"WindowsSafeMode"


  • This topic is locked

#1
davidmgosselin

    New Member

  • 3 posts
I too have found what looks like a piece of malware on a client computer called "WindowsSafeMode". It looks like it's booted Windows into safe mode. NOTHING I have tried can bypass this program and I will need to go to the client site to try to cold boot. Question is, in another thread I saw someone with the same problem who was advised to download a program called OTL or something - is this a fix for the problem? My client is pissed, blaming me for it, and does not seem to understand the meaning of "stay away from [bleep] sites". Any advice (soon) will be appreciated. Yes, I have antivirus software installed and Malwarebytes, but they did not catch the problem.


#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi. OTLPE will only fix it if directed to do so. The prime aim of the tool is analysis and then removal of suspect files. It is a "dumb" programme, inasmuch as it can only do what it is told; it has no malware database or the like.

This appears to be something new and I am currently waiting on the log from the other victim before I can even see what is wrong. If you wish, you could run OTLPE and post the log here, as the more data I get the better.

Please print these instructions out so that you know what you are doing.


  • Download OTLPEStd.exe to your desktop
  • Download scan.txt to a USB drive
    [attachment=48185:scan.txt]
  • Ensure that you have a blank CD in the drive
  • Double-click OTLPEStd.exe and this will then open ImgBurn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :D

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Double click the Custom scans and fixes box
  • In the dialogue locate the scan.txt you have on the USB
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.


#3
davidmgosselin

    New Member

  • Topic Starter
  • 3 posts
OK, I ran OTLPE and here is the output:


OTL logfile created on: 3/5/2011 10:47:04 AM - Run
OTLPE by OldTimer - Version 3.1.45.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 782.00 Mb Available Physical Memory | 76.00% Memory free
906.00 Mb Paging File | 838.00 Mb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.28 Gb Total Space | 1.79 Gb Free Space | 4.81% Space Free | Partition Type: NTFS
Drive D: | 28.63 Gb Total Space | 24.88 Gb Free Space | 86.93% Space Free | Partition Type: NTFS
Drive E: | 3.74 Gb Total Space | 3.02 Gb Free Space | 80.77% Space Free | Partition Type: FAT32
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (LogMeIn)
SRV - File not found [Auto] -- -- (LMIMaint)
SRV - File not found [Auto] -- -- (LMIGuardianSvc)
SRV - File not found [On_Demand] -- -- (AppMgmt)
SRV - [2011/01/05 20:14:19 | 003,129,432 | ---- | M] () [Auto] -- C:\Program Files\Common Files\Akamai\netsession_win_dbc0250.dll -- (Akamai)
SRV - [2010/03/25 20:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/02/19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2008/11/14 11:47:50 | 000,200,704 | ---- | M] (SoundMovieServer) [On_Demand] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SoundMovieServer)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2006/10/13 16:01:06 | 000,207,664 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2005/10/24 06:33:04 | 000,491,520 | ---- | M] ( ) [On_Demand] -- C:\WINDOWS\System32\lxcicoms.exe -- (lxci_device)
SRV - [2004/03/18 15:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand] -- C:\windows\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (UltraMonMirror)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Auto] -- -- (MCSTRM)
DRV - File not found [Kernel | Auto] -- -- (LMIInfo)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (AR5211)
DRV - File not found [Kernel | Unavailable] -- -- (19521E)
DRV - [2010/12/08 13:12:02 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/09/01 08:13:23 | 000,625,024 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\windows\system32\drivers\WMP110v2.sys -- (WMP110v2)
DRV - [2010/01/27 11:22:02 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\windows\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2008/11/14 11:58:12 | 000,003,768 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand] -- C:\windows\system32\drivers\SndTVideo.sys -- (SndTVideo)
DRV - [2008/11/14 11:58:08 | 000,023,096 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand] -- C:\windows\system32\drivers\SndTAudio.sys -- (SndTAudio)
DRV - [2008/07/10 01:49:14 | 000,242,712 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\windows\system32\drivers\RsFx0102.sys -- (RsFx0102)
DRV - [2008/04/13 14:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 13:41:01 | 000,052,352 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\System32\drivers\volsnap.sys -- (VolSnap)
DRV - [2006/10/13 16:04:28 | 001,966,000 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2005/09/26 15:02:50 | 000,362,944 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand] -- C:\windows\system32\drivers\WPN111.sys -- (WPN111)
DRV - [2005/05/23 15:27:00 | 000,137,884 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\windows\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/05/23 15:27:00 | 000,108,003 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\windows\system32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/05/23 15:27:00 | 000,080,272 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\windows\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2005/05/23 15:27:00 | 000,010,864 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\windows\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/03 21:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 21:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 21:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 21:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 21:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 21:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 21:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 21:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 21:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 21:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 21:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 21:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 21:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 21:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2003/07/24 11:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\windows\system32\DNINDIS5.sys -- (DNINDIS5)
DRV - [2002/01/11 00:22:10 | 000,295,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\windows\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001/08/17 11:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\windows\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 11:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\windows\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 11:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\windows\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 11:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\windows\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 07:19:58 | 000,072,192 | ---- | M] (ESS Technology Inc.) [Kernel | On_Demand] -- C:\windows\system32\drivers\es1969.sys -- (es1969) ESS 1969 Audio Driver (WDM)
DRV - [2001/08/17 07:12:32 | 000,016,074 | ---- | M] (NETGEAR Corp.) [Kernel | On_Demand] -- C:\windows\system32\drivers\FA312nd5.sys -- (FA312)
DRV - [1997/12/22 21:02:46 | 000,023,936 | ---- | M] (Adaptec) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.DAVID-E1B40F761.000_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\NetworkService.NT_AUTHORITY_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Owner.DAVID-E1B40F761.004_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKU\Owner.DAVID-E1B40F761.004_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Owner.DAVID-E1B40F761.004_ON_C\..\URLSearchHook: {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\tbElf_.dll (Conduit Ltd.)
IE - HKU\Owner.DAVID-E1B40F761.004_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKU\Owner.DAVID-E1B40F761.004_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Owner.DAVID-E1B40F761.004_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 74.53.91.58:8080

