[W. Savage]

Greetings good people of geekstogo,

I'm having an issue and since you guys have helped in the past I'm once again coming to you with a problem hoping for a solution.

First let me say this much; I had NOTHING bad on my machine until I needed to install JAVA to post a photo album on facebook - shortly after it's installation all heck broke loose - mainly slow response and my firewall was turning itself off - I know from a previous issue that's a BAD sign. So I uninstalled JAVA and ran AVIRA Antivirus, spybot S&D, Lavasoft Adaware and malwarebytes full scans, and have cleaned every twitchy little bug that came up, trashgens, trojans and a LOT of malware out of no where. I uninstalled fire-fox (The browser I use, I don't trust IE) ran all my clean up programs again, found something new, wiped it out. Booted into safe mode, ran them again, found nothing. Did a fresh install of firefox, and instantly the first window I open, it pops up a new tab with some baloney about my system needing to be scanned for a virus - I knew it was bogus cause I've seen that before. Did a google search and the results were leading me to adds instead of the intended url. Tryed with other search sites - same result. So, I come to you with this issue, can you guys help me?

Thank you in advance

William

[Advertisements]

Hello W. Savage and welcome to GeeksToGo
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.

• Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
• Please do no attach logs or post them in Quote/Code boxes unless requested.
• I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
• When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• If in doubt about anything, please ask.

Please follow these steps.

-- Step 1 --

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Under the Custom Scan box paste this in
  
  netsvcs
  msconfig
  safebootminimal
  safebootnetwork
  activex
  drivers32
  %ALLUSERSPROFILE%\Application Data\*.
  %ALLUSERSPROFILE%\Application Data\*.exe /s
  %APPDATA%\*.
  %APPDATA%\*.exe /s
  %SYSTEMDRIVE%\*.exe
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  eNetHook.dll
  ahcix86.sys
  KR10N.sys
  nvstor32.sys
  ahcix86s.sys
  nvrd32.sys
  symmpi.sys
  adp3132.sys
  mv61xx.sys
  nvraid.sys
  /md5stop
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %systemroot%\System32\config\*.sav
  CREATERESTOREPOINT
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked. UNCHECK the following boxes
  
  • Sections
  • IAT/EAT
  • Drives/Partition other than System drive (typically C:\)
  • Show all (important)
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[hammerman]

Hello W. Savage and welcome to GeeksToGo
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.

• Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
• Please do no attach logs or post them in Quote/Code boxes unless requested.
• I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
• When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• If in doubt about anything, please ask.

Please follow these steps.

-- Step 1 --

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Under the Custom Scan box paste this in
  
  netsvcs
  msconfig
  safebootminimal
  safebootnetwork
  activex
  drivers32
  %ALLUSERSPROFILE%\Application Data\*.
  %ALLUSERSPROFILE%\Application Data\*.exe /s
  %APPDATA%\*.
  %APPDATA%\*.exe /s
  %SYSTEMDRIVE%\*.exe
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  eNetHook.dll
  ahcix86.sys
  KR10N.sys
  nvstor32.sys
  ahcix86s.sys
  nvrd32.sys
  symmpi.sys
  adp3132.sys
  mv61xx.sys
  nvraid.sys
  /md5stop
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %systemroot%\System32\config\*.sav
  CREATERESTOREPOINT
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked. UNCHECK the following boxes
  
  • Sections
  • IAT/EAT
  • Drives/Partition other than System drive (typically C:\)
  • Show all (important)
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[W. Savage]

OTL.Txt:

OTL logfile created on: 3/27/2010 6:35:08 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Bill\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 582.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 24.42 Gb Free Space | 16.38% Space Free | Partition Type: NTFS
Drive D: | 37.20 Gb Total Space | 18.59 Gb Free Space | 49.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAVAGE
Current User Name: Bill
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Bill\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Bill\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe (Autodesk)
SRV - (WmiApSrv) -- C:\WINDOWS\System32\svcrgr.exe ()
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (mi-raysat_3dsmax8) -- C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe ()


