Located and quarantined Trojan, still crazy bleeps on start up
#1 BearyFaery
Okay, hello, my name is Natalie and I've been the owner of a Thomas the Train (metaphorically) computer for nearly 6 years and I'd like to keep it alive a bit longer.

Presenting Symptoms: Couldn't run anything even remotely geared towards cleaning my computer. Was running AVG at the time, of course it didn't catch it (says my husband behind me). Everything in my computer slowed down. She's an old baby, so I decided to shut her down and give her a breather. When I cranked it back up it sounded like an Atari "pew pew pew" and I had this screen up saying I have a boot virus and how do I want to proceed blah blah.

Treatment: I booted in safe mode, ran AVG, nothing. Ran Malwarebytes Anti-malware, nothing. Said well okay, reboot in Safe mode with networking, ran Trendmicro house call. It located the [bleep] and said it took care of it. Reboot everything in normal mode, go to run housecall once more just to make sure, and now it won't let me run house call. Won't let me run malwarebytes either. Oh hey, AVG works, but nothing coming up there. Kicked AVG to the curb, downloaded Avast! (love it, like some bands just an anti-virus Arr pirates), gave me trouble downloading, moved to safe mode with networking, installed, then moved BACK to normal mode and ran it. It found the [bleep] again, cleaned it, and here we are running relatively normal. A little slower than before, but things are working again.

HOWEVER.

Residual complications: I still have Atari when I boot up my computer. Makes me think of Asteroids. I've run Avast! again! and Malwarebytes and even CCleaner for giggles and it is still showing up nothing. I sit and stare at the bugger sitting in the virus vault, taunting him, wondering if he's like that guy in the movie "Law Abiding Citizen", got into the vault just so he could mess with me even more.

Regardless. I hope this has been entertaining. I put a bit of system info in my profile (I can copy+paste). If you need more, tell me what it is and where I might find it and hopefully I can oblige you.

Oh, the little [bleep]'s name is Win32:FakeAlert-FW


[Edited for logs: Extras came with OTL so I attached it as well, not sure if necessary]



OTL logfile created on: 1/3/2010 4:01:34 PM - Run 1
OTL by OldTimer - Version 3.1.20.2 Folder = C:\Documents and Settings\bearyfaery\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

256.00 Mb Total Physical Memory | 38.00 Mb Available Physical Memory | 15.00% Memory free
620.00 Mb Paging File | 200.00 Mb Available in Paging File | 32.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 11.23 Gb Free Space | 15.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 74.52 Gb Total Space | 6.05 Gb Free Space | 8.12% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NATALIE
Current User Name: bearyfaery
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/03 15:59:00 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bearyfaery\My Documents\Downloads\OTL.exe
PRC - [2009/12/17 19:15:37 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/24 18:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/18 10:43:38 | 00,353,680 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/06 11:33:56 | 00,288,088 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/01/03 15:59:00 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bearyfaery\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 18:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/18 10:43:38 | 00,353,680 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe -- (cpextender)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/03/04 17:11:57 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2007/10/29 23:35:25 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "igoogle.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.52

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/30 18:48:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/17 19:15:52 | 00,000,000 | ---D | M]

[2008/08/26 17:25:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Extensions
[2010/01/02 17:56:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\extensions
[2009/12/09 19:55:57 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/01/02 17:56:51 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (768 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\bearyfaery\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\bearyfaery\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} https://portal.scdmh...LL/extender.cab (SlimClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/16 19:54:01 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\AutoRun\command - "" = I:\Autorun.exe -- File not found
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell00\Command - "" = I:\Autorun.exe -- File not found
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell01\Command - "" = I:\Autorun.exe -- File not found
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell02\Command - "" = I:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/10/29 23:41:04 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/03 15:05:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/03 15:05:22 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/01/02 15:09:52 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/02 15:09:45 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/02 15:09:38 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/02 15:08:34 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2010/01/02 15:07:59 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/02 15:07:58 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/02 15:07:57 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/02 15:07:57 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/02 15:06:16 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/02 15:05:08 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/02 14:40:15 | 00,308,160 | ---- | C] (ALWIL Software) -- C:\Documents and Settings\bearyfaery\Desktop\avast_home_setup.exe
[2010/01/02 13:16:55 | 00,206,608 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\TMPassthru.sys
[2010/01/02 13:16:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/02 13:10:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bearyfaery\Application Data\InstallShield
[2010/01/02 13:08:04 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/02 12:51:31 | 01,839,496 | ---- | C] (Trend Micro) -- C:\Documents and Settings\bearyfaery\Desktop\HousecallLauncher.exe
[2010/01/01 21:26:09 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\bearyfaery\Recent
[2010/01/01 20:15:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Star.Wars.ALL.MOViES.DVDRip.XviD
[2010/01/01 20:01:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee - The Music [2009][Volume 2][ITunes][MusicRoutes.Blogspot] [caprio4us]
[2010/01/01 19:17:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E12.HDTV.XviD-P0W4
[2010/01/01 16:20:45 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/12/27 23:58:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\edgynm
[2009/12/25 21:10:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Jumper[2008]DvDrip.AC3-aXXo
[2009/12/25 15:28:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Muse
[2007/01/14 14:19:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/11/22 10:00:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/05/20 23:28:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2004/09/24 06:59:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/07/28 04:49:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/03 15:05:31 | 00,000,802 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/01/03 15:05:25 | 00,000,646 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\NTREGOPT.lnk
[2010/01/03 15:05:25 | 00,000,627 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\ERUNT.lnk
[2010/01/03 14:56:49 | 00,096,256 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/03 14:18:41 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/03 14:17:26 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/03 14:17:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/03 14:17:10 | 26,801,3568 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/03 14:16:20 | 05,767,168 | -H-- | M] () -- C:\Documents and Settings\bearyfaery\NTUSER.DAT
[2010/01/03 14:15:59 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\bearyfaery\ntuser.ini
[2010/01/03 12:28:05 | 03,240,298 | -H-- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\IconCache.db
[2010/01/02 15:10:08 | 00,001,744 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
[2010/01/02 15:07:58 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/02 14:40:18 | 00,308,160 | ---- | M] (ALWIL Software) -- C:\Documents and Settings\bearyfaery\Desktop\avast_home_setup.exe
[2010/01/02 13:08:06 | 00,001,992 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\HiJackThis.lnk
[2010/01/02 12:53:21 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\housecall.guid.cache
[2010/01/02 12:51:34 | 01,839,496 | ---- | M] (Trend Micro) -- C:\Documents and Settings\bearyfaery\Desktop\HousecallLauncher.exe
[2010/01/01 20:04:03 | 36,767,6980 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E09.HDTV.XviD-2HD.[VTV].avi
[2009/12/30 18:54:38 | 00,043,304 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\target1.pdf
[2009/12/30 18:53:08 | 00,090,025 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\1 Inch Diamonds.pdf
[2009/12/30 18:52:38 | 00,016,648 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\rifle_target.pdf
[2009/12/30 18:52:20 | 00,014,762 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\pistol_target.pdf
[2009/12/30 18:51:50 | 00,092,117 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\15 Small Circles.pdf
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/27 22:31:22 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2009/12/23 13:50:15 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/20 18:18:41 | 17,829,0628 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\[DB]_Bleach_250_[B568DD26].avi

========== Files Created - No Company Name ==========

[2010/01/03 15:05:31 | 00,000,802 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/01/03 15:05:25 | 00,000,646 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\NTREGOPT.lnk
[2010/01/03 15:05:25 | 00,000,627 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\ERUNT.lnk
[2010/01/03 14:47:02 | 00,092,117 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\15 Small Circles.pdf
[2010/01/03 14:47:02 | 00,090,025 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\1 Inch Diamonds.pdf
[2010/01/03 14:47:02 | 00,043,304 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\target1.pdf
[2010/01/03 14:47:02 | 00,016,648 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\rifle_target.pdf
[2010/01/03 14:47:02 | 00,014,762 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\pistol_target.pdf
[2010/01/02 15:19:53 | 26,801,3568 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/02 15:10:08 | 00,001,744 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
[2010/01/02 15:06:16 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2010/01/02 13:08:06 | 00,001,992 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\HiJackThis.lnk
[2010/01/02 12:53:21 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\housecall.guid.cache
[2010/01/01 19:16:09 | 36,767,6980 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E09.HDTV.XviD-2HD.[VTV].avi
[2009/12/20 18:09:40 | 17,829,0628 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\[DB]_Bleach_250_[B568DD26].avi
[2008/08/20 16:32:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2007/12/03 21:38:45 | 00,001,799 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
[2007/11/25 23:56:48 | 00,000,059 | ---- | C] () -- C:\WINDOWS\EntPack.ini
[2007/10/31 11:20:10 | 00,096,256 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/30 22:44:32 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2007/10/30 22:29:24 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

========== LOP Check ==========

[2008/08/20 16:30:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\HotSync
[2007/11/19 00:38:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
[2009/11/01 20:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/04/18 22:19:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
[2009/10/26 19:35:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/29 17:00:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/05/25 21:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Aim
[2007/12/26 15:55:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Canon
[2008/09/16 07:30:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Check Point
[2009/10/31 17:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\FileZilla
[2008/08/18 21:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Flickr
[2008/08/20 16:27:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\HotSync
[2008/08/20 16:31:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Leadertech
[2009/09/29 19:37:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\mjusbsp
[2007/12/26 00:08:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Opera
[2007/11/19 00:38:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\PlayFirst
[2010/01/02 15:17:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 18:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 18:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 18:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B174FAE
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:60C47453
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74699137
< End of report >



OTL Extras logfile created on: 1/3/2010 4:01:34 PM - Run 1
OTL by OldTimer - Version 3.1.20.2 Folder = C:\Documents and Settings\bearyfaery\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

256.00 Mb Total Physical Memory | 38.00 Mb Available Physical Memory | 15.00% Memory free
620.00 Mb Paging File | 200.00 Mb Available in Paging File | 32.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 11.23 Gb Free Space | 15.07% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 74.52 Gb Total Space | 6.05 Gb Free Space | 8.12% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NATALIE
Current User Name: bearyfaery
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"6988:TCP" = 6988:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"6988:TCP" = 6988:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe" = C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe:*:Enabled:SSL Network Extender Service -- (Check Point Software Technologies)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Soulseek\slsk.exe" = C:\Program Files\Soulseek\slsk.exe:*:Disabled:SoulSeek -- File not found
"C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe" = C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe:*:Enabled:SSL Network Extender Service -- (Check Point Software Technologies)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Documents and Settings\bearyfaery\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\bearyfaery\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack -- (magicJack L.P.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33CF7CDF-9805-4500-9CC7-D19D52AD63C4}" = Canon Camera WIA Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{652C4ADF-0A29-4B02-9211-EE61675847DE}" = Canon Camera WIA Driver
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72dee693-a008-40dd-9ba2-e44aef2361a9}" = Check Point SSL Network Extender Service
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{83C03FBE-4492-4133-BBAB-421CD88ADA32}" = OpenOffice.org 2.3
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon Camera WIA Driver
"{bdd1702c-bcf5-4a65-8cce-1dddb8a18d53}" = Check Point Deployment Shell
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}" = Microsoft IntelliPoint 7.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"avast!" = avast! Antivirus
"CCleaner" = CCleaner
"DPP" = Canon Utilities Digital Photo Professional 3.0
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"FileZilla Client" = FileZilla Client 3.2.4.1
"InstallShield_{33CF7CDF-9805-4500-9CC7-D19D52AD63C4}" = Canon EOS Kiss_N REBEL_XT 350D WIA Driver
"InstallShield_{652C4ADF-0A29-4B02-9211-EE61675847DE}" = Canon EOS-1Ds Mark II WIA Driver
"InstallShield_{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon EOS 5D WIA Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"ODSK" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"PowerISO" = PowerISO
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"Registry Mechanic_is1" = Registry Mechanic 7.0
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"USB MP3 Player WIN98 Drivers" = USB MP3 Player WIN98 Drivers
"VLC media player" = VideoLAN VLC media player 0.8.6c
"WFTK" = Canon Utilities WFT-E1/E2 Utility
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/3/2009 9:32:35 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 2.3.9215.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2009 9:32:38 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 2.3.9215.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/9/2009 11:57:47 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/10/2009 11:31:49 AM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application magicJack.exe, version 1.80.499.2, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/11/2009 8:26:42 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/11/2009 8:28:33 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3526, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/11/2009 9:40:14 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1001
Description = Fault bucket 1442353534.

Error - 9/13/2009 10:35:01 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 2.3.9215.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/13/2009 10:35:02 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 2.3.9215.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/17/2009 10:04:44 PM | Computer Name = NATALIE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3526, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/3/2010 12:47:39 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034
Description = The Error Reporting Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 1/3/2010 12:47:39 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034
Description = The COM+ Event System service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/3/2010 12:47:40 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034
Description = The Fast User Switching Compatibility service terminated unexpectedly.
It has done this 1 time(s).

Error - 1/3/2010 12:47:40 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7031
Description = The Help and Support service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 100 milliseconds:
Restart the service.

Error - 1/3/2010 3:09:31 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 1/3/2010 3:09:31 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/3/2010 3:09:31 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7031
Description = The Check Point SSL Network Extender service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
500 milliseconds: Restart the service.

Error - 1/3/2010 3:09:31 PM | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 1/3/2010 3:09:31 PM | Computer Name = NATALIE | Source = VNA | ID = 1
Description = Check Point Virtual Network Adapter: Check Point Virtual Network Adapter:
get_nextlog-->

Error - 1/3/2010 3:09:31 PM | Computer Name = NATALIE | Source = VNA | ID = 1
Description = Check Point Virtual Network Adapter: -->: Unexpected IRP !!!


< End of report >



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-03 15:59:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\BEARYF~1\LOCALS~1\Temp\pxldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF78046B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF7804574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF7804A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF780414C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF780464E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF780408C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF78040F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF780476E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF780472E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF78048AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\00000043 820D2CB8
Device \Driver\ACPI \Device\00000046 820D2CB8
Device \Driver\ACPI \Device\00000054 820D2CB8
Device \Driver\ACPI \Device\00000061 820D2CB8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\00000062 820D2CB8
Device \Driver\ACPI \Device\00000049 820D2CB8
Device \Driver\ACPI \Device\00000057 820D2CB8
Device \Driver\ACPI \Device\00000058 820D2CB8
Device \Driver\ACPI \Device\00000059 820D2CB8
Device \Driver\ACPI \Device\0000004a 820D2CB8
Device \Driver\ACPI \Device\0000004b 820D2CB8
Device \Driver\ACPI \Device\0000004c 820D2CB8
Device \Driver\ACPI \Device\0000005a 820D2CB8
Device \Driver\ACPI \Device\0000005b 820D2CB8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\0000005d 820D2CB8

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\ACPI \Device\0000005e 820D2CB8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Attached Files
  • ark.txt (4.48KB)
  • OTL.Txt (50.24KB)
  • Extras.Txt (35.43KB)

Edited by chamber, 08 January 2010 - 04:03 AM.
Pasted in logs

#2
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
Hi,

Sorry for the delay,

Please run the MGA Diagnostic Tool and post the report it produces:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program.
  • Click Continue.
  • Ensure that the Windows tab is selected. (It should be by default.)
  • Click the Copy button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report into your next reply.


Download CKScanner from here

Important: Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

#3
BearyFaery
    New Member
  • Topic Starter
  • Member
  • 5 posts
Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-JRJRY-JX74Y-9W2BQ
Windows Product Key Hash: ooZQoJC4yJKV1Bh289tCHFE6PvE=
Windows Product ID: 55274-640-5337971-23248
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {A2EF1384-9E71-4D4D-B9DF-FFA067E2EA9C}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: http=127.0.0.1:5555
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A2EF1384-9E71-4D4D-B9DF-FFA067E2EA9C}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-9W2BQ</PKey><PID>55274-640-5337971-23248</PID><PIDType>1</PIDType><SID>S-1-5-21-776561741-602609370-725345543</SID><SYSTEM><Manufacturer>System Manufacturer</Manufacturer><Model>System Name</Model></SYSTEM><BIOS><Manufacturer>Award Software, Inc.</Manufacturer><Version>ASUS P4S533-X ACPI BIOS Revision 1004</Version><SMBIOSVersion major="2" minor="3"/><Date>20030224000000.000000+000</Date></BIOS><HWID>AED0338F0184A043</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1DF70:ASUSTeK Computer Inc|12E35:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A





CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\bearyfaery\my documents\my music\itunes\itunes music\music\compilations\itunes holiday sampler\17 the nutcracker, op. 71, act 2_ ch.m4a
c:\documents and settings\peachtech\favorites\the sims 2 + all current expansions (keys, cracks, cheats) - the pirate bay.url
scanner sequence 3.AA.11
----- EOF -----
#4
chamber
    Face Burnin' Malware Fighter
  • Visiting Consultant
  • 2,712 posts
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in:

    netsvcs
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

#5
BearyFaery
    New Member
  • Topic Starter
  • Member
  • 5 posts
OTL logfile created on: 1/9/2010 2:33:36 PM - Run 3
OTL by OldTimer - Version 3.1.22.0 Folder = C:\Documents and Settings\bearyfaery\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

256.00 Mb Total Physical Memory | 85.00 Mb Available Physical Memory | 33.00% Memory free
620.00 Mb Paging File | 304.00 Mb Available in Paging File | 49.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 10.38 Gb Free Space | 13.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 74.52 Gb Total Space | 6.05 Gb Free Space | 8.12% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NATALIE
Current User Name: bearyfaery
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\bearyfaery\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe (Check Point Software Technologies)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe (Adobe Systems Incorporated)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\bearyfaery\My Documents\Downloads\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (cpextender) -- C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe (Check Point Software Technologies)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (TermService) -- C:\WINDOWS\system32\termsrv32.dll (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (tclondrv) -- C:\WINDOWS\system32\DRIVERS\tclondrv.sys (TuneClone Software)
DRV - (Point32) -- C:\WINDOWS\system32\drivers\point32.sys (Microsoft Corporation)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (VNA) -- C:\WINDOWS\system32\drivers\vna.sys (Check Point Software Technologies)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (TMPassthruMP) -- C:\WINDOWS\system32\drivers\TMPassthru.sys (Trend Micro Inc.)
DRV - (TMPassthru) -- C:\WINDOWS\system32\drivers\TMPassthru.sys (Trend Micro Inc.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (smwdm) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (aeaudio) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (SCDEmu) -- C:\WINDOWS\system32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSFDPSP2.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSFCXTS2.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFBS2S2.sys (Conexant Systems, Inc.)
DRV - (SISNIC) -- C:\WINDOWS\system32\drivers\sisnic.sys (SiS Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SiS7018) Service for AC'97 Sample Driver (WDM) -- C:\WINDOWS\system32\drivers\ac97sis.sys (Silicon Integrated Systems Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "igoogle.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.52

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 21:29:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 21:29:17 | 00,000,000 | ---D | M]

[2008/08/26 17:25:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Extensions
[2010/01/08 18:29:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\extensions
[2009/12/09 19:55:57 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/01/09 12:18:49 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (768 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\bearyfaery\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} https://portal.scdmh...LL/extender.cab (SlimClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/16 19:54:01 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\AutoRun\command - "" = I:\Autorun.exe -- File not found
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell00\Command - "" = I:\Autorun.exe -- File not found
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell01\Command - "" = I:\Autorun.exe -- File not found
O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell02\Command - "" = I:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/10/29 23:41:04 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/08 18:51:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
[2010/01/03 15:05:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/02 15:09:52 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/02 15:09:45 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/02 15:09:38 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/02 15:08:34 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2010/01/02 15:07:59 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/02 15:07:58 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/02 15:07:57 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/02 15:07:57 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/02 15:06:16 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/02 15:05:08 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/02 14:40:15 | 00,308,160 | ---- | C] (ALWIL Software) -- C:\Documents and Settings\bearyfaery\Desktop\avast_home_setup.exe
[2010/01/02 13:16:55 | 00,206,608 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\TMPassthru.sys
[2010/01/02 13:16:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/02 13:10:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bearyfaery\Application Data\InstallShield
[2010/01/02 13:08:04 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/02 12:51:31 | 01,839,496 | ---- | C] (Trend Micro) -- C:\Documents and Settings\bearyfaery\Desktop\HousecallLauncher.exe
[2010/01/01 21:26:09 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\bearyfaery\Recent
[2010/01/01 20:15:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Star.Wars.ALL.MOViES.DVDRip.XviD
[2010/01/01 20:01:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee - The Music [2009][Volume 2][ITunes][MusicRoutes.Blogspot] [caprio4us]
[2010/01/01 19:17:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E12.HDTV.XviD-P0W4
[2010/01/01 16:20:45 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009/12/27 23:58:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\edgynm
[2009/12/25 21:10:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Jumper[2008]DvDrip.AC3-aXXo
[2009/12/25 15:28:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Muse
[2009/12/19 16:12:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Law Abiding Citizen (2009) DVDRip XviD-MAXSPEED
[2009/12/15 12:55:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/12 11:00:15 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2007/01/14 14:19:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/11/22 10:00:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/05/20 23:28:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2004/09/24 06:59:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/07/28 04:49:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/01/09 12:15:03 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/09 12:14:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/09 12:14:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/09 12:14:07 | 26,801,3568 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/08 20:49:50 | 05,767,168 | -H-- | M] () -- C:\Documents and Settings\bearyfaery\NTUSER.DAT
[2010/01/08 20:49:28 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\bearyfaery\ntuser.ini
[2010/01/08 20:48:57 | 03,775,224 | -H-- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\IconCache.db
[2010/01/08 20:01:44 | 00,096,256 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/08 20:01:41 | 36,715,1886 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E13.Sectionals.HDTV.XviD-FQM.[VTV].avi
[2010/01/07 15:30:01 | 36,767,6980 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E09.HDTV.XviD-2HD.[VTV].avi
[2010/01/02 15:10:08 | 00,001,744 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
[2010/01/02 15:07:58 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/02 14:40:18 | 00,308,160 | ---- | M] (ALWIL Software) -- C:\Documents and Settings\bearyfaery\Desktop\avast_home_setup.exe
[2010/01/02 12:53:21 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\housecall.guid.cache
[2010/01/02 12:51:34 | 01,839,496 | ---- | M] (Trend Micro) -- C:\Documents and Settings\bearyfaery\Desktop\HousecallLauncher.exe
[2009/12/30 18:54:38 | 00,043,304 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\target1.pdf
[2009/12/30 18:53:08 | 00,090,025 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\1 Inch Diamonds.pdf
[2009/12/30 18:52:38 | 00,016,648 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\rifle_target.pdf
[2009/12/30 18:52:20 | 00,014,762 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\pistol_target.pdf
[2009/12/30 18:51:50 | 00,092,117 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\15 Small Circles.pdf
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/27 22:31:22 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2009/12/23 13:50:15 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/20 18:18:41 | 17,829,0628 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\[DB]_Bleach_250_[B568DD26].avi
[2009/12/14 21:51:38 | 36,647,1030 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Lie.to.Me.S02E09.Fold.Equity.HDTV.XviD-FQM.[VTV].avi
[2009/12/12 11:26:27 | 00,023,188 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/11 23:13:01 | 36,699,3736 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Fringe.S02E10.Grey.Matters.HDTV.XviD-FQM.avi

========== Files Created - No Company Name ==========

[2010/01/07 17:44:46 | 36,715,1886 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E13.Sectionals.HDTV.XviD-FQM.[VTV].avi
[2010/01/03 14:47:02 | 00,092,117 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\15 Small Circles.pdf
[2010/01/03 14:47:02 | 00,090,025 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\1 Inch Diamonds.pdf
[2010/01/03 14:47:02 | 00,043,304 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\target1.pdf
[2010/01/03 14:47:02 | 00,016,648 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\rifle_target.pdf
[2010/01/03 14:47:02 | 00,014,762 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\pistol_target.pdf
[2010/01/02 15:19:53 | 26,801,3568 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/02 15:10:08 | 00,001,744 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
[2010/01/02 15:06:16 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2010/01/02 12:53:21 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\housecall.guid.cache
[2010/01/01 19:16:09 | 36,767,6980 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E09.HDTV.XviD-2HD.[VTV].avi
[2009/12/20 18:09:40 | 17,829,0628 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\[DB]_Bleach_250_[B568DD26].avi
[2009/12/14 21:50:53 | 36,647,1030 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Lie.to.Me.S02E09.Fold.Equity.HDTV.XviD-FQM.[VTV].avi
[2009/12/12 11:26:27 | 00,023,188 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/12 11:02:15 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2009/12/11 22:47:58 | 36,699,3736 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Fringe.S02E10.Grey.Matters.HDTV.XviD-FQM.avi
[2008/08/20 16:32:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2007/12/03 21:38:45 | 00,001,799 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
[2007/11/25 23:56:48 | 00,000,059 | ---- | C] () -- C:\WINDOWS\EntPack.ini
[2007/10/31 11:20:10 | 00,096,256 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/30 22:44:32 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2007/10/30 22:29:24 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

========== LOP Check ==========

[2008/08/20 16:30:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\HotSync
[2007/11/19 00:38:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
[2009/11/01 20:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/04/18 22:19:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
[2009/10/26 19:35:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/29 17:00:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/05/25 21:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Aim
[2007/12/26 15:55:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Canon
[2008/09/16 07:30:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Check Point
[2009/10/31 17:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\FileZilla
[2008/08/18 21:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Flickr
[2008/08/20 16:27:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\HotSync
[2008/08/20 16:31:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Leadertech
[2009/09/29 19:37:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\mjusbsp
[2007/12/26 00:08:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Opera
[2007/11/19 00:38:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\PlayFirst
[2010/01/08 20:49:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-12-09 08:21:50

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/08/29 18:14:16 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/29 18:14:16 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/08/29 18:14:16 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/29 18:14:16 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 18:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 18:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 18:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B174FAE
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:60C47453
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74699137
< End of report >

#6
chamber (Visiting Consultant)
Hi,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [RegistryMechanic] File not found
    O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\AutoRun\command - "" = I:\Autorun.exe -- File not found
    O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell00\Command - "" = I:\Autorun.exe -- File not found
    O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell01\Command - "" = I:\Autorun.exe -- File not found
    O33 - MountPoints2\{486690f4-869b-11dc-87bd-000c6e19b950}\Shell\Shell02\Command - "" = I:\Autorun.exe -- File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.



Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


#7
BearyFaery (Topic Starter)
OTL logfile created on: 1/11/2010 7:29:29 PM - Run 4
OTL by OldTimer - Version 3.1.22.0 Folder = C:\Documents and Settings\bearyfaery\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

256.00 Mb Total Physical Memory | 59.00 Mb Available Physical Memory | 23.00% Memory free
620.00 Mb Paging File | 298.00 Mb Available in Paging File | 48.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 10.39 Gb Free Space | 13.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 74.52 Gb Total Space | 6.05 Gb Free Space | 8.12% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NATALIE
Current User Name: bearyfaery
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\bearyfaery\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe (Check Point Software Technologies)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\bearyfaery\My Documents\Downloads\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (cpextender) -- C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe (Check Point Software Technologies)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (TermService) -- C:\WINDOWS\system32\termsrv32.dll (Microsoft Corporation)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "igoogle.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.52

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/06 21:29:17 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/06 21:29:17 | 00,000,000 | ---D | M]

[2008/08/26 17:25:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Extensions
[2010/01/11 19:04:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\extensions
[2009/12/09 19:55:57 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/01/11 19:04:14 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (768 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\bearyfaery\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} https://portal.scdmh...LL/extender.cab (SlimClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/16 19:54:01 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/11 19:14:49 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/08 18:51:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
[2010/01/03 15:05:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/02 15:09:52 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/02 15:09:45 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/02 15:09:38 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/02 15:08:34 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2010/01/02 15:07:59 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/02 15:07:58 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/02 15:07:57 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/02 15:07:57 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/02 15:06:16 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/02 15:05:08 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/02 14:40:15 | 00,308,160 | ---- | C] (ALWIL Software) -- C:\Documents and Settings\bearyfaery\Desktop\avast_home_setup.exe
[2010/01/02 13:16:55 | 00,206,608 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\TMPassthru.sys
[2010/01/02 13:16:40 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/01/02 13:10:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\bearyfaery\Application Data\InstallShield
[2010/01/02 13:08:04 | 00,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/01/02 12:51:31 | 01,839,496 | ---- | C] (Trend Micro) -- C:\Documents and Settings\bearyfaery\Desktop\HousecallLauncher.exe
[2010/01/01 21:26:09 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\bearyfaery\Recent
[2010/01/01 20:15:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Star.Wars.ALL.MOViES.DVDRip.XviD
[2010/01/01 20:01:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee - The Music [2009][Volume 2][ITunes][MusicRoutes.Blogspot] [caprio4us]
[2010/01/01 19:17:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E12.HDTV.XviD-P0W4
[2010/01/01 16:20:45 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2007/01/14 14:19:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/11/22 10:00:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/05/20 23:28:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2004/09/24 06:59:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/07/28 04:49:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/01/11 19:19:03 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/11 19:17:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/11 19:17:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/11 19:17:35 | 26,801,3568 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/11 19:16:46 | 05,767,168 | -H-- | M] () -- C:\Documents and Settings\bearyfaery\NTUSER.DAT
[2010/01/11 19:16:26 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\bearyfaery\ntuser.ini
[2010/01/08 20:48:57 | 03,775,224 | -H-- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\IconCache.db
[2010/01/08 20:01:44 | 00,096,256 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/08 20:01:41 | 36,715,1886 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E13.Sectionals.HDTV.XviD-FQM.[VTV].avi
[2010/01/07 15:30:01 | 36,767,6980 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E09.HDTV.XviD-2HD.[VTV].avi
[2010/01/02 15:10:08 | 00,001,744 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
[2010/01/02 15:07:58 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/01/02 14:40:18 | 00,308,160 | ---- | M] (ALWIL Software) -- C:\Documents and Settings\bearyfaery\Desktop\avast_home_setup.exe
[2010/01/02 12:53:21 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\housecall.guid.cache
[2010/01/02 12:51:34 | 01,839,496 | ---- | M] (Trend Micro) -- C:\Documents and Settings\bearyfaery\Desktop\HousecallLauncher.exe
[2009/12/30 18:54:38 | 00,043,304 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\target1.pdf
[2009/12/30 18:53:08 | 00,090,025 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\1 Inch Diamonds.pdf
[2009/12/30 18:52:38 | 00,016,648 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\rifle_target.pdf
[2009/12/30 18:52:20 | 00,014,762 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\pistol_target.pdf
[2009/12/30 18:51:50 | 00,092,117 | ---- | M] () -- C:\Documents and Settings\bearyfaery\Desktop\15 Small Circles.pdf
[2009/12/30 14:55:24 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/30 14:54:58 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/01/07 17:44:46 | 36,715,1886 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E13.Sectionals.HDTV.XviD-FQM.[VTV].avi
[2010/01/03 14:47:02 | 00,092,117 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\15 Small Circles.pdf
[2010/01/03 14:47:02 | 00,090,025 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\1 Inch Diamonds.pdf
[2010/01/03 14:47:02 | 00,043,304 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\target1.pdf
[2010/01/03 14:47:02 | 00,016,648 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\rifle_target.pdf
[2010/01/03 14:47:02 | 00,014,762 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Desktop\pistol_target.pdf
[2010/01/02 15:19:53 | 26,801,3568 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/02 15:10:08 | 00,001,744 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Antivirus.lnk
[2010/01/02 15:06:16 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2010/01/02 12:53:21 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\housecall.guid.cache
[2010/01/01 19:16:09 | 36,767,6980 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\Glee.S01E09.HDTV.XviD-2HD.[VTV].avi
[2008/08/20 16:32:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2007/12/03 21:38:45 | 00,001,799 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
[2007/11/25 23:56:48 | 00,000,059 | ---- | C] () -- C:\WINDOWS\EntPack.ini
[2007/10/31 11:20:10 | 00,096,256 | ---- | C] () -- C:\Documents and Settings\bearyfaery\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/30 22:44:32 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2007/10/30 22:29:24 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

========== LOP Check ==========

[2008/08/20 16:30:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\HotSync
[2007/11/19 00:38:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
[2009/11/01 20:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/04/18 22:19:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
[2009/10/26 19:35:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/29 17:00:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/05/25 21:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Aim
[2007/12/26 15:55:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Canon
[2008/09/16 07:30:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Check Point
[2009/10/31 17:02:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\FileZilla
[2008/08/18 21:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Flickr
[2008/08/20 16:27:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\HotSync
[2008/08/20 16:31:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Leadertech
[2009/09/29 19:37:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\mjusbsp
[2007/12/26 00:08:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\Opera
[2007/11/19 00:38:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\PlayFirst
[2010/01/08 20:49:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\bearyfaery\Application Data\uTorrent

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B174FAE
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:60C47453
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:74699137
< End of report >

ComboFix 10-01-11.01 - bearyfaery 01/11/2010 20:04:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.256.46 [GMT -5:00]
Running from: c:\documents and settings\bearyfaery\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100111-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\PeachTech\My Documents\ZbThumbnail.info
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1935655697-2147159999-725345543-1005
c:\windows\kb913800.exe

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-12 00:14 . 2010-01-12 00:14 -------- d-----w- C:\_OTL
2010-01-08 23:51 . 2010-01-08 23:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2010-01-02 20:09 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-02 20:09 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-02 20:09 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-02 20:08 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-02 20:07 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-02 20:07 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-02 20:07 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-02 20:07 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-02 20:06 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-02 20:05 . 2010-01-02 20:05 -------- d-----w- c:\program files\Alwil Software
2010-01-02 18:16 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-01-02 18:16 . 2010-01-02 18:16 -------- d-----w- c:\program files\Trend Micro
2010-01-02 18:10 . 2010-01-02 18:10 -------- d-----w- c:\documents and settings\bearyfaery\Application Data\InstallShield
2010-01-02 18:08 . 2010-01-02 18:08 -------- d-----w- c:\program files\TrendMicro
2010-01-01 22:56 . 2010-01-01 22:56 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-01-01 22:56 . 2010-01-01 22:56 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-01 22:15 . 2010-01-01 22:15 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-12-30 23:51 . 2009-12-30 23:51 -------- d-----w- c:\documents and settings\Administrator.NATALIE\Local Settings\Application Data\AVG Security Toolbar
2009-12-30 23:49 . 2009-12-30 23:49 -------- d-----w- c:\documents and settings\Administrator.NATALIE\Application Data\Malwarebytes
2009-12-30 23:48 . 2009-12-30 23:48 -------- d-----w- c:\documents and settings\Administrator.NATALIE\Local Settings\Application Data\Mozilla
2009-12-28 04:58 . 2010-01-01 21:57 -------- d-----w- c:\documents and settings\bearyfaery\Local Settings\Application Data\edgynm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 01:49 . 2007-10-30 04:04 -------- d-----w- c:\documents and settings\bearyfaery\Application Data\uTorrent
2010-01-08 23:35 . 2006-03-10 12:55 -------- d-----w- c:\program files\Java
2010-01-02 18:16 . 2003-07-27 19:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-02 18:15 . 2009-06-21 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 17:51 . 2009-06-01 23:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2010-01-02 01:39 . 2007-10-30 04:04 -------- d-----w- c:\program files\uTorrent
2009-12-30 19:55 . 2009-06-21 14:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54 . 2009-06-21 14:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 16:15 . 2006-05-16 18:50 -------- d-----w- c:\program files\CCleaner
2009-12-12 16:26 . 2009-12-12 16:26 23188 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-12 16:01 . 2006-03-03 20:03 -------- d-----w- c:\program files\iTunes
2009-12-12 16:00 . 2009-12-12 16:00 -------- d-----w- c:\program files\iPod
2009-12-12 16:00 . 2008-10-08 22:47 -------- d-----w- c:\program files\Common Files\Apple
2009-12-12 15:54 . 2006-03-03 20:10 -------- d-----w- c:\program files\QuickTime
2009-12-12 15:46 . 2009-12-12 15:46 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-29 01:12 . 2009-11-29 01:12 -------- d-----w- c:\documents and settings\bearyfaery\Application Data\dvdcss
2009-11-21 00:30 . 2007-10-30 04:26 -------- d-----w- c:\documents and settings\bearyfaery\Application Data\OpenOffice.org2
2009-11-21 00:28 . 2007-10-30 04:26 1 ----a-w- c:\documents and settings\bearyfaery\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-10-29 05:38 . 2007-02-18 21:39 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-03 23:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-03 23:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2007-02-18 21:37 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\PeachTech\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-18 113664]

c:\documents and settings\bearyfaery\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-4-18 113664]

[HKLM\~\startupfolder\C:^Documents and Settings^bearyfaery^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\bearyfaery\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6988:TCP"= 6988:TCP:Services
"3246:TCP"= 3246:TCP:Services
"6770:TCP"= 6770:TCP:Services

R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [11/1/2009 8:19 PM 20352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/2/2010 3:07 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/2/2010 3:07 PM 20560]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [12/18/2008 10:43 AM 353680]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/2/2010 1:16 PM 206608]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [9/12/2006 5:14 PM 126808]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/2/2010 1:16 PM 206608]
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-21 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 17:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cnn.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://portal.scdmh.org//SNX/CSHELL/extender.cab
FF - ProfilePath - c:\documents and settings\bearyfaery\Application Data\Mozilla\Firefox\Profiles\l7wn54xf.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - plugin: c:\documents and settings\bearyfaery\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\bearyfaery\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2010-01-11 20:29:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 01:29

Pre-Run: 10,990,546,944 bytes free
Post-Run: 13,143,674,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS=Windows XP/2003

- - End Of File - - A0A2805253E43A58D23F5575BE437D18




Not having any boot-up beeps, but that might have just been ComboFix running.

#8 chamber, Face Burnin' Malware Fighter (Visiting Consultant, 2,712 posts)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
c:\documents and settings\bearyfaery\Local Settings\Application Data\edgynm

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"6988:TCP"=-
"3246:TCP"=-
"6770:TCP"=-

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
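The CFScript above is not arbitrary: each Registry:: and DDS:: line maps to something visible in the ComboFix log earlier in the thread. "AntiVirusOverride"=dword:00000001 under the Security Center key tells Windows to stop warning that no antivirus is monitoring the machine; the GloballyOpenPorts list carries a block of high TCP ports all labelled with the generic name "Services" (plus RDP on 3389) that no installer on this box would have added; and "ProxyServer = http=127.0.0.1:5555" points Internet Explorer at a proxy on the machine itself, which means some local process was sitting between the browser and the network. The example below, added here and not part of the thread, of ComboFix, or of chamber's script, pulls those three indicators out of a ComboFix-style log and emits the matching CFScript fragment. The SAMPLE_LOG excerpt is constructed from the values shown in the thread plus one invented legitimate port entry (139:TCP with a resource-string label) for contrast; the port heuristic (flag entries labelled "Services" and remote-administration ports) is my assumption, not a ComboFix rule, and judgement calls such as the uTorrent firewall exception and the edgynm folder are deliberately not automated.

```python
"""Pull the three findings chamber's CFScript targets out of a ComboFix log
(Security Center override, globally open firewall ports, browser proxy pointed
at the local machine) and render the matching Registry::/DDS:: fragment.

Added example for this thread; not ComboFix code and not chamber's script.
SAMPLE_LOG is constructed from values shown in the thread plus one invented
legitimate entry (139:TCP) so the heuristic has something to leave alone."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"6770:TCP"= 6770:TCP:Services
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

------- Supplementary Scan -------
.
uStart Page = hxxp://cnn.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

SEC_CENTER = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"
OPEN_PORTS = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
              r"\standardprofile\GloballyOpenPorts\List")
# Heuristics (assumptions, not ComboFix rules): the bare label "Services" is what the
# attacker-added rules in the thread carry; RDP open to every profile is worth a look too.
SUSPECT_PORT_LABELS = {"services"}
REMOTE_ADMIN_PORTS = {3389}

Finding = Tuple[str, str, str]  # (registry key or "DDS", value name / log line, reason)


def parse_reg_sections(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '"name"=value' lines under the [key] header that precedes them.
    A blank line closes a block, matching the log's layout."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    key: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(.+)\]$", line)
        value = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if header:
            key = header.group(1)
            sections.setdefault(key, [])
        elif key and value:
            sections[key].append((value.group(1), value.group(2).strip()))
        elif not line:
            key = None
    return sections


def parse_proxy(log: str) -> Optional[Tuple[str, str, int]]:
    """Return (full log line, host, port) for the ProxyServer setting, or None."""
    m = re.search(r"^(uInternet Settings,ProxyServer\s*=\s*(?:\w+=)?([^:\s]+):(\d+))", log, re.M)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def is_local_proxy(host: str) -> bool:
    """A proxy on the machine itself means a local process sits in the browser's path."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def analyse(log: str) -> List[Finding]:
    findings: List[Finding] = []
    sections = parse_reg_sections(log)
    for name, value in sections.get(SEC_CENTER, []):
        # dword:00000001 tells Security Center to stop reporting antivirus state
        if name == "AntiVirusOverride" and value.startswith("dword:") and int(value[6:], 16):
            findings.append((SEC_CENTER, name, "Security Center AV monitoring overridden"))
    for name, value in sections.get(OPEN_PORTS, []):
        port, proto = name.split(":", 1)
        label = value.split(":", 2)[2] if value.count(":") >= 2 else ""
        if label.lower() in SUSPECT_PORT_LABELS:
            findings.append((OPEN_PORTS, name, f"{proto} {port} opened with generic label '{label}'"))
        elif int(port) in REMOTE_ADMIN_PORTS:
            findings.append((OPEN_PORTS, name, f"{proto} {port} ({label}) open in standard profile"))
    proxy = parse_proxy(log)
    if proxy and is_local_proxy(proxy[1]):
        findings.append(("DDS", proxy[0], f"browser proxy points at loopback port {proxy[2]}"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render findings as the Registry:: and DDS:: blocks ComboFix reads from CFScript.txt
    ('"name"=-' deletes a value; a DDS:: line resets that browser setting)."""
    reg: Dict[str, List[str]] = {}
    dds: List[str] = []
    for key, name, _reason in findings:
        if key == "DDS":
            dds.append(name)
        else:
            reg.setdefault(key, []).append(f'"{name}"=-')
    out = ["Registry::"]
    for key, entries in reg.items():
        out.append(f"[{key}]")
        out.extend(entries)
    if dds:
        out += ["", "DDS::", *dds]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for _key, name, reason in hits:
        print(f"{reason}: {name}")
    print(build_cfscript(hits))
```

Run against a real ComboFix.txt the output should be read, not pasted straight into CFScript.txt: the "Services" label is a heuristic, and on a machine that genuinely publishes a service on a high port it will produce a false positive, so keep the human review step chamber is doing here.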

#9 chamber, Face Burnin' Malware Fighter (Visiting Consultant, 2,712 posts)
Internet blip

Edited by chamber, 12 January 2010 - 02:12 AM.
