
Rootkit.Agent Removal [Solved]



#1 HalYurAznPal (Member, 38 posts)
Hey guys, so I recently downloaded a bunch of Trojans and other malware onto my computer. Fortunately MBAM has taken care of mostly everything; however, MBAM keeps showing a file called Rootkit.Agent that is not removed even after I have restarted my computer. Also I have a problem with a fake Google homepage that redirects me to random sites every few searches. Being new to the site I don't really know what logs to post or programs to use, so please bear with me. Any help would be very appreciated. Thank you in advance :)

#2 hammerman (Member 4k, 4,183 posts)
Hello HalYurAznPal and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • If in doubt about anything, please ask.
Please follow these steps.

Please post your last Malwarebytes log showing the Rootkit.Agent file.

-- Step 1 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your post.

#3 HalYurAznPal (Topic Starter, 38 posts)
Hello hammerman, thank you for the help. Here are the OTL logs you have requested. GMER crashes when I try to run a scan. I thought it might be Avira still running, so I uninstalled it and tried again, and it still crashes. I will just wait for more instructions.


#4 hammerman (Member 4k, 4,183 posts)
Hi,

Please try running GMER from Safe mode.

To enter Safe Mode, restart your computer and continually tap the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit Enter.

Can you please copy/paste logs into your replies rather than attach them? Easier to work with that way. Thanks.

#5 HalYurAznPal (Topic Starter, 38 posts)
I tried running GMER in safe mode but it still crashes during the scan.

#6 hammerman (Member 4k, 4,183 posts)
Hi,

Please follow these steps.

-- Step 1 --

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: []  File not found
    [2010/05/06 10:56:46 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\tkkdh.sys
    [2010/05/06 10:38:43 | 000,000,310 | -HS- | M] () -- C:\Windows\tasks\vtmwwv.job
    [2010/04/27 19:21:32 | 000,010,556 | -HS- | M] () -- C:\ProgramData\KLry0l
    [2010/04/27 18:10:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\igkcomka
    [2010/04/27 15:13:07 | 000,012,730 | -HS- | M] () -- C:\ProgramData\c7vdif
    [2010/04/27 12:42:01 | 000,000,146 | ---- | C] () -- C:\Windows\System32\PRAGMAsrcr.dat
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\tasks\At*.job
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.
-- Step 2 --

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#7 HalYurAznPal (Topic Starter, 38 posts)
I ran ComboFix and let it do its thing, and now I can't connect to the internet even after restarting the computer. I couldn't find a report named "Combo-Fix.txt", but I did find a "ComboFix.txt".

ComboFix 10-05-05.0D - Hallel 06/05/2010 12:36:29.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2038.994 [GMT -4:00]
Running from: C:\Users\Hallel\Desktop\Combo-Fix.exe
.

#8 hammerman (Member 4k, 4,183 posts)
Hi,

Can you please run Combofix again and post the log?

Also, please post the log from the OTL fix (Step 1).

#9 HalYurAznPal (Topic Starter, 38 posts)
Here is the OTL file.

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
File move failed. C:\Windows\System32\drivers\tkkdh.sys scheduled to be moved on reboot.
C:\Windows\Tasks\vtmwwv.job moved successfully.
C:\ProgramData\KLry0l moved successfully.
C:\Windows\System32\igkcomka moved successfully.
C:\ProgramData\c7vdif moved successfully.
C:\Windows\System32\PRAGMAsrcr.dat moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At10.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At12.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At14.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At16.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At18.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At2.job moved successfully.
C:\Windows\tasks\At20.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At22.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At24.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At4.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At6.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At8.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Hal

User: Hallel
->Temp folder emptied: 1648993 bytes
->Temporary Internet Files folder emptied: 1850754 bytes
->FireFox cache emptied: 35796224 bytes
->Flash cache emptied: 3616 bytes

User: Isaac
->Temp folder emptied: 146011 bytes
->Temporary Internet Files folder emptied: 9009342 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 79612693 bytes
->Flash cache emptied: 9496 bytes

User: Mcx1

User: Public

User: Rudy
->Temp folder emptied: 269886351 bytes
->Temporary Internet Files folder emptied: 5714642 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 34819176 bytes
->Flash cache emptied: 948 bytes

User: TJ
->Temp folder emptied: 20563571 bytes
->Temporary Internet Files folder emptied: 9415529 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 80429148 bytes
->Flash cache emptied: 2781 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21178689 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 544.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Hal

User: Hallel
->Flash cache emptied: 0 bytes

User: Isaac
->Flash cache emptied: 0 bytes

User: Mcx1

User: Public

User: Rudy
->Flash cache emptied: 0 bytes

User: TJ
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05062010_121913

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\tkkdh.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#10 HalYurAznPal (Topic Starter, 38 posts)
Here is the ComboFix file.

ComboFix 10-05-05.0D - Hallel 06/05/2010 13:36:04.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2038.1291 [GMT -4:00]
Running from: c:\users\Hallel\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\windows\system32\driVERs\tkkdh.sys
c:\windows\system32\winstartup.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_tkkdh
-------\Service_tkkdh


((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-06 17:41 . 2010-05-06 17:41 -------- d-----w- c:\users\Hallel\AppData\Local\temp
2010-05-06 17:41 . 2010-05-06 17:41 -------- d-----w- c:\users\TJ\AppData\Local\temp
2010-05-06 17:41 . 2010-05-06 17:41 -------- d-----w- c:\users\Rudy\AppData\Local\temp
2010-05-06 17:41 . 2010-05-06 17:41 -------- d-----w- c:\users\Isaac\AppData\Local\temp
2010-05-06 17:41 . 2010-05-06 17:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-06 16:19 . 2010-05-06 16:19 -------- d-----w- C:\_OTL
2010-05-05 20:35 . 2010-05-05 20:35 -------- d-----w- c:\users\TJ\AppData\Local\Skype
2010-05-02 14:47 . 2010-05-02 14:47 -------- d-----w- c:\program files\CONEXANT
2010-04-30 16:07 . 2010-04-30 16:07 6153352 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-30 05:49 . 2010-05-06 17:02 -------- d-----w- c:\users\Hallel\Tracing
2010-04-30 05:42 . 2010-04-30 05:58 -------- d-----w- c:\users\Hallel\AppData\Roaming\vlc
2010-04-30 04:49 . 2010-04-30 04:49 77928 ----a-w- c:\users\Hallel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-30 04:13 . 2010-04-30 04:13 -------- d-----w- c:\users\Hallel\AppData\Local\Google
2010-04-30 04:13 . 2010-04-30 04:13 0 ----a-w- c:\windows\nsreg.dat
2010-04-30 04:13 . 2010-04-30 04:13 -------- d-----w- c:\users\Hallel\AppData\Local\Mozilla
2010-04-30 04:10 . 2010-04-30 04:11 -------- d-----w- c:\users\Hallel\AppData\Roaming\Malwarebytes
2010-04-30 04:05 . 2010-03-26 14:33 43008 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-30 04:05 . 2010-03-26 14:33 1496064 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-30 04:05 . 2010-03-26 14:33 339456 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-30 04:05 . 2010-03-26 14:32 346112 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-29 02:56 . 2010-04-29 02:57 -------- d-----w- c:\users\Rudy\AppData\Local\MigWiz
2010-04-28 21:39 . 2010-04-28 21:39 -------- d-----w- c:\users\Isaac\AppData\Roaming\Malwarebytes
2010-04-28 21:37 . 2010-04-28 21:37 -------- d-----w- c:\users\TJ\AppData\Roaming\Malwarebytes
2010-04-28 21:13 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-28 21:13 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-28 21:13 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-28 21:13 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-28 21:13 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-28 21:12 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-28 21:12 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-28 21:12 . 2010-04-28 21:12 -------- d-----w- c:\programdata\Alwil Software
2010-04-27 22:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-27 22:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 19:37 . 2010-04-27 19:37 -------- d-----w- c:\users\Rudy\AppData\Roaming\Malwarebytes
2010-04-27 19:37 . 2010-04-27 19:37 -------- d-----w- c:\programdata\Malwarebytes
2010-04-27 19:37 . 2010-04-30 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-27 16:41 . 2010-04-27 16:41 93184 --sha-r- c:\windows\system32\SCardSvry.dll
2010-04-14 02:26 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 02:26 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 02:26 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 02:26 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 02:26 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 02:26 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 02:25 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 02:25 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 02:25 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 18:39 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:39 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 19:41 . 2007-08-21 00:47 -------- d-----w- c:\programdata\Google Updater
2010-04-30 05:00 . 2008-03-04 02:25 -------- d-----w- c:\program files\Bonjour
2010-04-30 04:59 . 2007-11-22 23:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-30 04:56 . 2007-01-04 19:15 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-29 02:53 . 2009-02-11 16:27 -------- d-----w- c:\programdata\Norton
2010-04-29 02:51 . 2007-01-04 19:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-14 15:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-14 15:32 . 2007-07-25 05:22 -------- d-----w- c:\programdata\Microsoft Help
2010-04-03 03:56 . 2010-04-03 03:26 41 ----a-w- c:\users\TJ\jagex_runescape_preferences.dat
2010-04-03 03:54 . 2010-04-03 03:27 69 ----a-w- c:\users\TJ\jagex_runescape_preferences2.dat
2010-04-03 03:27 . 2010-04-03 03:27 0 ----a-w- c:\users\TJ\jagex__preferences3.dat
2010-03-26 03:17 . 2007-01-04 19:09 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-26 03:16 . 2007-01-04 19:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 21:27 . 2008-10-19 02:00 -------- d-----w- c:\program files\uTorrent
2010-03-20 16:30 . 2007-07-25 04:42 77928 ----a-w- c:\users\Rudy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-16 19:12 . 2007-08-17 15:42 77928 ----a-w- c:\users\Isaac\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-16 16:27 . 2007-07-27 00:43 77928 ----a-w- c:\users\TJ\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-16 04:55 . 2008-11-22 23:12 -------- d-----w- c:\program files\AviSynth 2.5
2010-03-16 04:54 . 2008-02-09 17:21 -------- d-----w- c:\program files\QuickTax 2007
2010-03-16 04:48 . 2010-03-15 03:03 -------- d-----w- c:\program files\Nokia
2010-03-16 04:46 . 2008-06-25 12:51 -------- d-----w- c:\programdata\Yahoo!
2010-03-15 03:17 . 2010-03-15 03:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-15 03:12 . 2010-03-15 03:12 -------- d-----w- c:\programdata\Nokia
2010-03-15 03:02 . 2010-03-15 03:02 36864 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\Sleep.exe
2010-03-15 03:02 . 2010-03-15 03:02 3351812 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\msxml6Exec.exe
2010-03-15 03:02 . 2010-03-15 03:02 3203453 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\vcredistExec.exe
2010-03-15 03:02 . 2010-03-15 03:02 -------- d-----w- c:\programdata\Installations
2010-03-15 03:02 . 2010-03-15 03:03 34642680 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\NokiaSoftwareUpdaterSetup_en.exe
2010-03-09 16:28 . 2010-03-30 18:45 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 18:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 18:45 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-24 14:16 . 2010-02-13 05:00 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 22:29 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 22:29 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 22:29 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-09 01:14 . 2009-11-07 16:05 71960 ----a-w- c:\users\TJ\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-08 22:02 . 2009-11-07 01:37 71960 ----a-w- c:\users\Isaac\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2009-02-11 21:51 . 2009-02-11 21:51 212991 ----a-w- c:\program files\Adobe After Effects CS4 ????.pdf
2009-02-11 21:51 . 2009-02-11 21:51 143872 ----a-w- c:\program files\Adobe After Effects CS4 ???????.pdf
2008-08-28 18:09 . 2009-02-11 21:51 85534 ----a-w- c:\program files\Leggimi di Adobe After Effects CS4.pdf
2008-08-28 18:09 . 2009-02-11 21:51 54092 ----a-w- c:\program files\Léame de Adobe After Effects CS4.pdf
2008-08-28 18:09 . 2009-02-11 21:51 80920 ----a-w- c:\program files\Adobe After Effects CS4 — Lisez-moi.pdf
2008-08-28 18:09 . 2009-02-11 21:51 80508 ----a-w- c:\program files\Adobe After Effects CS4 - Bitte lesen.pdf
2008-08-25 02:59 . 2009-02-11 21:51 63669 ----a-w- c:\program files\Adobe After Effects CS4 Read Me.pdf
.
<pre>
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Hewlett-Packard\HP Advisor\hpadvisor .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Windows Live\Messenger\msnmsgr	   .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Isaac\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\users\TJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\program files\Common Files\Symantec Shared\ccApp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-11-22 09:11 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-04-01 18:41 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-04-19 23:11 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-04-01 18:41 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPodVideoConverter_upgrade]
c:\program files\iPodVideoConverter\iPodVideoConverter.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2006-11-22 09:12 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcttime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2006-11-22 09:11 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
c:\program files\Yahoo!\Messenger\YahooMessenger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-04-01 18:41 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
c:\program files\Yahoo!\Messenger\YahooMessenger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\DRIVERS\AGUx86.sys [2007-10-08 892416]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-12-30 137344]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-12-30 8320]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]

.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-21 19:30]

2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{3B5EC866-8A93-4E2E-B6E6-EC2E18C8C982}.job
- c:\windows\system32\msfeedssync.exe [2008-06-17 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=desktop
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
TCP: {BC1206EB-AE85-4833-901F-16AFF14E1757} = 207.210.47.10,207.210.47.27
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
FF - ProfilePath - c:\users\Hallel\AppData\Roaming\Mozilla\Firefox\Profiles\rdqnamks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 13:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000020

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-06 13:43:26
ComboFix-quarantined-files.txt 2010-05-06 17:43

Pre-Run: 84,403,695,616 bytes free
Post-Run: 84,329,709,568 bytes free

- - End Of File - - 832D9038A9A9008432816D14C4D0B8E2
#11 hammerman (Member 4k, 4,183 posts)
Hi,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Save the attached file CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Then...

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#12 HalYurAznPal (Topic Starter, 38 posts)
Hello again, sorry for the long reply. I am unable to run Security Check because I get a window saying "Illegal operation attempted on a registry key that has been marked for deletion."

Edit: After a reboot I was able to run Security Check. Its under the ComboFix Log

Here is the ComboFix file:

ComboFix 10-05-05.0D - Hallel 06/05/2010 15:58:24.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2038.1311 [GMT -4:00]
Running from: c:\users\Hallel\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Hallel\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-04-07 to 2010-05-07 )))))))))))))))))))))))))))))))
.

2010-05-06 20:04 . 2010-05-07 02:00 -------- d-----w- c:\users\Hallel\AppData\Local\temp
2010-05-06 20:04 . 2010-05-06 20:04 -------- d-----w- c:\users\TJ\AppData\Local\temp
2010-05-06 20:04 . 2010-05-06 20:04 -------- d-----w- c:\users\Rudy\AppData\Local\temp
2010-05-06 20:04 . 2010-05-06 20:04 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-06 20:04 . 2010-05-06 20:04 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-05-06 20:04 . 2010-05-06 20:04 -------- d-----w- c:\users\Isaac\AppData\Local\temp
2010-05-06 20:04 . 2010-05-06 20:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-06 17:35 . 2010-05-06 17:43 -------- d-----w- C:\Combo-Fix
2010-05-06 16:19 . 2010-05-06 16:19 -------- d-----w- C:\_OTL
2010-05-05 20:35 . 2010-05-05 20:35 -------- d-----w- c:\users\TJ\AppData\Local\Skype
2010-05-02 14:47 . 2010-05-02 14:47 -------- d-----w- c:\program files\CONEXANT
2010-04-30 05:49 . 2010-05-06 19:12 -------- d-----w- c:\users\Hallel\Tracing
2010-04-30 05:42 . 2010-04-30 05:58 -------- d-----w- c:\users\Hallel\AppData\Roaming\vlc
2010-04-30 04:49 . 2010-04-30 04:49 77928 ----a-w- c:\users\Hallel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-30 04:13 . 2010-04-30 04:13 -------- d-----w- c:\users\Hallel\AppData\Local\Google
2010-04-30 04:13 . 2010-04-30 04:13 0 ----a-w- c:\windows\nsreg.dat
2010-04-30 04:13 . 2010-04-30 04:13 -------- d-----w- c:\users\Hallel\AppData\Local\Mozilla
2010-04-30 04:10 . 2010-04-30 04:11 -------- d-----w- c:\users\Hallel\AppData\Roaming\Malwarebytes
2010-04-29 02:56 . 2010-04-29 02:57 -------- d-----w- c:\users\Rudy\AppData\Local\MigWiz
2010-04-28 21:39 . 2010-04-28 21:39 -------- d-----w- c:\users\Isaac\AppData\Roaming\Malwarebytes
2010-04-28 21:37 . 2010-04-28 21:37 -------- d-----w- c:\users\TJ\AppData\Roaming\Malwarebytes
2010-04-28 21:13 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-28 21:13 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-28 21:13 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-28 21:13 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-28 21:13 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-28 21:12 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-28 21:12 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-28 21:12 . 2010-04-28 21:12 -------- d-----w- c:\programdata\Alwil Software
2010-04-27 22:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-27 22:17 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 19:37 . 2010-04-27 19:37 -------- d-----w- c:\users\Rudy\AppData\Roaming\Malwarebytes
2010-04-27 19:37 . 2010-04-27 19:37 -------- d-----w- c:\programdata\Malwarebytes
2010-04-27 19:37 . 2010-05-06 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-27 16:41 . 2010-04-27 16:41 93184 --sha-r- c:\windows\system32\SCardSvry.dll
2010-04-14 02:26 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 02:26 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 02:26 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 02:26 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 02:26 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 02:26 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 02:25 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 02:25 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 02:25 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-13 18:39 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:39 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 02:03 . 2007-08-21 00:47 -------- d-----w- c:\programdata\Google Updater
2010-04-30 16:07 . 2010-04-30 16:07 6153352 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-30 05:00 . 2008-03-04 02:25 -------- d-----w- c:\program files\Bonjour
2010-04-30 04:59 . 2007-11-22 23:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-30 04:56 . 2007-01-04 19:15 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-29 02:53 . 2009-02-11 16:27 -------- d-----w- c:\programdata\Norton
2010-04-29 02:51 . 2007-01-04 19:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-14 15:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-14 15:32 . 2007-07-25 05:22 -------- d-----w- c:\programdata\Microsoft Help
2010-04-03 03:56 . 2010-04-03 03:26 41 ----a-w- c:\users\TJ\jagex_runescape_preferences.dat
2010-04-03 03:54 . 2010-04-03 03:27 69 ----a-w- c:\users\TJ\jagex_runescape_preferences2.dat
2010-04-03 03:27 . 2010-04-03 03:27 0 ----a-w- c:\users\TJ\jagex__preferences3.dat
2010-03-26 14:33 . 2010-04-30 04:05 1496064 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 14:33 . 2010-04-30 04:05 43008 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 14:33 . 2010-04-30 04:05 339456 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 14:32 . 2010-04-30 04:05 346112 ----a-w- c:\users\Rudy\AppData\Roaming\Mozilla\Firefox\Profiles\on8y9j6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-26 03:17 . 2007-01-04 19:09 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-26 03:16 . 2007-01-04 19:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 21:27 . 2008-10-19 02:00 -------- d-----w- c:\program files\uTorrent
2010-03-20 16:30 . 2007-07-25 04:42 77928 ----a-w- c:\users\Rudy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-16 19:12 . 2007-08-17 15:42 77928 ----a-w- c:\users\Isaac\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-16 16:27 . 2007-07-27 00:43 77928 ----a-w- c:\users\TJ\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-16 04:55 . 2008-11-22 23:12 -------- d-----w- c:\program files\AviSynth 2.5
2010-03-16 04:54 . 2008-02-09 17:21 -------- d-----w- c:\program files\QuickTax 2007
2010-03-16 04:48 . 2010-03-15 03:03 -------- d-----w- c:\program files\Nokia
2010-03-16 04:46 . 2008-06-25 12:51 -------- d-----w- c:\programdata\Yahoo!
2010-03-15 03:17 . 2010-03-15 03:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-03-15 03:12 . 2010-03-15 03:12 -------- d-----w- c:\programdata\Nokia
2010-03-15 03:02 . 2010-03-15 03:02 36864 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\Sleep.exe
2010-03-15 03:02 . 2010-03-15 03:02 3351812 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\msxml6Exec.exe
2010-03-15 03:02 . 2010-03-15 03:02 3203453 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\Installer\CommonCustomActions\vcredistExec.exe
2010-03-15 03:02 . 2010-03-15 03:02 -------- d-----w- c:\programdata\Installations
2010-03-15 03:02 . 2010-03-15 03:03 34642680 ----a-w- c:\programdata\Installations\{D8DDC00B-2881-407D-AAC2-44AEE70AF0B7}\NokiaSoftwareUpdaterSetup_en.exe
2010-03-09 16:28 . 2010-03-30 18:45 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 18:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 18:45 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-24 14:16 . 2010-02-13 05:00 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:39 . 2010-03-11 22:29 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 22:29 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 22:29 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-09 01:14 . 2009-11-07 16:05 71960 ----a-w- c:\users\TJ\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-02-08 22:02 . 2009-11-07 01:37 71960 ----a-w- c:\users\Isaac\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2009-02-11 21:51 . 2009-02-11 21:51 212991 ----a-w- c:\program files\Adobe After Effects CS4 ????.pdf
2009-02-11 21:51 . 2009-02-11 21:51 143872 ----a-w- c:\program files\Adobe After Effects CS4 ???????.pdf
2008-08-28 18:09 . 2009-02-11 21:51 85534 ----a-w- c:\program files\Leggimi di Adobe After Effects CS4.pdf
2008-08-28 18:09 . 2009-02-11 21:51 54092 ----a-w- c:\program files\Léame de Adobe After Effects CS4.pdf
2008-08-28 18:09 . 2009-02-11 21:51 80920 ----a-w- c:\program files\Adobe After Effects CS4 — Lisez-moi.pdf
2008-08-28 18:09 . 2009-02-11 21:51 80508 ----a-w- c:\program files\Adobe After Effects CS4 - Bitte lesen.pdf
2008-08-25 02:59 . 2009-02-11 21:51 63669 ----a-w- c:\program files\Adobe After Effects CS4 Read Me.pdf
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\SCardSvry.dll ---
Company: Microsoft Corporation
File Description: Script Client Side Extension
File Version: 6.0.6000.16386 (vista_rtm.061101-2205)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: gpscript.dll
File size: 93184
Created time: 2010-04-27 16:41
Modified time: 2010-04-27 16:41
MD5: 3D9866C2159F6E9E3DB4CEED841CC287
SHA1: 4B83B442A0504D2E3F93559826BF09EA4DFFF8DF


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\users\Isaac\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\users\TJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2006-11-22 09:11 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-04-01 18:41 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPADVISOR]
2006-11-16 22:59 1480296 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\hpadvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-04-19 23:11 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-04-01 18:41 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2006-11-22 09:12 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\lxcttime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2006-11-22 09:11 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-04-01 18:41 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-21 00:47 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R3 A5AGU;D-Link Wireless LAN 802.11 USB device driver;c:\windows\system32\DRIVERS\AGUx86.sys [2007-10-08 892416]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-12-30 137344]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-12-30 8320]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]

.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-21 19:30]

2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{3B5EC866-8A93-4E2E-B6E6-EC2E18C8C982}.job
- c:\windows\system32\msfeedssync.exe [2008-06-17 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Pavilion&pf=desktop
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
TCP: {BC1206EB-AE85-4833-901F-16AFF14E1757} = 207.210.47.10,207.210.47.27
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -
FF - ProfilePath - c:\users\Hallel\AppData\Roaming\Mozilla\Firefox\Profiles\rdqnamks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe
MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-iPodVideoConverter_upgrade - c:\program files\iPodVideoConverter\iPodVideoConverter.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 22:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000020

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxctcoms.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conime.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-06 22:08:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-07 02:08
ComboFix2.txt 2010-05-06 17:43

Pre-Run: 84,369,199,104 bytes free
Post-Run: 84,329,115,648 bytes free

- - End Of File - - 3D42025468BE5B9CF1CD905ED9B02C03

Security Check File:

Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 1 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 15
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 9.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````

Edited by HalYurAznPal, 06 May 2010 - 10:21 PM.
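
A small triage script for the two log formats posted above. This is an added example; it is not part of ComboFix, Security Check or the instructions in this thread. It takes a handful of lines copied from the ComboFix log and the Security Check report above as a constructed sample and flags the items a helper would look at first: a non-directory file under system32 carrying both the system and hidden attributes (the `--sha-r-` entry for SCardSvry.dll, whose version block names it gpscript.dll), `EnableLUA` set to 0 under the policies\system key, `DisableMonitoring` set to 1 under Security Center, an autostart path with a space before its extension (`msnmsgr .exe`), and the Security Check lines that report a disabled or out-of-date component. The finding labels and the regular expressions are mine, and the attribute-string layout assumed (eight flag characters, `d`/`s`/`h`/`a`/`r`/`w`) is inferred from the lines in the log rather than documented anywhere on this page.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix component)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the ComboFix log and the
# Security Check report posted above, not the full logs.
SAMPLE_LOG = r"""
2010-04-28 21:13 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-27 16:41 . 2010-04-27 16:41 93184 --sha-r- c:\windows\system32\SCardSvry.dll
2010-03-26 03:16 . 2007-01-04 19:08 -------- d--h--w- c:\program files\InstallShield Installation Information
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe
Windows Vista Service Pack 1 (UAC is disabled!)
Windows Firewall Disabled!
Out of date Java installed!
"""

# "Files Created" / "Find3M" entries: created . modified size attrs path.
# The eight-character attribute field (d/s/h/a/r/w flags) is an assumption
# inferred from the log lines, not from any ComboFix documentation.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# "ORPHANS REMOVED" style entries: <entry> - <drive>:\<path>
AUTORUN = re.compile(r"^(?P<entry>\S+) - (?P<path>[a-zA-Z]:\\.+)$")
# Security Check reports problems as lines containing these words.
SECCHECK_ALERT = re.compile(r"(disabled|out of date)", re.IGNORECASE)


def triage(log_text):
    """Return a list of (category, detail) findings; category names are mine."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            is_dir = attrs.startswith("d")
            in_system32 = r"\windows\system32" in path.lower()
            # A plain file marked both system and hidden inside system32 is
            # exactly how SCardSvry.dll shows up in the log above.
            if not is_dir and "s" in attrs and "h" in attrs and in_system32:
                findings.append(("hidden-system-file", path))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            name, value = m.group("name"), m.group("value")
            if (name == "EnableLUA" and current_key.endswith(r"policies\system")
                    and value.startswith("0")):
                findings.append(("uac-disabled", current_key))
            if name == "DisableMonitoring" and value.endswith("00000001"):
                findings.append(("security-center-monitoring-disabled", current_key))
            continue
        m = AUTORUN.match(line)
        if m:
            path = m.group("path")
            # "msnmsgr .exe" is a look-alike of the real Messenger binary name.
            if re.search(r"\s\.[A-Za-z0-9]+$", PureWindowsPath(path).name):
                findings.append(("space-before-extension", path))
            continue
        if SECCHECK_ALERT.search(line):
            findings.append(("security-check-alert", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:40} {detail}")
```

To run it over a real log, read C:\ComboFix.txt (or checkup.txt) into a string and pass it to triage(); the matches are only pointers for a human to follow up, since the same attribute and registry patterns also appear on legitimate entries.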

#13 hammerman (Member 4k, 4,183 posts)
Hi,

Please follow these steps.

-- Step 1 --

I notice that you do not have an antivirus program running on your computer. Without this protection, you are extremely vulnerable to the ever-increasing number of viruses and malware present today. This is so important that I ask you to install an antivirus program before we proceed.

There are many free programs available for you to use. Two such programs are Avast from here or Avira from here. Please install ONE of these programs now and ensure you carry out a full update.

Can you enable the Windows firewall?

-- Step 2 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 3 --

Run Malwarebytes' Anti-Malware.
  • Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
  • Select the Scanner tab, select "Perform Quick Scan", then click Scan
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 4 --
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")

-- Step 5 --

Run OTL and select Minimal Output. Use the Quick Scan button to start a scan.
Please post the OTL report in your reply.
  • 0
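An added example, not part of this thread and not screen317's Security Check, that audits the same items the Security Check log above reports (UAC, Windows Firewall, a registered antivirus, side-by-side Java builds) with built-in Windows tooling, so the fixes asked for in this post can be verified afterwards. It assumes an elevated Windows PowerShell 3.0 or later prompt on an English-language Windows (the netsh output it matches is localized), and that the Java installers register themselves under Add/Remove Programs as "Java(TM) N Update M"; those are assumptions about a stock installation, not facts from the thread.

```powershell
# Added example, not part of the thread: audit the items screen317's Security
# Check reported (UAC, firewall, antivirus, Java versions) with built-in tools.
# Assumes Windows PowerShell 3.0+ in an elevated prompt on an English-language
# Windows, and that Java registers itself as "Java(TM) N Update M" in Add/Remove
# Programs (true for the Sun/Oracle installers; an assumption otherwise).

$report = [ordered]@{}

# 1. UAC. EnableLUA = 0 is what "UAC is disabled!" means in the log.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$report['UAC enabled'] = ((Get-ItemProperty $policy).EnableLUA -ne 0)

# 2. Windows Firewall, per profile. netsh works back to Vista; the
#    Get-NetFirewallProfile cmdlet only exists on Windows 8 / Server 2012+.
$fw = netsh advfirewall show allprofiles state
$report['Firewall on (all profiles)'] = -not ($fw -match 'State\s+OFF')

# 3. Antivirus as registered with Security Center. Nothing here is the
#    "WMI entry may not exist for antivirus" line in the log.
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$report['Antivirus registered'] = if ($av) { $av.displayName -join ', ' } else { 'none' }

# 4. Java runtimes, read from the same Uninstall keys Add/Remove Programs shows
#    (32-bit installs on 64-bit Windows live under Wow6432Node). More than one
#    entry means old, exploitable builds are still present; the log shows three.
$uninstall = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$java = @(Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -match '^Java.*\d+ Update \d+' } |
  Sort-Object { try { [version]$_.DisplayVersion } catch { [version]'0.0' } } -Descending)

$report['Java installs'] = $java.Count
$report['Stale Java installs'] = if ($java.Count -gt 1) {
  ($java | Select-Object -Skip 1).DisplayName -join '; '
} else { 'none' }

$report | Format-Table -AutoSize

# Remediation for the two items that need no download; the rest of the steps
# above are installers. The UAC change takes effect at the next reboot.
# netsh advfirewall set allprofiles state on
# Set-ItemProperty $policy -Name EnableLUA -Value 1
#
# Silent removal of every Java build except the newest, via the MSI product
# code recorded in each entry's UninstallString. Run it on one entry first.
# $java | Select-Object -Skip 1 | ForEach-Object {
#   $code = [regex]::Match($_.UninstallString, '\{[0-9A-Fa-f-]+\}').Value
#   Start-Process msiexec.exe -ArgumentList "/x $code /qn /norestart" -Wait
# }
```

Run it once before and once after the steps in this post: the firewall and UAC rows should flip to True, the antivirus row should name the product you installed, and the Java rows should drop to a single current build. The uninstall loop is left commented out on purpose; removing the wrong MSI product code silently is worse than clicking through Add/Remove Programs.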

#14 HalYurAznPal (Topic Starter, 38 posts)
I still don't have internet access on my computer, so I can't update my version of these programs.

Edit: In step one you asked me to download an Antivirus program. I just remembered I have Norton Internet Security 2010 that I have yet to use, should I use that instead?

Edited by HalYurAznPal, 07 May 2010 - 09:25 AM.

  • 0

#15 hammerman (Member 4k, 4,183 posts)
Hi,

Right-click on the Network icon in the notification area in the lower right corner of the Desktop & select "Repair"
  • 0