========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys (Wondershare)
DRV - (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys (Wondershare)
DRV - (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys (Wondershare)
DRV - (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys (Wondershare)
DRV - (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys (Wondershare)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (ASPI32) -- C:\WINDOWS\system32\drivers\aspi32.sys (Adaptec)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (P16X) Creative SB Live! Series (WDM) -- C:\WINDOWS\system32\drivers\P16X.sys (Creative Technology Ltd.)
DRV - (USBIO) USBIO Driver (usbio.sys) -- C:\WINDOWS\system32\drivers\usbio.sys (Thesycon GmbH, Germany)
DRV - (PfModNT) -- C:\WINDOWS\system32\PFMODNT.SYS (Creative Technology Ltd.)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.deviantart.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.17
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/26 02:24:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/26 02:24:39 | 000,000,000 | ---D | M]

[2010/03/26 02:25:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Mozilla\Extensions
[2010/03/27 03:39:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\extensions
[2010/03/26 02:35:59 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/03/26 02:36:00 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/03/26 02:55:53 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/03/26 02:24:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/10/07 03:51:25 | 000,000,732 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/09 20:46:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/09 20:46:31 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {861C31B5-0087-4FA9-2095-4BBF3FFB3376} - Outlook Express
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {AF028F24-9F9C-9A6F-2AB4-7E0053928DA1} - Outlook Express
ActiveX: {BDBA9C9C-0DC5-4A54-F944-55338EEC4E32} - Windows Media Player
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D176208F-FDE2-186B-9AF4-F5D6755602E7} - Vector Graphics Rendering (VML)
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ctmp3 - C:\WINDOWS\system32\ctmp3.acm (Creative Technology Ltd.)
Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17173366603513856)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/27 06:32:23 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
[2010/03/26 11:06:17 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/03/26 02:59:42 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Bill\UserData
[2010/03/26 02:24:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla
[2010/03/26 02:24:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill\Application Data\Mozilla
[2010/03/26 02:24:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/03/25 13:13:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/03/25 13:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/25 02:33:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/03/25 02:26:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill\Application Data\Avira
[2010/03/25 00:41:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/03/25 00:32:29 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/03/25 00:32:27 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/03/25 00:32:26 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/03/25 00:32:26 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/03/25 00:32:25 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/03/25 00:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/03/24 23:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\JRTwine Software
[2010/03/24 23:52:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/03/24 23:24:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/24 23:21:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill\Local Settings\Application Data\{26E122FA-3B64-42DA-A1D6-664A4CF46FD7}
[2010/03/24 22:14:04 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/21 01:50:33 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010/03/03 18:11:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/02/16 21:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/16 21:44:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/11/26 21:14:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2009/11/26 21:14:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2009/08/10 14:22:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/09 23:19:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/09 23:19:25 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/09 23:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/09 22:04:07 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/27 06:32:23 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
[2010/03/27 06:09:57 | 000,172,544 | ---- | M] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/27 05:59:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/26 22:59:01 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/26 21:05:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/26 21:04:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/26 21:04:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/26 21:04:36 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/26 21:03:42 | 005,849,088 | ---- | M] () -- C:\Documents and Settings\Bill\ntuser.dat
[2010/03/26 21:03:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Bill\ntuser.ini
[2010/03/26 21:03:35 | 003,771,338 | -H-- | M] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\IconCache.db
[2010/03/26 17:26:28 | 000,000,621 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/03/25 22:19:32 | 000,021,096 | ---- | M] () -- C:\Documents and Settings\Bill\My Documents\bookmarks-2010-03-25.json
[2010/03/25 13:13:38 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/25 13:13:38 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/25 01:08:46 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/03/24 23:21:15 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Pmala.dat
[2010/03/24 23:21:15 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Uhatuyu.bin
[2010/03/14 10:38:52 | 000,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 10:38:52 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 10:38:52 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/09 23:40:16 | 000,000,494 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2010/03/03 18:13:20 | 000,870,128 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\mcs.rma
[2010/03/03 18:13:20 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\34FD4D
[2010/03/03 02:33:33 | 002,181,619 | ---- | M] () -- C:\Documents and Settings\Bill\My Documents\Burn the Fat Feed the Muscle Body Building Secrets 2004.pdf
[2010/03/02 17:23:37 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Bill\My Documents\Health.doc
[2010/03/01 09:05:24 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/26 20:56:51 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/25 22:19:32 | 000,021,096 | ---- | C] () -- C:\Documents and Settings\Bill\My Documents\bookmarks-2010-03-25.json
[2010/03/25 13:13:38 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/24 23:21:15 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pmala.dat
[2010/03/24 23:21:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uhatuyu.bin
[2010/03/21 02:04:30 | 005,849,088 | ---- | C] () -- C:\Documents and Settings\Bill\ntuser.dat
