EPSON Event Manager
"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)
"{55CD7DFE-1A9C-4C67-813B-FDABDBF75064}" = Webroot Spy Sweeper Enterprise Client
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5783F2D6-7028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2009
"{5783F2D7-6001-0409-0002-0060B0CE6BBA}" = AutoCAD 2008 - English
"{625386A4-B6B6-4911-A6E8-23189C3F2D15}" = Microsoft .NET Compact Framework 2.0
"{67EDD823-135A-4D59-87BD-950616D6E857}" = EPSON Copy Utility 3
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6C531060-84FB-4F96-8F33-29DF020632EB}" = Microsoft .NET Compact Framework 1.0 SP3 Developer
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75CC3CEC-171F-4AAE-98D1-C82435E42174}" = NiceLabel 5
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78B75C6D-E53C-424C-BF83-4B63BD4A6682}" = Microsoft Device Emulator version 1.0 - ENU
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7EC003A3-51E9-4019-BEC0-DF99B0DF5CCF}" = NVDVD
"{896D642C-7125-44F0-AC49-A23ABF82209C}" = CDBurnerXP Pro 3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.3
"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A38048C6-89D1-44EC-BC95-E95DD4A19B5E}" = QuarkXPress 7.31
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}" = Adobe Flash Player 9 ActiveX
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C314764F-2C47-44DA-BE37-F48BB7322BE4}_is1" = Screen Video Recorder 1.5
"{C40ECA0A-90C4-4B11-A28D-0F81A99C5A74}" = Data Dynamics ActiveReports for .NET 3.0
"{C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA}" = Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{C94E45B0-6AA6-4FB9-9AAE-22085F631880}" = VBA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D504303A-717D-414C-BA9F-FE01093E2EF8}" = Adobe Setup
"{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}" = RssReader
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E86BC406-944E-41F6-ADE6-2C136734C96B}" = EPSON File Manager
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"AceFTP 3 Freeware" = AceFTP 3 Freeware
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.2 Professional
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe_5bc0f8414ec36c555a3e7e5ec2e225e" = Adobe ExtendScript Toolkit 2
"Adobe_7328fdfcb73660ec8b11d5a3d5c6232" = Adobe Dreamweaver CS3
"Adobe_cbb2ea61da9c780bd7e47a5230a9ed7" = Adobe Stock Photos CS3
"Audacity_is1" = Audacity 1.2.6
"AutoCAD 2008 - English" = AutoCAD 2008 - English
"Autodesk Express Viewer" = Autodesk Express Viewer
"BlueVoda_Website_Builder_1.0" = BlueVoda Website Builder 10.2
"CamStudio" = CamStudio
"Click'N Design 3D (V5)" = Click'N Design 3D (V5)
"DWG TrueView 2009" = DWG TrueView 2009
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Document Explorer 2005" = Microsoft Document Explorer 2005
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"Microsoft Visual Studio 2005 Professional Edition - ENU" = Microsoft Visual Studio 2005 Professional Edition - ENU
"Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU" = Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"MSDN Library for Visual Studio 2005" = MSDN Library for Visual Studio 2005
"NiceLabel 5" = NiceLabel 5
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PremElem20" = Adobe Premiere Elements 2.0
"ViewpointMediaPlayer" = Viewpoint Media Player
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"vmntoolbar" = VMN Toolbar
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip Self-Extractor" = WinZip Self-Extractor
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ESPN Java Check" = ESPN Java Check
"GoToMeeting" = GoToMeeting 4.0.0.320
"JFreeChart 1.0.8 Demo" = JFreeChart 1.0.8 Demo

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/1/2009 1:14:33 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/1/2009 1:35:03 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/1/2009 1:35:04 PM | Computer Name = TRDPC27 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 12/1/2009 1:36:07 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/1/2009 2:52:51 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/1/2009 2:52:51 PM | Computer Name = TRDPC27 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 12/1/2009 2:54:46 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/1/2009 8:53:10 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 12/1/2009 8:53:10 PM | Computer Name = TRDPC27 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 12/1/2009 8:55:53 PM | Computer Name = TRDPC27 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ System Events ]
Error - 12/1/2009 8:51:19 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7034
Description = The SQL Server VSS Writer service terminated unexpectedly. It has
done this 1 time(s).

Error - 12/1/2009 8:51:19 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7034
Description = The Viewpoint Manager Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/1/2009 8:51:19 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7034
Description = The Webroot CommAgent Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/1/2009 8:51:20 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7034
Description = The FLEXnet Licensing Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/1/2009 8:51:21 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7034
Description = The Webroot Spy Sweeper Engine service terminated unexpectedly. It
has done this 2 time(s).

Error - 12/1/2009 8:53:10 PM | Computer Name = TRDPC27 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain TRD due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 12/1/2009 8:53:17 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7023
Description = The Center Security service terminated with the following error: %%1114

Error - 12/1/2009 8:53:17 PM | Computer Name = TRDPC27 | Source = Service Control Manager | ID = 7034
Description = The Webroot Spy Sweeper Engine service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/1/2009 8:53:33 PM | Computer Name = TRDPC27 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/1/2009 8:53:33 PM | Computer Name = TRDPC27 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >



Thank you very much for taking the time to assist me with this issue!


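The OTL log above is a fixed-width text format, so the indicators the helper's fix script goes after (zero-byte executables with numeric names dropped into System32 on a timer, an svchost.exe sitting on the Desktop, a recently created System32 binary with no company name, and a firewall exception named "qukab" opened to any source) can be pulled out mechanically. The following triage parser is an added example written for this thread; it is not OTL's code, not OldTimer's, and not something either poster ran. The file-line and firewall-line regexes follow the layouts visible in the log, SCAN_TIME is taken from the "OTL Extras logfile created on" header above, and the flagging rules, the one-day "recent" window and the cadence heuristic are the example author's own assumptions. The sample lines are copied from the log in this thread, plus one constructed clean driver line used as a control.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One OTL file entry: [date time | size | attrs | C|M] (Company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# One Windows Firewall GloballyOpenPorts value: "port:proto" = port:proto:scope:state:name
PORT_LINE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)" = \d+:(?:TCP|UDP):'
    r"(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)

# Scan time from the OTL Extras header in this thread (12/1/2009 7:05:44 PM).
SCAN_TIME = datetime(2009, 12, 1, 19, 5, 44)


def parse_file_line(line):
    """Parse one OTL file line into a dict, or return None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["ts"] = datetime.strptime(entry["ts"], "%Y/%m/%d %H:%M:%S")
    entry["name"] = entry["path"].rsplit("\\", 1)[-1]
    return entry


def flag_file(entry, scan_time=SCAN_TIME):
    """Return the reasons (assumed heuristics) an entry looks suspicious; empty if clean."""
    reasons = []
    path_l = entry["path"].lower()
    name_l = entry["name"].lower()
    in_system32 = "\\windows\\system32\\" in path_l
    is_binary = name_l.endswith((".exe", ".dll", ".sys"))
    if in_system32 and is_binary:
        if entry["size"] == 0:
            reasons.append("zero-byte executable in System32")
        if re.fullmatch(r"\d+\.exe", name_l):
            reasons.append("numeric-only executable name in System32")
        if entry["company"] == "" and scan_time - entry["ts"] < timedelta(days=1):
            reasons.append("recent executable in System32 with no company name")
    if name_l == "svchost.exe" and not path_l.startswith("c:\\windows\\system32\\"):
        reasons.append("svchost.exe outside System32")
    return reasons


def creation_cadence(timestamps):
    """Most common gap in whole minutes between consecutive timestamps and how often it occurs.
    A dropper that re-creates its payload on a timer leaves one dominant gap; None if fewer than two."""
    if len(timestamps) < 2:
        return None
    ts = sorted(timestamps)
    gaps = Counter(round((b - a).total_seconds() / 60) for a, b in zip(ts, ts[1:]))
    return gaps.most_common(1)[0]


def triage(log_text, scan_time=SCAN_TIME):
    """Walk an OTL log excerpt; return (flagged files, zero-byte creation cadence, suspicious open ports)."""
    flagged, ports, zero_byte_times = [], [], []
    for line in log_text.splitlines():
        entry = parse_file_line(line)
        if entry:
            reasons = flag_file(entry, scan_time)
            if reasons:
                flagged.append((entry["path"], reasons))
            if "zero-byte executable in System32" in reasons:
                zero_byte_times.append(entry["ts"])
            continue
        pm = PORT_LINE.match(line.strip())
        # An Enabled exception open to any source ("*") whose name is a bare string rather
        # than a Windows resource reference (@dll,-id) was not registered by a Windows component.
        if pm and pm["state"] == "Enabled" and pm["scope"] == "*" and not pm["name"].startswith("@"):
            ports.append((f"{pm['port']}/{pm['proto']}", pm["name"]))
    return flagged, creation_cadence(zero_byte_times), ports


# Sample input: lines copied from the OTL log in this thread, plus one constructed
# control line for a Microsoft-signed driver with an old timestamp (expected clean).
SAMPLE_LOG = r"""
[2009/12/01 18:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11942.exe
[2009/12/01 18:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\2995.exe
[2009/12/01 17:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\491.exe
[2009/12/01 17:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9961.exe
[2009/12/01 13:14:34 | 03,574,016 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe
[2009/12/01 09:07:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\AVR10.exe
[2009/12/01 08:19:47 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\winupdate86.exe
[2009/11/23 11:07:15 | 00,000,751 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\agp440.sys
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"1796:TCP" = 1796:TCP:*:Enabled:qukab
"""

if __name__ == "__main__":
    files, cadence, ports = triage(SAMPLE_LOG)
    for path, reasons in files:
        print(path, "->", "; ".join(reasons))
    print("zero-byte creation cadence (minutes, occurrences):", cadence)
    print("non-Windows firewall exceptions open to any source:", ports)
```

On the sample the parser flags the four numeric zero-byte files, AVR10.exe, winupdate86.exe and the Desktop svchost.exe, reports a dominant 20-minute creation gap among the zero-byte files (the same cadence visible in the full log above, which is what points at a scheduled dropper rather than a one-off copy), and reports 1796/TCP "qukab" as the only firewall exception open to any source that was not registered by Windows itself. The heuristics are deliberately narrow so the old unsigned NVIDIA and ASUS files in the "No Company Name" section do not trip them; widen the "recent" window only with the scan's File Age setting in mind.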
#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo..

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




OTL Fix step

Open OTL then do below..

Copy/paste the following into the Custom Scans/Fixes box and then click on Run Fix button.

:processes
explorer.exe

:OTL
PRC - [2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\winhelper86.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\winhelper86.dll ()
[2009/12/01 18:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\AVR10.exe
[2009/12/01 18:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\41.exe
[2009/12/01 18:56:17 | 00,195,547 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/12/01 18:56:17 | 00,002,854 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/01 18:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11942.exe
[2009/12/01 18:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\2995.exe
[2009/12/01 17:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\491.exe
[2009/12/01 17:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9961.exe
[2009/12/01 17:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\16827.exe
[2009/12/01 16:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23281.exe
[2009/12/01 16:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28145.exe
[2009/12/01 16:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5705.exe
[2009/12/01 15:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\24464.exe
[2009/12/01 15:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26962.exe
[2009/12/01 15:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\29358.exe
[2009/12/01 14:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11478.exe
[2009/12/01 14:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\15724.exe
[2009/12/01 14:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19169.exe
[2009/12/01 13:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
[2009/12/01 13:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
[2009/12/01 13:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2009/12/01 13:14:01 | 03,574,016 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe
[2009/12/01 13:09:31 | 00,292,352 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\e5s8zybl.exe
[2009/12/01 08:20:00 | 00,022,528 | ---- | M] () -- C:\WINDOWS\System32\winhelper86.dll
[2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\System32\winlogon86.exe
[2009/12/01 18:56:17 | 00,002,854 | ---- | C] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/01 18:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11942.exe
[2009/12/01 18:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\2995.exe
[2009/12/01 17:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\491.exe
[2009/12/01 17:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9961.exe
[2009/12/01 17:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\16827.exe
[2009/12/01 16:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23281.exe
[2009/12/01 16:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28145.exe
[2009/12/01 16:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5705.exe
[2009/12/01 15:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\24464.exe
[2009/12/01 15:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26962.exe
[2009/12/01 15:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\29358.exe
[2009/12/01 14:55:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11478.exe
[2009/12/01 14:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\15724.exe
[2009/12/01 14:15:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19169.exe
[2009/12/01 13:14:34 | 03,574,016 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe
[2009/12/01 13:14:34 | 00,292,352 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\e5s8zybl.exe
[2009/12/01 10:07:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2009/12/01 09:47:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
[2009/12/01 09:27:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2009/12/01 09:07:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\AVR10.exe
[2009/12/01 08:20:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\41.exe
[2009/12/01 08:19:59 | 00,022,528 | ---- | C] () -- C:\WINDOWS\System32\winhelper86.dll
[2009/12/01 08:19:47 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/01 08:19:47 | 00,027,136 | ---- | C] () -- C:\WINDOWS\System32\winlogon86.exe

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Let it run the fix. A log will then pop up on your screen after the fix finishes.. If it needs a reboot, just let it.. Post that log in your next reply...
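The :OTL section of the fix above is built from file-list lines that follow one visible pattern: zero-byte .exe files with random numeric names appearing in System32 every 20 minutes, plus unsigned binaries imitating Windows component names. As an added example (not from the thread and not part of OTL or The Comedian), this Python script parses OTL's `[date | size | attrs | M] (Company) -- path` lines, whose format is assumed from the log lines shown in this thread, and flags that pattern from a triage standpoint. The sample lines are copied from the thread's own OTL output.

```python
"""Triage heuristics for OTL file-list lines (added example, not OTL's own code)."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed line format, derived from the OTL output in this thread:
# [YYYY/MM/DD HH:MM:SS | size | attrs | M|C] (Company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Genuine Windows component names that malware commonly imitates.
WINDOWS_NAMES = {"winlogon", "svchost", "lsass", "csrss", "services"}

# Sample lines copied from the OTL log posted earlier in this thread.
SAMPLE_LOG = r"""
[2009/12/01 18:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\AVR10.exe
[2009/12/01 18:56:17 | 00,002,854 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
[2009/12/01 18:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11942.exe
[2009/12/01 18:15:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\2995.exe
[2009/12/01 17:55:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\491.exe
[2009/12/01 17:35:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9961.exe
[2009/12/01 13:14:01 | 03,574,016 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe
[2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\System32\winlogon86.exe
[2009/12/01 08:19:44 | 00,027,136 | ---- | M] () -- C:\WINDOWS\System32\winupdate86.exe
[2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
[2009/12/01 18:35:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11942.exe
"""


def parse_otl_line(line):
    """Return a dict for one OTL file line, or None if the line is not one."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "kind": m["kind"],  # M = modified list, C = created list
        "company": m["company"].strip(),  # empty means OTL found no company name
        "path": PureWindowsPath(m["path"]),
    }


def in_system32(path):
    """True when the file's parent directory is <drive>\\WINDOWS\\System32."""
    return [p.lower() for p in path.parts[-3:-1]] == ["windows", "system32"]


def is_numeric_stub(e):
    """Zero-byte .exe with an all-digit name and no company name, in System32."""
    p = e["path"]
    return (e["size"] == 0 and p.suffix.lower() == ".exe" and p.stem.isdigit()
            and not e["company"] and in_system32(p))


def is_lookalike(e):
    """A component name with digits appended (winlogon86.exe), or the exact
    component name sitting outside System32 (svchost.exe on a Desktop)."""
    p = e["path"]
    if e["company"] or p.suffix.lower() != ".exe":
        return False
    stem = p.stem.lower()
    if stem in WINDOWS_NAMES:
        return not in_system32(p)
    return any(stem.startswith(n) and stem[len(n):].isdigit() for n in WINDOWS_NAMES)


def periodic_interval(entries, tolerance=timedelta(seconds=5)):
    """If three or more timestamps are evenly spaced, return that spacing."""
    times = sorted(e["ts"] for e in entries)
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return gaps[0] if all(abs(g - gaps[0]) <= tolerance for g in gaps) else None


def triage(lines):
    """Run the heuristics over raw OTL lines and return a findings dict."""
    entries = [e for e in map(parse_otl_line, lines) if e]
    stubs = [e for e in entries if is_numeric_stub(e)]
    lookalikes = [e for e in entries if is_lookalike(e)]
    # Only the modified ("M") list is used for timing: the created ("C") list
    # repeats the same paths and would double-count them.
    interval = periodic_interval([e for e in stubs if e["kind"] == "M"])
    return {
        "stubs": sorted({str(e["path"]) for e in stubs}),
        "lookalikes": sorted({str(e["path"]) for e in lookalikes}),
        "interval_minutes": interval.total_seconds() / 60 if interval else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A regular creation interval is the useful signal here: it points at a still-running component that re-creates the stubs, which is why the fix above kills and moves the loader files rather than only the numbered stubs.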

#3
Joe Klaus

  • Topic Starter
  • Member
  • 22 posts
Thank you very much for your help so far fenzodahl512, I greatly appreciate it!

OTL Log:
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== OTL ==========
No active process named winupdate86.exe was found!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\winupdate86.exe deleted successfully.
C:\WINDOWS\system32\winupdate86.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
C:\WINDOWS\system32\winhelper86.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\ deleted successfully.
File C:\WINDOWS\System32\winhelper86.dll not found.
C:\WINDOWS\system32\AVR10.exe moved successfully.
C:\WINDOWS\system32\41.exe moved successfully.
C:\WINDOWS\system32\nvapps.xml moved successfully.
File C:\WINDOWS\System32\critical_warning.html not found.
C:\WINDOWS\system32\11942.exe moved successfully.
C:\WINDOWS\system32\2995.exe moved successfully.
C:\WINDOWS\system32\491.exe moved successfully.
C:\WINDOWS\system32\9961.exe moved successfully.
C:\WINDOWS\system32\16827.exe moved successfully.
C:\WINDOWS\system32\23281.exe moved successfully.
C:\WINDOWS\system32\28145.exe moved successfully.
C:\WINDOWS\system32\5705.exe moved successfully.
C:\WINDOWS\system32\24464.exe moved successfully.
C:\WINDOWS\system32\26962.exe moved successfully.
C:\WINDOWS\system32\29358.exe moved successfully.
C:\WINDOWS\system32\11478.exe moved successfully.
C:\WINDOWS\system32\15724.exe moved successfully.
C:\WINDOWS\system32\19169.exe moved successfully.
C:\WINDOWS\system32\26500.exe moved successfully.
C:\WINDOWS\system32\6334.exe moved successfully.
C:\WINDOWS\system32\18467.exe moved successfully.
File C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe not found.
C:\Documents and Settings\klausj.TRD\Desktop\e5s8zybl.exe moved successfully.
File C:\WINDOWS\System32\winhelper86.dll not found.
File C:\WINDOWS\System32\winupdate86.exe not found.
C:\WINDOWS\system32\winlogon86.exe moved successfully.
File C:\WINDOWS\System32\critical_warning.html not found.
File C:\WINDOWS\System32\11942.exe not found.
File C:\WINDOWS\System32\2995.exe not found.
File C:\WINDOWS\System32\491.exe not found.
File C:\WINDOWS\System32\9961.exe not found.
File C:\WINDOWS\System32\16827.exe not found.
File C:\WINDOWS\System32\23281.exe not found.
File C:\WINDOWS\System32\28145.exe not found.
File C:\WINDOWS\System32\5705.exe not found.
File C:\WINDOWS\System32\24464.exe not found.
File C:\WINDOWS\System32\26962.exe not found.
File C:\WINDOWS\System32\29358.exe not found.
File C:\WINDOWS\System32\11478.exe not found.
File C:\WINDOWS\System32\15724.exe not found.
File C:\WINDOWS\System32\19169.exe not found.
File C:\Documents and Settings\klausj.TRD\Desktop\svchost.exe not found.
File C:\Documents and Settings\klausj.TRD\Desktop\e5s8zybl.exe not found.
File C:\WINDOWS\System32\26500.exe not found.
File C:\WINDOWS\System32\6334.exe not found.
File C:\WINDOWS\System32\18467.exe not found.
File C:\WINDOWS\System32\AVR10.exe not found.
File C:\WINDOWS\System32\41.exe not found.
File C:\WINDOWS\System32\winhelper86.dll not found.
File C:\WINDOWS\System32\winupdate86.exe not found.
File C:\WINDOWS\System32\winlogon86.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: administrator.TRD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Dennis

User: klausj
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: klausj.TRD
->Temp folder emptied: 790193 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 9386567 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 1428 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 9.85 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.1.11.4 log created on 12022009_094555

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7c0.dat not found!
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Additional Information:
Error Message at Startup:
RUNDLL
An exception occurred while trying to run "C:\WINDOWS\system32\NvCpl.dll,NvStartup"

#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
Run Malwarebytes' again and remove everything that it found.. Then re-run OTL as you did the first time and post the resultant log here :)

#5
Joe Klaus

  • Topic Starter
  • Member
  • 22 posts
Thank you again fenzodahl512, things are looking better!

MBAM Log
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

12/2/2009 11:16:52 AM
mbam-log-2009-12-02 (11-16-52).txt

Scan type: Quick Scan
Objects scanned: 136718
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL Log
OTL logfile created on: 12/2/2009 11:19:14 AM - Run 2
OTL by OldTimer - Version 3.1.11.4 Folder = C:\Documents and Settings\klausj.TRD\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 127.72 Gb Free Space | 54.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 101.75 Gb Total Space | 26.50 Gb Free Space | 26.04% Space Free | Partition Type: NTFS

Computer Name: TRDPC27
Current User Name: klausj
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
PRC - [2009/10/28 12:00:21 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/21 10:00:52 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/09/21 10:00:51 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/05/07 04:09:48 | 01,597,608 | ---- | M] (Euro Plus d.o.o.) -- C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe
PRC - [2009/03/27 23:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:54:31 | 00,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/12/03 15:28:27 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2007/10/12 08:34:56 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2007/02/05 17:52:10 | 00,849,280 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2007/01/30 04:54:36 | 16,116,224 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/01/15 16:00:58 | 00,403,520 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
PRC - [2007/01/15 16:00:56 | 00,879,680 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
PRC - [2007/01/15 16:00:22 | 03,086,400 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\SPYSWEEPER.EXE
PRC - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/21 19:08:52 | 00,813,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2006/03/17 10:30:26 | 00,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
PRC - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/02/28 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2005/09/09 03:24:30 | 00,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
PRC - [2005/09/09 01:18:10 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
PRC - [2005/02/16 16:15:20 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/09/21 10:00:51 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/05/07 04:09:48 | 01,597,608 | ---- | M] (Euro Plus d.o.o.) -- C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe -- (LabelServices)
SRV - [2009/03/27 23:03:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2009/03/21 08:06:58 | 00,159,590 | RHS- | M] () -- C:\WINDOWS\system32\dlawzm.dll -- (xmyxjh)
SRV - [2008/11/24 21:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 21:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 21:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 21:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2007/12/05 15:29:41 | 00,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2007/12/03 15:28:27 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/12 08:34:56 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2007/02/12 00:15:08 | 00,902,760 | ---- | M] (Autodesk, Inc.) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe -- (Autodesk Network Licensing Service)
SRV - [2007/01/15 16:00:56 | 00,879,680 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe -- (WebrootCommAgentService)
SRV - [2007/01/15 16:00:22 | 03,086,400 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe -- (WebrootSpySweeperService)
SRV - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/12/02 05:17:54 | 02,805,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/02/28 12:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/09/09 03:24:30 | 00,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)
SRV - [2004/10/22 05:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D0 FB 02 D8 48 E5 C9 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = trd2:8080

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090920.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/28 12:00:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/28 12:00:24 | 00,000,000 | ---D | M]

[2009/01/09 15:27:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Extensions
[2008/05/07 14:43:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\06f6kspi.default\extensions
[2009/11/30 11:44:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\8792pi9w.default\extensions
[2009/09/28 07:37:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\8792pi9w.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/11/30 11:44:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 11:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Seagull Drivers] C:\WINDOWS\ssdal_nc.exe ()
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SpySweeperEnterprise] C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE (Webroot Software, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} http://www.3dpublish...ingsEnglish.cab (EModelNonVersionSpecificViewControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.50.250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = trd.corp.bimba.com
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNtf.DLL - C:\WINDOWS\System32\WRLogonNtf.DLL (Webroot Software, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/21 06:41:20 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/07/03 08:14:19 | 05,337,088 | ---- | M] () - Z:\Automated Sales Reports 2008 -seems to be fixed.xls -- [ NTFS ]
O32 - AutoRun File - [2006/11/01 12:50:00 | 05,080,576 | ---- | M] () - Z:\Automated Sales Reports.xls -- [ NTFS ]
O33 - MountPoints2\{2f212fb2-dea0-11de-b62e-001d605b0a0f}\Shell\AutoRun\command - "" = J:\Install FreeAgent Tools.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/20 22:20:01 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: xmyxjh - C:\WINDOWS\system32\dlawzm.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17736372391510016)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/02 09:45:55 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/02 09:43:42 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\klausj.TRD\Desktop\erunt-setup.exe
[2009/12/01 18:58:27 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/01 18:57:46 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/01 18:50:42 | 00,341,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\TFC.exe
[2009/12/01 18:50:42 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\klausj.TRD\Desktop\SysRestorePoint.exe
[2009/12/01 18:50:41 | 00,535,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
[2009/12/01 18:50:41 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\klausj.TRD\Desktop\RootRepeal.exe
[2009/12/01 18:50:38 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\klausj.TRD\Desktop\erunt_setup.exe
[2009/12/01 12:30:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Visual Studio 2005Projects
[2009/12/01 08:58:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\klausj.TRD\Application Data\Malwarebytes
[2009/12/01 08:58:19 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/01 08:58:18 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/01 08:58:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/01 08:58:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/19 15:22:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\klausj.TRD\Desktop\Carolina Print Ad
[2009/11/19 11:33:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\klausj.TRD\Desktop\ERP
[2009/11/18 17:53:42 | 00,000,000 | ---D | C] -- Z:\New Folder (2)
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/02 09:47:29 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/02 09:47:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/02 09:47:05 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/02 09:46:29 | 09,961,472 | -H-- | M] () -- C:\Documents and Settings\klausj.TRD\NTUSER.DAT
[2009/12/02 09:46:26 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\klausj.TRD\ntuser.ini
[2009/12/02 09:43:42 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\klausj.TRD\Desktop\erunt-setup.exe
[2009/12/02 09:43:24 | 00,794,112 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\The_Comedian.exe
[2009/12/02 09:36:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17673.exe
[2009/12/02 09:16:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\30333.exe
[2009/12/02 08:56:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\31322.exe
[2009/12/02 08:36:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23811.exe
[2009/12/02 08:16:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28703.exe
[2009/12/02 07:56:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9894.exe
[2009/12/02 07:36:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17035.exe
[2009/12/02 07:16:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26299.exe
[2009/12/02 06:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\25667.exe
[2009/12/02 06:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19912.exe
[2009/12/02 06:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\1869.exe
[2009/12/02 05:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11538.exe
[2009/12/02 05:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\14771.exe
[2009/12/02 05:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\21726.exe
[2009/12/02 04:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5447.exe
[2009/12/02 04:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19895.exe
[2009/12/02 04:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19718.exe
[2009/12/02 03:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18716.exe
[2009/12/02 03:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17421.exe
[2009/12/02 03:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\12382.exe
[2009/12/02 02:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\292.exe
[2009/12/02 02:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\153.exe
[2009/12/02 02:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\3902.exe
[2009/12/02 01:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\14604.exe
[2009/12/02 01:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\32391.exe
[2009/12/02 01:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5436.exe
[2009/12/02 00:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\4827.exe
[2009/12/01 19:00:01 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\settings.dat
[2009/12/01 13:41:50 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\OTL.exe
[2009/12/01 13:37:23 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\klausj.TRD\Desktop\RootRepeal.exe
[2009/12/01 13:35:57 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\klausj.TRD\Desktop\erunt_setup.exe
[2009/12/01 13:35:36 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\klausj.TRD\Desktop\SysRestorePoint.exe
[2009/12/01 13:35:14 | 00,341,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\klausj.TRD\Desktop\TFC.exe
[2009/12/01 12:31:28 | 00,277,374 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\CurrentSettings-2009-12-01.vssettings
[2009/12/01 12:31:14 | 00,281,543 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\Exported-2009-12-01.vssettings
[2009/12/01 08:58:22 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/30 16:13:40 | 00,048,652 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\82-0000000018085E2EF038274F95197952BFD4E22F0700D7250C.pdf
[2009/11/30 15:26:51 | 00,004,096 | -H-- | M] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\keyfile3.drm
[2009/11/30 11:00:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/11/30 09:55:35 | 04,928,000 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\TRD_Master_Data_Load_TA (CRP1 Data Load).xls
[2009/11/23 16:16:42 | 09,572,352 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\Excel_Multiple_Array_Lookup.xls
[2009/11/23 11:07:15 | 00,000,751 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/20 22:23:33 | 00,000,224 | ---- | M] () -- C:\WINDOWS\QScreenCapt.ini
[2009/11/20 09:50:55 | 03,639,052 | ---- | M] () -- Z:\Dennis_Version_2.pdf
[2009/11/19 15:21:57 | 13,847,040 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\TRD_Master_Data_Load_TA.xls
[2009/11/19 08:26:57 | 01,460,025 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\Pricing_Binder1.pdf
[2009/11/18 12:11:33 | 00,054,209 | ---- | M] () -- C:\Documents and Settings\klausj.TRD\Desktop\SPEC61001 Model (1).pdf
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/02 09:43:15 | 00,794,112 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\The_Comedian.exe
[2009/12/02 09:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17673.exe
[2009/12/02 09:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\30333.exe
[2009/12/02 08:56:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\31322.exe
[2009/12/02 08:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23811.exe
[2009/12/02 08:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28703.exe
[2009/12/02 07:56:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9894.exe
[2009/12/02 07:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17035.exe
[2009/12/02 07:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26299.exe
[2009/12/02 06:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\25667.exe
[2009/12/02 06:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19912.exe
[2009/12/02 06:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\1869.exe
[2009/12/02 05:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11538.exe
[2009/12/02 05:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\14771.exe
[2009/12/02 05:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\21726.exe
[2009/12/02 04:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5447.exe
[2009/12/02 04:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19895.exe
[2009/12/02 04:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19718.exe
[2009/12/02 03:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18716.exe
[2009/12/02 03:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17421.exe
[2009/12/02 03:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\12382.exe
[2009/12/02 02:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\292.exe
[2009/12/02 02:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\153.exe
[2009/12/02 02:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\3902.exe
[2009/12/02 01:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\14604.exe
[2009/12/02 01:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\32391.exe
[2009/12/02 01:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5436.exe
[2009/12/02 00:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\4827.exe
[2009/12/01 19:00:01 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\settings.dat
[2009/12/01 12:31:28 | 00,277,374 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\CurrentSettings-2009-12-01.vssettings
[2009/12/01 12:31:14 | 00,281,543 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\Exported-2009-12-01.vssettings
[2009/12/01 08:58:22 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/30 16:13:40 | 00,048,652 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\82-0000000018085E2EF038274F95197952BFD4E22F0700D7250C.pdf
[2009/11/30 09:31:26 | 04,928,000 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\TRD_Master_Data_Load_TA (CRP1 Data Load).xls
[2009/11/23 16:16:41 | 09,572,352 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\Excel_Multiple_Array_Lookup.xls
[2009/11/20 09:50:54 | 03,639,052 | ---- | C] () -- Z:\Dennis_Version_2.pdf
[2009/11/19 08:26:57 | 01,460,025 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\Pricing_Binder1.pdf
[2009/11/18 12:11:33 | 00,054,209 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\SPEC61001 Model (1).pdf
[2009/10/15 16:08:58 | 00,004,096 | -H-- | C] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\keyfile3.drm
[2009/08/27 09:03:41 | 00,182,580 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Application Data\debuggee.mdmp
[2009/03/03 12:45:38 | 00,000,031 | ---- | C] () -- C:\WINDOWS\bluevoda.ini
[2008/05/07 15:13:06 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/07 15:13:06 | 00,000,133 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Local Settings\Application Data\fusioncache.dat
[2008/05/07 14:43:10 | 00,012,800 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Application Data\Settings.cfg
[2008/02/14 09:47:26 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\cdTextCtl.dll
[2008/01/07 11:56:51 | 00,000,224 | ---- | C] () -- C:\WINDOWS\QScreenCapt.ini
[2007/12/03 16:36:00 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/12/03 16:10:38 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/12/03 16:07:50 | 00,000,025 | ---- | C] () -- C:\WINDOWS\PERF4490.ini
[2007/12/03 15:51:19 | 00,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/21 07:08:20 | 00,015,924 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/11/21 07:08:20 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/11/21 07:08:08 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/10/04 19:14:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/10/04 19:14:00 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/10/04 19:14:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/10/04 19:14:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/10/04 19:14:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/09/13 02:06:04 | 00,159,590 | RHS- | C] () -- C:\WINDOWS\System32\dlawzm.dll
[2007/01/12 04:14:56 | 00,022,720 | ---- | C] () -- C:\WINDOWS\System32\haspds_msi.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996/04/03 13:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2008/03/24 13:51:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2009/10/02 15:17:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2009/07/29 10:41:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EuroPlus
[2009/07/29 10:41:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Font Downloader
[2007/12/05 08:21:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2009/02/13 10:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PTI
[2007/12/03 14:48:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2008/03/25 09:56:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/19 10:57:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZipSE
[2009/07/29 10:42:39 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{5AA6E508-1A21-48C7-82CA-3E8E1188D6C5}
[2009/09/18 09:59:28 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2008/08/05 10:09:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Autodesk
[2009/03/23 13:14:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Canneverbe_Limited
[2008/05/07 14:43:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Dynamic
[2009/05/29 13:48:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\EDrawings
[2008/05/07 14:43:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\EPSON
[2008/05/07 14:43:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Opera
[2008/05/07 14:43:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Quark
[2009/11/05 14:47:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\SiteClasses
[2009/11/05 14:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Sites
[2008/05/07 14:43:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\Viewpoint
[2008/05/07 14:43:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\klausj.TRD\Application Data\vmntoolbar
[2009/11/30 11:00:48 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 07:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 07:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2007/09/13 02:09:28 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=5FD8684F1C5DD26509383F6CCDAEE3A3 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 07:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
OTL Fix step

Open OTL, then do as below..

Copy/paste the following into the Custom Scans/Fixes box and then click on the Run Fix button.

:processes
explorer.exe

:services
xmyxjh

:OTL
NetSvcs: xmyxjh - C:\WINDOWS\system32\dlawzm.dll ()
[2009/12/02 09:36:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17673.exe
[2009/12/02 09:16:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\30333.exe
[2009/12/02 08:56:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\31322.exe
[2009/12/02 08:36:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\23811.exe
[2009/12/02 08:16:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\28703.exe
[2009/12/02 07:56:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\9894.exe
[2009/12/02 07:36:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17035.exe
[2009/12/02 07:16:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\26299.exe
[2009/12/02 06:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\25667.exe
[2009/12/02 06:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19912.exe
[2009/12/02 06:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\1869.exe
[2009/12/02 05:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\11538.exe
[2009/12/02 05:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\14771.exe
[2009/12/02 05:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\21726.exe
[2009/12/02 04:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5447.exe
[2009/12/02 04:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19895.exe
[2009/12/02 04:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\19718.exe
[2009/12/02 03:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18716.exe
[2009/12/02 03:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\17421.exe
[2009/12/02 03:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\12382.exe
[2009/12/02 02:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\292.exe
[2009/12/02 02:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\153.exe
[2009/12/02 02:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\3902.exe
[2009/12/02 01:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\14604.exe
[2009/12/02 01:36:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\32391.exe
[2009/12/02 01:16:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\5436.exe
[2009/12/02 00:56:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\4827.exe
[2009/12/02 09:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17673.exe
[2009/12/02 09:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\30333.exe
[2009/12/02 08:56:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\31322.exe
[2009/12/02 08:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23811.exe
[2009/12/02 08:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\28703.exe
[2009/12/02 07:56:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\9894.exe
[2009/12/02 07:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17035.exe
[2009/12/02 07:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\26299.exe
[2009/12/02 06:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\25667.exe
[2009/12/02 06:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19912.exe
[2009/12/02 06:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\1869.exe
[2009/12/02 05:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\11538.exe
[2009/12/02 05:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\14771.exe
[2009/12/02 05:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\21726.exe
[2009/12/02 04:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5447.exe
[2009/12/02 04:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19895.exe
[2009/12/02 04:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\19718.exe
[2009/12/02 03:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\18716.exe
[2009/12/02 03:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17421.exe
[2009/12/02 03:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\12382.exe
[2009/12/02 02:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\292.exe
[2009/12/02 02:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\153.exe
[2009/12/02 02:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\3902.exe
[2009/12/02 01:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\14604.exe
[2009/12/02 01:36:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\32391.exe
[2009/12/02 01:16:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\5436.exe
[2009/12/02 00:56:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\4827.exe

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]

Let it run the fix. A log will then pop up on your screen after the fix finishes.. If it needs a reboot, just let it.. Post that log in your next reply...




Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
  • 0
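The fix script above removes two things the OTL log made visible: a run of zero-byte, all-numeric .exe files dropped into System32 at a fixed 20-minute cadence, and a hidden, system-attributed DLL (dlawzm.dll) with no company name that was registered as a NetSvcs service. As an added example, not part of this thread and not OTL's own code, here is a small Python parser for OTL file lines that flags both patterns and measures the gap between creation timestamps, which is how a defender can spot a scheduler-driven dropper from the log alone. The suspicious sample lines are copied from the log posted above; the two benign sample lines, the heuristics and the function names are my own constructions.

```python
import re
from datetime import datetime

# One OTL file entry per line, for example:
# [2009/12/02 09:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17673.exe
# fields: timestamp | size | attribute flags (R H S D) | C(reated)/M(odified) | (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def parse_otl_line(line):
    """Return a dict for one OTL file line, or None for headers and blank lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "kind": m.group("kind"),
        "company": m.group("company").strip(),
        "path": m.group("path"),
    }


def classify(entry):
    """Return a reason string when the entry matches a suspicious pattern, else None.

    Both heuristics are assumptions made for this example, based on what the
    log above showed, not rules shipped with OTL.
    """
    path = entry["path"]
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    in_system32 = "\\windows\\system32\\" in low
    if in_system32 and NUMERIC_EXE.match(name) and entry["size"] == 0 and not entry["company"]:
        return "zero-byte numeric .exe in System32"
    hidden_system = "H" in entry["attrs"] and "S" in entry["attrs"]
    if in_system32 and low.endswith(".dll") and hidden_system and not entry["company"]:
        return "hidden+system DLL in System32 with no company name"
    return None


def find_flagged(log_text):
    """Parse a whole OTL log and return [(reason, entry)] for every flagged line."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            flagged.append((reason, entry))
    return flagged


def creation_intervals(entries):
    """Seconds between consecutive 'C' (created) timestamps, oldest first.

    A constant gap across many drops points at a scheduled task or a timer in
    a resident process rather than at user activity.
    """
    created = sorted(e["ts"] for e in entries if e["kind"] == "C")
    return [int((b - a).total_seconds()) for a, b in zip(created, created[1:])]


# Sample input: the suspicious lines are copied from the OTL log in this thread;
# the first and last lines are benign entries constructed in the same format.
SAMPLE_LOG = r"""
[2009/12/02 09:43:15 | 00,794,112 | ---- | C] () -- C:\Documents and Settings\klausj.TRD\Desktop\The_Comedian.exe
[2009/12/02 09:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\17673.exe
[2009/12/02 09:16:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\30333.exe
[2009/12/02 08:56:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\31322.exe
[2009/12/02 08:36:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\23811.exe
[2007/09/13 02:06:04 | 00,159,590 | RHS- | C] () -- C:\WINDOWS\System32\dlawzm.dll
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\agp440.sys
"""

if __name__ == "__main__":
    hits = find_flagged(SAMPLE_LOG)
    for reason, e in hits:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}  {reason}: {e['path']}")
    numeric = [e for r, e in hits if r.startswith("zero-byte")]
    print("creation gaps (s):", creation_intervals(numeric))
```

To run it over a real log, read the saved OTL.txt into a string and pass it to `find_flagged`; the parser ignores the section headers and the `[1 C:\...\*.tmp files -> ...]` summary lines because they do not match the entry pattern. The 1200-second gaps the sample produces are the same 20-minute cadence visible in the thread's log.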

#7
Joe Klaus

Joe Klaus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thank you fenzodahl512, it feels like we're making great progress! I really appreciate your assistance!

OTL Fix Log
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
Service xmyxjh stopped successfully!
Service xmyxjh deleted successfully!
========== OTL ==========
xmyxjh removed from NetSvcs value successfully!
File move failed. C:\WINDOWS\system32\dlawzm.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\17673.exe moved successfully.
C:\WINDOWS\system32\30333.exe moved successfully.
C:\WINDOWS\system32\31322.exe moved successfully.
C:\WINDOWS\system32\23811.exe moved successfully.
C:\WINDOWS\system32\28703.exe moved successfully.
C:\WINDOWS\system32\9894.exe moved successfully.
C:\WINDOWS\system32\17035.exe moved successfully.
C:\WINDOWS\system32\26299.exe moved successfully.
C:\WINDOWS\system32\25667.exe moved successfully.
C:\WINDOWS\system32\19912.exe moved successfully.
C:\WINDOWS\system32\1869.exe moved successfully.
C:\WINDOWS\system32\11538.exe moved successfully.
C:\WINDOWS\system32\14771.exe moved successfully.
C:\WINDOWS\system32\21726.exe moved successfully.
C:\WINDOWS\system32\5447.exe moved successfully.
C:\WINDOWS\system32\19895.exe moved successfully.
C:\WINDOWS\system32\19718.exe moved successfully.
C:\WINDOWS\system32\18716.exe moved successfully.
C:\WINDOWS\system32\17421.exe moved successfully.
C:\WINDOWS\system32\12382.exe moved successfully.
C:\WINDOWS\system32\292.exe moved successfully.
C:\WINDOWS\system32\153.exe moved successfully.
C:\WINDOWS\system32\3902.exe moved successfully.
C:\WINDOWS\system32\14604.exe moved successfully.
C:\WINDOWS\system32\32391.exe moved successfully.
C:\WINDOWS\system32\5436.exe moved successfully.
C:\WINDOWS\system32\4827.exe moved successfully.
File C:\WINDOWS\System32\17673.exe not found.
File C:\WINDOWS\System32\30333.exe not found.
File C:\WINDOWS\System32\31322.exe not found.
File C:\WINDOWS\System32\23811.exe not found.
File C:\WINDOWS\System32\28703.exe not found.
File C:\WINDOWS\System32\9894.exe not found.
File C:\WINDOWS\System32\17035.exe not found.
File C:\WINDOWS\System32\26299.exe not found.
File C:\WINDOWS\System32\25667.exe not found.
File C:\WINDOWS\System32\19912.exe not found.
File C:\WINDOWS\System32\1869.exe not found.
File C:\WINDOWS\System32\11538.exe not found.
File C:\WINDOWS\System32\14771.exe not found.
File C:\WINDOWS\System32\21726.exe not found.
File C:\WINDOWS\System32\5447.exe not found.
File C:\WINDOWS\System32\19895.exe not found.
File C:\WINDOWS\System32\19718.exe not found.
File C:\WINDOWS\System32\18716.exe not found.
File C:\WINDOWS\System32\17421.exe not found.
File C:\WINDOWS\System32\12382.exe not found.
File C:\WINDOWS\System32\292.exe not found.
File C:\WINDOWS\System32\153.exe not found.
File C:\WINDOWS\System32\3902.exe not found.
File C:\WINDOWS\System32\14604.exe not found.
File C:\WINDOWS\System32\32391.exe not found.
File C:\WINDOWS\System32\5436.exe not found.
File C:\WINDOWS\System32\4827.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: administrator.TRD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Dennis

User: klausj
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: klausj.TRD
->Temp folder emptied: 817190 bytes
->Temporary Internet Files folder emptied: 1837056 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 30788166 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 8407915 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 222200993 bytes

Total Files Cleaned = 251.93 mb


OTL by OldTimer - Version 3.1.11.4 log created on 12032009_080638

Files\Folders moved on Reboot...
C:\WINDOWS\system32\dlawzm.dll moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_238.dat not found!
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Combo-Fix Log
ComboFix 09-12-02.08 - klausj 12/03/2009 8:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2866 [GMT -6:00]
Running from: c:\documents and settings\klausj.TRD\Desktop\12-01-09 Virus Fix\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-02 00:57 . 2009-12-02 15:44 -------- d-----w- c:\program files\ERUNT
2009-12-01 18:30 . 2009-12-01 18:30 -------- d-----w- c:\windows\system32\Visual Studio 2005Projects
2009-12-01 17:37 . 2008-04-13 19:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2009-12-01 17:37 . 2008-04-13 19:40 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\klausj.TRD\Application Data\Malwarebytes
2009-12-01 14:58 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 14:58 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 19:14 . 2008-01-07 17:50 -------- d-----w- c:\program files\Howies Quick Screen Capture
2009-11-30 17:00 . 2009-09-21 16:01 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-17 17:38 . 2007-12-03 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-05 20:47 . 2008-05-07 20:43 -------- d-----w- c:\documents and settings\klausj.TRD\Application Data\SiteClasses
2009-11-05 20:47 . 2008-05-07 20:43 -------- d-----w- c:\documents and settings\klausj.TRD\Application Data\Sites
2009-10-16 16:00 . 2009-09-21 16:00 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-09-29 18:32 . 2008-05-07 21:17 70984 ----a-w- c:\documents and settings\klausj.TRD\g2mdlhlpx.exe
2009-09-21 16:00 . 2009-09-21 16:00 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-09-21 16:00 . 2009-09-21 16:00 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-09-21 16:00 . 2009-09-21 16:00 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-21 16:00 . 2009-09-21 16:00 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-09-21 16:00 . 2009-09-21 16:00 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-09-17 19:53 . 2009-09-17 19:53 3262 ----a-r- c:\documents and settings\klausj.TRD\Application Data\Microsoft\Installer\{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}\_4ae13d6c.exe
2009-09-17 19:53 . 2009-09-17 19:53 3262 ----a-r- c:\documents and settings\klausj.TRD\Application Data\Microsoft\Installer\{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}\_294823.exe
2009-09-17 19:53 . 2009-09-17 19:53 3262 ----a-r- c:\documents and settings\klausj.TRD\Application Data\Microsoft\Installer\{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}\_18be6784.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Seagull Drivers"="ssdal_nc.exe startup" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"SpySweeperEnterprise"="c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE" [2007-01-15 403520]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-28 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norman ZANDA"=2 (0x2)
"Norman NJeeves"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1796:TCP"= 1796:TCP:qukab

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/18/2009 10:00 AM 64160]
R2 LabelServices;Label Services;c:\program files\Common Files\EuroPlus Shared\LblServices.exe [5/7/2009 4:09 AM 1597608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 9:56 AM 24652]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 16:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = trd2:8080
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\8792pi9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NiceLabel 5 - c:\documents and settings\All Users\Application Data\{5AA6E508-1A21-48C7-82CA-3E8E1188D6C5}\NiceLabel 5.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-_{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}
AddRemove-ESPN Java Check - c:\windows\system32\javaws.exe
AddRemove-JFreeChart 1.0.8 Demo - c:\windows\system32\javaws.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 08:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\WRLogonNtf.DLL

- - - - - - - > 'lsass.exe'(828)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-12-03 08:40
ComboFix-quarantined-files.txt 2009-12-03 14:40

Pre-Run: 137,172,389,888 bytes free
Post-Run: 137,149,001,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 276AAE81D93DE833165BD6B9F37653B5

#8 fenzodahl512 (Malware Removal, 9,863 posts)
Just a little bit more..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINDOWS\temp\hlktmp

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1796:TCP"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#9 Joe Klaus (Topic Starter, Member, 22 posts)

Quote: "A new HijackThis log."

I don't believe I've used HijackThis yet. Could you please provide instructions on how to perform this step?

Thanks!

#10 fenzodahl512 (Malware Removal, 9,863 posts)
Oops... Sorry, leave the HijackThis part alone and do the rest :) :)

#11 Joe Klaus (Topic Starter, Member, 22 posts)
:)

ComboFix Log
ComboFix 09-12-02.08 - klausj 12/03/2009 9:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2708 [GMT -6:00]
Running from: c:\documents and settings\klausj.TRD\Desktop\12-01-09 Virus Fix\Combo-Fix.exe
Command switches used :: c:\documents and settings\klausj.TRD\Desktop\12-01-09 Virus Fix\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.

2009-12-02 15:45 . 2009-12-02 15:45 -------- d-----w- C:\_OTL
2009-12-02 00:57 . 2009-12-02 15:44 -------- d-----w- c:\program files\ERUNT
2009-12-01 18:30 . 2009-12-01 18:30 -------- d-----w- c:\windows\system32\Visual Studio 2005Projects
2009-12-01 17:37 . 2008-04-13 19:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2009-12-01 17:37 . 2008-04-13 19:40 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\klausj.TRD\Application Data\Malwarebytes
2009-12-01 14:58 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 14:58 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 19:14 . 2008-01-07 17:50 -------- d-----w- c:\program files\Howies Quick Screen Capture
2009-11-30 17:00 . 2009-09-21 16:01 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-17 17:38 . 2007-12-03 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-05 20:47 . 2008-05-07 20:43 -------- d-----w- c:\documents and settings\klausj.TRD\Application Data\SiteClasses
2009-11-05 20:47 . 2008-05-07 20:43 -------- d-----w- c:\documents and settings\klausj.TRD\Application Data\Sites
2009-10-16 16:00 . 2009-09-21 16:00 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-09-29 18:32 . 2008-05-07 21:17 70984 ----a-w- c:\documents and settings\klausj.TRD\g2mdlhlpx.exe
2009-09-21 16:00 . 2009-09-21 16:00 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-09-21 16:00 . 2009-09-21 16:00 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-09-21 16:00 . 2009-09-21 16:00 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-09-21 16:00 . 2009-09-21 16:00 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-09-21 16:00 . 2009-09-21 16:00 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-09-17 19:53 . 2009-09-17 19:53 3262 ----a-r- c:\documents and settings\klausj.TRD\Application Data\Microsoft\Installer\{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}\_4ae13d6c.exe
2009-09-17 19:53 . 2009-09-17 19:53 3262 ----a-r- c:\documents and settings\klausj.TRD\Application Data\Microsoft\Installer\{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}\_294823.exe
2009-09-17 19:53 . 2009-09-17 19:53 3262 ----a-r- c:\documents and settings\klausj.TRD\Application Data\Microsoft\Installer\{D88857C8-B36B-42CE-AC26-9FFFEEDB181A}\_18be6784.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-03_14.35.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-07 01:24 . 2009-08-07 01:24 53472 c:\windows\SoftwareDistribution\SelfUpdate\Default\wuauclt.exe
+ 2009-08-07 01:24 . 2009-08-07 01:24 96480 c:\windows\SoftwareDistribution\SelfUpdate\Default\cdm.dll
+ 2009-08-07 01:23 . 2009-08-07 01:23 575704 c:\windows\SoftwareDistribution\SelfUpdate\Default\wuapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Seagull Drivers"="ssdal_nc.exe startup" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"SpySweeperEnterprise"="c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE" [2007-01-15 403520]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-28 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norman ZANDA"=2 (0x2)
"Norman NJeeves"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/18/2009 10:00 AM 64160]
R2 LabelServices;Label Services;c:\program files\Common Files\EuroPlus Shared\LblServices.exe [5/7/2009 4:09 AM 1597608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 9:56 AM 24652]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 16:00]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = trd2:8080
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\klausj.TRD\Application Data\Mozilla\Firefox\Profiles\8792pi9w.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 09:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WRLogonNtf.DLL

- - - - - - - > 'lsass.exe'(824)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(6068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\commagent.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\spysweeper.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-12-03 09:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 15:42
ComboFix2.txt 2009-12-03 14:40

Pre-Run: 137,166,381,056 bytes free
Post-Run: 137,126,264,832 bytes free

- - End Of File - - 6A8E9B52982C5D47E93F0325362D3635
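The CFScript in post #8 deletes the firewall exception "1796:TCP" (display name "qukab") with the REGEDIT4 delete syntax `"name"=-`, and the post-fix log in post #11 no longer prints the GloballyOpenPorts key at all. The Python below is an added example, not part of this thread and not ComboFix's own logic: it parses the Reg Loading Points section of a ComboFix-style log, flags open-port exceptions whose display name is neither a Windows resource string (`@dll,-id`) nor on a reviewer-supplied allowlist, emits the matching `Registry::` stanza, and checks a later log to confirm the entry is gone. The sample log text is constructed from the entries shown in the thread (the 3389:TCP Remote Desktop line is added for contrast); the heuristic and the allowlist are assumptions, not something the helper or ComboFix uses.

```python
"""Audit Windows XP firewall GloballyOpenPorts entries in a ComboFix-style log.

Added example, not part of ComboFix. The heuristic (flag any exception whose
display name is not a Windows resource string or an allowlisted program) is an
assumption made for this example.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample modelled on the thread's pre-fix log; the 3389:TCP line is
# added to show what a legitimate, Windows-named exception looks like.
BEFORE_LOG = r"""
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1796:TCP"= 1796:TCP:qukab
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"""

# Constructed post-fix sample: the GloballyOpenPorts key is no longer printed.
AFTER_LOG = r"""
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"""

OPEN_PORTS_KEY = (
    r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
    r"\standardprofile\GloballyOpenPorts\List"
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<data>.*)$')


def parse_reg_sections(log: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value_data}} for REGEDIT4-style blocks."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            sections[current][val.group("name")] = val.group("data").strip()
    return sections


def flag_open_ports(
    sections: Dict[str, Dict[str, str]], allowlist: Iterable[str] = ()
) -> List[Tuple[str, str]]:
    """Return (port:proto, display_name) for exceptions that need a human look.

    XP stores each exception as port:proto:scope:state:name, so the display
    name is the last colon-separated field. Windows' own entries use a
    resource string (@dll,-id) there; random-looking names do not.
    """
    allowed = {name.lower() for name in allowlist}
    flagged = []
    for value_name, data in sections.get(OPEN_PORTS_KEY, {}).items():
        display = data.split(":")[-1] if data else ""
        if display.startswith("@") or display.lower() in allowed:
            continue
        flagged.append((value_name, display))
    return flagged


def cfscript_registry_stanza(flagged: List[Tuple[str, str]]) -> str:
    """Build the Registry:: stanza; "name"=- is REGEDIT4 for 'delete this value'."""
    lines = ["Registry::", f"[{OPEN_PORTS_KEY}]"]
    lines += [f'"{value_name}"=-' for value_name, _ in flagged]
    return "\n".join(lines)


def still_open(after_log: str, flagged: List[Tuple[str, str]]) -> List[str]:
    """Names from `flagged` that a post-fix log still lists under GloballyOpenPorts."""
    present = parse_reg_sections(after_log).get(OPEN_PORTS_KEY, {})
    return [value_name for value_name, _ in flagged if value_name in present]


if __name__ == "__main__":
    suspects = flag_open_ports(parse_reg_sections(BEFORE_LOG))
    for value_name, display in suspects:
        print(f"suspicious firewall exception {value_name} named {display!r}")
    print(cfscript_registry_stanza(suspects))
    print("still open after fix:", still_open(AFTER_LOG, suspects))
```

Run against the two samples it flags only "1796:TCP" (the Remote Desktop entry is skipped because its name is a Windows resource string), prints a stanza ending in `"1796:TCP"=-`, and reports nothing still open in the post-fix log. A program you recognise can be passed in `allowlist` to silence it; anything else that opens a listening port on a workstation deserves the same treatment the helper gave this one.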

#12 fenzodahl512 (Malware Removal, 9,863 posts)
Well.. How's the computer now? :)

Please do this step before you sleep or when you are not using the computer, as it will take quite a while.

Go to Kaspersky Online Scanner

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases


5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#13 Joe Klaus (Topic Starter, Member, 22 posts)
Overall things are running very smoothly... no browser redirects, no malicious-looking popups, and Windows Update works now too! Thank you very much for the quick and incredible assistance, you are awesome!!! The only potential issue I see is a popup when Windows launches...

RUNDLL
An exception occurred while trying to run "C:\WINDOWS\system32\NvCpl.dll,NvStartup"


Other than that, things look fantastic! I'll set up the Kaspersky Online Scanner when I'm done on the computer today and will post a result log tomorrow. To confirm, I should make sure any external HDs are connected and running when I perform this scan? Also, should my thumb drive be attached and scanned?


Thank you!!

#14 fenzodahl512 (Malware Removal, 9,863 posts)
Quote: An exception occurred while trying to run "C:\WINDOWS\system32\NvCpl.dll,NvStartup"

OK, please remind me of this after you run Kaspersky Online.. It should be a simple registry fix :)

Quote: To confirm, I should make sure any external HDs are connected and running when I perform this scan? Also, should my thumb drive be attached and scanned?

Yup.. That's better :)

Edited by fenzodahl512, 03 December 2009 - 10:40 AM.


#15 Joe Klaus (Topic Starter, Member, 22 posts)
Hrmm... I began the Kaspersky Online scan last night, and came back to the computer this morning, which was at a Windows login screen. I don't see any logs, etc saved to my desktop... does this mean the scan did not run successfully for some reason?