[2010/03/03 02:33:32 | 002,181,619 | ---- | C] () -- C:\Documents and Settings\Bill\My Documents\Burn the Fat Feed the Muscle Body Building Secrets 2004.pdf
[2010/03/02 17:21:46 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Bill\My Documents\Health.doc
[2009/12/05 17:28:12 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/12/05 17:28:12 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/05 17:28:11 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/09/22 02:01:10 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2009/08/23 08:48:16 | 000,000,621 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/08/19 01:57:55 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/12 08:47:17 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\34FD4D
[2009/08/12 08:47:15 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\mcs.rma
[2009/08/10 10:00:04 | 000,172,544 | ---- | C] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/10 06:53:06 | 000,040,028 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\ReplayMusicLog.log
[2009/08/10 06:47:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/09 22:14:23 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXBRPMON.DLL
[2009/08/09 22:14:23 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXBRPMUI.DLL
[2009/08/09 22:13:03 | 000,000,494 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2009/08/09 22:04:57 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/08/09 22:04:07 | 000,002,158 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2009/08/09 22:04:07 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/08/09 22:04:06 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2009/08/09 22:04:00 | 000,002,572 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2009/08/09 22:03:58 | 000,000,064 | ---- | C] () -- C:\WINDOWS\P16x.ini
[2009/08/09 22:02:39 | 000,000,245 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2006/11/06 17:49:36 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2004/03/26 17:59:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/01/13 18:06:46 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBMLCNP.DLL
[2003/06/13 06:53:38 | 000,000,187 | ---- | C] () -- C:\WINDOWS\System32\lxbmcoin.ini
[2002/11/13 10:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbmvs.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2009/08/09 22:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\4200Series
[2009/08/10 00:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2010/03/26 21:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/08/10 00:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2009/08/10 00:54:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2009/08/09 23:58:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2009/08/10 07:42:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/08/11 03:05:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2010/03/25 00:32:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/08/14 00:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2009/08/09 22:03:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Creative
[2009/08/09 23:55:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/08/10 22:18:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2009/08/10 01:02:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/21 02:54:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/08/09 23:00:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/08/10 00:55:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/09 23:49:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/02/25 00:54:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\xml_param
[2010/02/16 16:12:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/02/04 10:53:47 | 002,954,656 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
[2009/05/19 01:35:46 | 002,402,104 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\AIMinst.exe
[2009/05/19 01:35:48 | 000,550,024 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\AIMLang.exe
[2009/05/19 01:36:04 | 000,142,040 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
[2009/05/19 01:35:52 | 000,037,888 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\amoinst.exe
[2009/05/19 01:35:52 | 000,069,104 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\amos.exe
[2009/05/19 01:35:58 | 000,120,368 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\aoldlmgr.exe
[2009/05/19 01:36:04 | 000,097,072 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
[2009/05/19 01:35:52 | 000,231,216 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\migrator.exe
[2009/05/19 01:35:52 | 001,225,352 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\msvc9rt.exe
[2009/05/19 01:35:54 | 004,480,040 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\ocpinst.exe
[2009/05/19 01:35:44 | 000,036,704 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\postproc.exe
[2009/05/19 01:35:42 | 000,172,840 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\setup.exe
[2009/05/19 01:35:56 | 000,383,128 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\tbsetup.exe
[2009/05/19 01:36:04 | 001,484,856 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
[2009/05/19 01:35:56 | 000,376,568 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\unagi3.exe
[2009/05/19 01:36:02 | 000,030,512 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
[2009/05/19 01:36:04 | 002,884,832 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
[2009/08/09 23:56:26 | 001,272,304 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\AIMinst.exe
[2009/08/09 23:57:01 | 000,481,432 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\AIMLang.exe
[2009/08/09 23:56:34 | 000,141,944 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\alsetup.exe
[2009/08/09 23:56:36 | 000,120,368 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\aoldlmgr.exe
[2009/08/09 23:56:38 | 000,228,912 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\migrator.exe
[2009/08/09 23:56:54 | 005,312,840 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\ocpinst.exe
[2009/08/09 23:56:32 | 000,035,888 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\postproc.exe
[2009/08/09 23:56:33 | 000,169,520 | ---- | M] (AOL LLC.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
[2009/08/09 23:56:56 | 000,357,776 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\tbsetup.exe
[2009/08/09 23:56:58 | 000,376,568 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\unagi3.exe
[2009/08/09 23:57:13 | 003,858,056 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\Vwpt.exe
[2010/03/25 00:03:11 | 001,263,728 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
[2010/03/25 00:03:11 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
[2009/09/21 16:50:51 | 000,640,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
[2010/03/25 00:03:13 | 001,597,440 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
[2010/03/25 00:03:13 | 000,855,352 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
[2010/03/25 00:03:14 | 000,848,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
[2010/02/08 00:31:59 | 003,803,208 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
[2010/02/16 16:18:27 | 000,015,880 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
[2010/03/25 00:03:19 | 000,885,736 | ---- | M] (Lavasoft) -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
[2009/08/09 23:54:57 | 000,085,352 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
[2009/09/21 16:51:00 | 000,303,976 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
[2010/01/08 22:14:12 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

< %APPDATA%\*. >
[2009/11/26 21:14:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\4200Series
[2009/08/10 00:46:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\acccore
[2010/03/26 21:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Adobe
[2009/08/16 04:37:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Apple Computer
[2010/03/25 02:26:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Avira
[2010/03/07 04:17:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Canon
[2009/08/18 13:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\CyberLink
[2009/08/13 00:59:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\DivX
[2009/08/22 10:07:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Dropbox
[2010/03/24 23:52:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\dvdcss
[2010/02/16 21:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Google
[2009/08/09 21:01:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Identities
[2009/09/07 15:08:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Leadertech
[2009/08/10 00:36:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Macromedia
[2009/08/10 01:02:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Malwarebytes
[2009/09/20 13:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Media Player Classic
[2009/10/04 04:15:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Bill\Application Data\Microsoft
[2009/08/22 12:06:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Move Networks
[2010/03/26 02:25:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Mozilla
[2009/08/17 10:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\NesterSoft
[2009/09/21 16:29:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Sonic
[2009/09/21 16:33:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Sun
[2010/03/27 06:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\vlc
[2009/08/10 13:17:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\WinRAR

< %APPDATA%\*.exe /s >
[2009/08/20 19:36:36 | 026,784,219 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Dropbox\bin\Dropbox.exe
[2009/08/22 09:46:22 | 000,089,822 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Dropbox\bin\Uninstall.exe
[2009/08/21 17:23:49 | 000,127,872 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Move Networks\uninstall.exe
[2009/06/16 01:35:42 | 000,097,144 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
[2010/03/26 02:36:02 | 000,177,024 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\FlashGot.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2003/07/16 11:40:05 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2010/03/25 01:08:46 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/03/25 01:08:46 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/08/09 14:45:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/09 14:45:24 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/09 14:45:24 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

[W. Savage]

Extras.Txt:

OTL Extras logfile created on: 3/27/2010 6:35:08 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Bill\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 582.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 24.42 Gb Free Space | 16.38% Space Free | Partition Type: NTFS
Drive D: | 37.20 Gb Total Space | 18.59 Gb Free Space | 49.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAVAGE
Current User Name: Bill
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 File not found
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 File not found
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Autodesk\backburner\monitor.exe" = C:\Program Files\Autodesk\backburner\monitor.exe:*:Enabled:backburner 2.3 monitor -- (Autodesk, Inc.)
"C:\Program Files\Autodesk\backburner\manager.exe" = C:\Program Files\Autodesk\backburner\manager.exe:*:Enabled:backburner 2.3 manager -- (Autodesk, Inc.)
"C:\Program Files\Autodesk\backburner\server.exe" = C:\Program Files\Autodesk\backburner\server.exe:*:Enabled:backburner 2.3 server -- (Autodesk, Inc.)
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus -- File not found
"C:\Program Files\Rhapsody\rhapsody.exe" = C:\Program Files\Rhapsody\rhapsody.exe:*:Enabled:Rhapsody Media Player -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel® PRO Network Connections 11.2.0.69
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D347E6D-5A03-4342-B5BA-6A771885F379}" = Backburner
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{885744A4-1A01-44B0-858A-0AE6738CBCF7}" = PrimoPDF Redistribution Package
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C439D065-5B64-4563-A6B9-1AA202633E13}" = Lexmark Fax Solutions
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
"{D3E29D5A-B772-4578-9075-4272569504E2}" = Delete FXP Files Classic
"{DBB313D6-4B13-4961-BD5F-673CDA1793CC}" = Autodesk 3ds Max 8
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CDisplay_is1" = CDisplay 1.8
"Digital Clock Screen Saver_is1" = Digital Clock Screen Saver
"Flash Movie Player" = Flash Movie Player 1.5
"InstallShield_{C439D065-5B64-4563-A6B9-1AA202633E13}" = Lexmark 4200 Series Fax Solutions
"Lexmark 4200 Series" = Lexmark 4200 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PlayFLV" = PlayFLV
"PrimoPDF3.1" = PrimoPDF
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"Replay Music3.45" = Replay Music
"SpeedFan" = SpeedFan (remove only)
"TIMELEFT3_is1" = TimeLeft
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Wondershare Media Converter_is1" = Wondershare Media Converter(Build 1.2.0.0)
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/27/2010 3:50:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 3:50:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 5:14:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 5:14:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 5:20:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 5:20:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 6:49:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 6:49:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 6:52:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/27/2010 6:52:57 AM | Computer Name = SAVAGE | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 3/26/2010 9:57:11 PM | Computer Name = SAVAGE | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 3/26/2010 9:57:11 PM | Computer Name = SAVAGE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WMI Performance Adapter
service to connect.

Error - 3/26/2010 9:57:11 PM | Computer Name = SAVAGE | Source = Service Control Manager | ID = 7000
Description = The WMI Performance Adapter service failed to start due to the following
error: %%1053

Error - 3/26/2010 9:57:15 PM | Computer Name = SAVAGE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 3/26/2010 9:57:15 PM | Computer Name = SAVAGE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 3/26/2010 10:05:03 PM | Computer Name = SAVAGE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 3/26/2010 10:05:03 PM | Computer Name = SAVAGE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 3/26/2010 10:05:06 PM | Computer Name = SAVAGE | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 3/26/2010 10:05:06 PM | Computer Name = SAVAGE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the WMI Performance Adapter
service to connect.

Error - 3/26/2010 10:05:06 PM | Computer Name = SAVAGE | Source = Service Control Manager | ID = 7000
Description = The WMI Performance Adapter service failed to start due to the following
error: %%1053


< End of report >

[W. Savage]

GMER.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-27 20:24:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Bill\LOCALS~1\Temp\fwtdypow.sys


---- System - GMER 1.0.15 ----

SSDT EF65B176 ZwCreateKey
SSDT EF65B16C ZwCreateThread
SSDT EF65B17B ZwDeleteKey
SSDT EF65B185 ZwDeleteValueKey
SSDT EF65B18A ZwLoadKey
SSDT EF65B158 ZwOpenProcess
SSDT EF65B15D ZwOpenThread
SSDT EF65B194 ZwReplaceKey
SSDT EF65B18F ZwRestoreKey
SSDT EF65B180 ZwSetValueKey

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 866FBCA1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[hammerman]

Hi,

Please follow these steps.

-- Step 1 --

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O2 - BHO: (no name) - {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No CLSID value found.
  O4 - HKLM..\Run: [] File not found
  [2010/03/24 23:21:15 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Pmala.dat
  [2010/03/24 23:21:15 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Uhatuyu.bin
  
  :Services
  
  :Reg
  
  :Files
  C:\WINDOWS\system32\drivers\atapi.sys | C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• This fix will produce a report. Please add this to your reply.

-- Step 2 --

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[W. Savage]

OTL log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD79A59-37B1-459B-9097-09F9FAB8A523}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FD79A59-37B1-459B-9097-09F9FAB8A523}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
C:\WINDOWS\Pmala.dat moved successfully.
C:\WINDOWS\Uhatuyu.bin moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File C:\WINDOWS\system32\drivers\atapi.sys successfully replaced with C:\WINDOWS\ServicePackFiles\i386\atapi.sys
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bill
->Temp folder emptied: 15601 bytes
->Temporary Internet Files folder emptied: 90750320 bytes
->Java cache emptied: 16813539 bytes
->FireFox cache emptied: 34819482 bytes
->Flash cache emptied: 4124 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 243388 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 7730377 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1145933 bytes
%systemroot%\System32 .tmp files removed: 3992253 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1604686 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 150.00 mb


[EMPTYFLASH]

User: All Users

User: Bill
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03282010_170713

Files\Folders moved on Reboot...
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Bill\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...

[W. Savage]

ComboFix 10-03-28.01 - Bill 03/28/2010 17:36:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.659 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bill\Local Settings\Application Data\{26E122FA-3B64-42DA-A1D6-664A4CF46FD7}
c:\documents and settings\Bill\Local Settings\Application Data\{26E122FA-3B64-42DA-A1D6-664A4CF46FD7}\chrome\content\_cfg.js
c:\documents and settings\Bill\Local Settings\Application Data\{26E122FA-3B64-42DA-A1D6-664A4CF46FD7}\chrome\content\overlay.xul
c:\documents and settings\Bill\Local Settings\Application Data\{26E122FA-3B64-42DA-A1D6-664A4CF46FD7}\install.rdf
c:\windows\run.log
c:\windows\system32\Data

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-26 07:59 . 2010-03-26 07:59 -------- d-s---w- c:\documents and settings\Bill\UserData
2010-03-26 07:36 . 2010-03-26 07:36 177024 ----a-w- c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\FlashGot.exe
2010-03-26 07:24 . 2010-03-26 07:24 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Mozilla
2010-03-25 18:13 . 2010-03-25 18:13 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 18:13 . 2010-03-25 18:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-25 07:33 . 2010-03-27 02:00 -------- d-----w- c:\windows\system32\NtmsData
2010-03-25 07:26 . 2010-03-25 07:26 -------- d-----w- c:\documents and settings\Bill\Application Data\Avira
2010-03-25 06:14 . 2010-03-25 06:14 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-25 05:41 . 2010-03-25 05:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-25 05:32 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-25 05:32 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-25 05:32 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-25 05:32 . 2010-03-25 05:32 -------- d-----w- c:\program files\Avira
2010-03-25 05:32 . 2010-03-25 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-25 04:56 . 2010-03-25 04:56 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-25 04:52 . 2010-03-25 04:52 -------- d-----w- c:\program files\JRTwine Software
2010-03-25 04:52 . 2010-03-25 04:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-25 03:14 . 2010-03-25 03:14 -------- d-----w- c:\program files\Java
2010-03-21 06:50 . 2010-03-21 06:51 -------- d-----w- C:\!KillBox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 22:07 . 2003-07-16 16:18 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-28 07:58 . 2009-12-09 06:25 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc
2010-03-25 18:13 . 2010-02-19 10:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 04:52 . 2009-12-13 22:45 -------- d-----w- c:\documents and settings\Bill\Application Data\dvdcss
2010-03-07 09:17 . 2009-08-27 18:35 -------- d-----w- c:\documents and settings\Bill\Application Data\Canon
2010-02-25 05:54 . 2009-12-27 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2010-02-22 22:59 . 2009-08-27 20:40 -------- d-----w- c:\program files\SpeedFan
2010-02-17 02:44 . 2010-02-12 14:07 -------- d-----w- c:\program files\Google
2010-02-16 21:19 . 2009-11-04 18:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-16 21:19 . 2009-11-04 18:14 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-16 21:19 . 2010-02-16 21:19 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-16 21:18 . 2009-11-04 18:14 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-16 21:18 . 2009-08-10 04:55 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-16 21:18 . 2009-11-04 18:14 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-16 21:18 . 2009-11-04 18:14 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-16 21:18 . 2009-08-10 04:55 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-16 21:18 . 2010-02-16 21:18 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-16 21:12 . 2009-08-10 04:53 -------- d-----w- c:\program files\Lavasoft
2010-02-16 21:12 . 2010-02-16 21:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-16 18:24 . 2009-08-10 05:17 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-08 05:31 . 2009-09-21 21:50 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 15:53 . 2010-02-16 21:12 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-02 05:49 . 2009-08-10 04:55 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-25 22:01 . 2009-08-10 11:53 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2010-01-09 03:14 . 2009-09-11 20:37 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-08-10 06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-08-10 06:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2003-07-16 16:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-25 818256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-10 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" /s
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\backburner\\server.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/9/2009 11:55 PM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/25/2010 12:32 AM 135336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/10/2009 12:55 AM 24652]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [10/22/2009 10:53 PM 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [10/22/2009 10:53 PM 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [10/22/2009 10:53 PM 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [10/22/2009 10:53 PM 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [10/22/2009 10:53 PM 25704]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 9:44 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1263728]
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 02:44]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 02:44]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\tkt41tpv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.deviantart.com/
FF - plugin: c:\documents and settings\Bill\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 17:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2020)
c:\documents and settings\Bill\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-28 17:50:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 22:50

Pre-Run: 26,177,228,800 bytes free
Post-Run: 26,148,601,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - FE091D2CEA233852858F522B3A9F1B86

[hammerman]

Hi,

Please follow these steps and then let me know how your computer's running.

-- Step 1 --

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

-- Step 2 --

Run Malwarebytes' Anti-Malware.

• Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
• Select the Scanner tab, select "Perform Quick Scan", then click Scan
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 3 --

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

[W. Savage]

Hello,

I've completed steps 1 - 3

There was no log created/saved by malwarebytes but I didn't notice this until I was getting ready to write this reply - I must have disabled that checkbox when I initially installed it and forgot. Since I'm supposed to do the steps you instruct in the order in which you give them, I figured it was best just to tell you that I didn't save one instead of running it a second time after step 3 (the eset scan). I do know that nothing was found in the malwarebytes scan though, and that it did not request a reboot. The ESET scan did produce a log file, which I cam copying to this reply as requested:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=41d89d0e2608d0429b74158850817060
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-29 02:59:19
# local_time=2010-03-28 09:59:19 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775125 100 93 0 27971605 83172 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=62902
# found=1
# cleaned=1
# scan_time=9847
D:\Back up\other\software\Max 8.0\VRay_1.5_RC3_Max8_and_Max9\Vray Render1.5 R3 - Tutorials.iso probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C

[hammerman]

Hi,

Congratulations, your computer appears clean

Let's remove the tools we've been using.

Please follow these steps.

-- Step 1 --

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

-- Step 2 --

• Download OTC to your desktop and run it
• Click Yes to beginning the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

I recommend you update to Internet Explorer 8.

Here are some measures you can take to ensure that your computer remains clean.

1. Updates

Windows Updates

It is essential that you regularly check and install the latest Windows Updates. Vulnerabilities within Windows can leave your computer open to infection. Regular updates are released to fix these security vulnerabilities. It is recommended that you set Windows to check, download and install your updates automatically.

• Click Start
• Select Control Panel
• Click on Automatic (recommended)
• Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
• Click Apply then OK.

Java Updates

As with Windows, Java also needs to be regularly updated to fix security vulnerabilites. You can download the latest version of the Java Runtime Environment (JRE) from here. Download, install and reboot your computer. You also need to uininstall older versions of Java.

• Click Start
• Select Control Panel
• Select Add or Remove Programs
• Remove all Java updates except the latest one you have just installed.

Adobe Updates

You should ensure you use the latest Adobe Acrobat Reader and install any security updates that are released. You can download the latest reader and updates from here.

Other Updates

Regularly check for updates for all your security programs including firewall, antivirus, antispyware etc

2. Security Programs

Here is a list of security programs that I would recommend.

Firewall

A firewall is essential to stop hackers infiltrating your computer. The following firewalls are free for personal use. Do not install more than one firewall.

Zone Alarm is an excellent free basic firewall which is very easy to use.
Online-Armor Free is a more advanced firewall which includes a Host Intrusion Protection System (HIPS). This ensures that unrecognised programs will not run unless you give permission.

Antivirus

An antivirus program is essential. The following antivirus programs are free for personal use. Do not use more than one antivirus and always update virus definitions regularly.

AVG
Avira Free
Avast

Anti-Malware

Malwarebytes Anti-Malware MBAM is an excellent anti-malware tool that should be updated and a Quick Scan performed regularly. A Full Scan does not have to be carried out on such a regular basis as the developers aim to detect the vast majority of malware with the Quick Scan. The scanner is free for on-demand scans only.

Ad-Aware, Spybot, SuperAntispyware and A-Squared Free are also very good anti-malware programs that are free for on-demand scans. Spybot has a real-time protection feature called TeaTimer.

Prevention

SpywareBlaster is an excellent free tool for preventing the installation of spyware.
SpywareGuard offers real-time protection so that spyware is detected and blocked before it can do any harm.

Cleaner

ATF Cleaner removes temporary Internet Explorer, Firefox and Windows files.

Browser

Firefox is an alternative browser to Internet Explorer and is more secure.
NoScript is an add-on for Firefox and prevents execution of malicious scripts.
MVPS is a HOSTS file to replace your existing file. This prevents you connecting to a list of well-known ad sites.

[W. Savage]

Hello,

Currently typing this from a mac because my pc doesn't have a browser installed - I got sick of things creeping in while I was trying to fix my computer. I'm running Avira, malwarebytes, Lavasoft Adaware and spybot search and destroy like I normally do. Keep in mind I started these before I read your lastest post. Sadly Avira found two threats something called a patch.gen? I'll get you more specifics as soon as I can. I will also download appropriate programs from the list you provided.

thanks

[hammerman]

OK. Will be interested in what Avira found. I suspect it's the patched files we already removed.

[W. Savage]

I re-scanned and found nothing. It said they were located somewhere in the system restore. But again, ran the second scan and found nothing. Also, did a fresh install of firefox 3.6 and installed new software you'd recommended. From what I can tell, I'm having no problems. Google results go to their proper websites, and I'm not getting any errors or beeps from avira. I'm going to clear the ram and scan one last time to make SURE nothing is crawling but I'm assuming there's no problem

[hammerman]

Hi,

I suspected it was in the restore points. You can delete your restore points and create a clean one by following these steps.

• Right-click on My Computer and select Properties.
• Click the System Restore tab.
• Check Turn off System Restore.
• Click Apply then click Yes to confirm. This will remove all your System Restore points and infected files.
• Now uncheck the Turn off System Restore, click Apply then OK.

A new Restore Point has now been created containing backup files for your computer that are clean. You can create additional Restore Points at any time. Click here for instructions.