IE - HKU\systemprofile_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/01/14 10:33:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/14 10:33:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/14 10:33:42 | 000,000,000 | ---D | M]

[2010/08/21 08:09:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/05 19:32:52 | 000,000,104 | ---- | M]) - C:\windows\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 avir-guardian.com
O1 - Hosts: 91.206.201.8 www.avir-guardian.com
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\tbElf_.dll (Conduit Ltd.)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\tbElf_.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\Owner.DAVID-E1B40F761.004_ON_C\..\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKU\Owner.DAVID-E1B40F761.004_ON_C\..\Toolbar\WebBrowser: (Elf 1.12 Toolbar) - {38542454-DFB6-44F5-B052-D4E071A3D073} - C:\Program Files\Elf_1.12\tbElf_.dll (Conduit Ltd.)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 7300 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe (HP)
O4 - HKLM..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] File not found
O4 - HKLM..\Run: [LXCICATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.DLL ()
O4 - HKLM..\Run: [lxcimon.exe] C:\Program Files\Lexmark 7300 Series\lxcimon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [TkBellExe] File not found
O4 - HKLM..\Run: [VX1000] C:\windows\vVX1000.exe (Microsoft Corporation)
O4 - HKU\Owner.DAVID-E1B40F761.004_ON_C..\Run: [CE8SIIFGSU] File not found
O4 - HKU\Owner.DAVID-E1B40F761.004_ON_C..\Run: [DW6] File not found
O4 - HKU\Owner.DAVID-E1B40F761.004_ON_C..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\Owner.DAVID-E1B40F761.004_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10g_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN111\WPN111.exe (NETGEAR)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.DAVID-E1B40F761.000_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService.NT_AUTHORITY_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LogMeInRemoteUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService.NT_AUTHORITY_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Owner.DAVID-E1B40F761.004_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Owner.DAVID-E1B40F761.004_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\Owner.DAVID-E1B40F761.004_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\systemprofile_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra 'Tools' menuitem : Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://tky09.celarte...ntrol_en_US.cab (DjVuCtl Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.3.cab (DLM Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.ado...obat/nos/gp.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/07/17 10:38:16 | 000,000,004 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/09/01 08:19:35 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\All Users.WINDOWS\Application Data\EUIYtkYPIOWCxFj.dll) - C:\Documents and Settings\All Users.WINDOWS\Application Data\EUIYtkYPIOWCxFj.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

Drivers32: aux1 - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
Drivers32: msacm.iac2 - C:\windows\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\windows\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)


SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: MsMpSvc - C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: MsMpSvc - C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {0e8d0700-75df-11d3-8b4a-0008c7450c4a} - LizardTech DjVu Activex Control
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - Reg Error: Value error.
ActiveX: {AA218328-0EA8-4D70-8972-E987A9190FF4} - Reg Error: Value error.
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
PhysicalDisk0 MBR saved to C:\Physical0MBR.bin

========== Files/Folders - Created Within 30 Days ==========

[2011/03/05 10:32:09 | 000,000,000 | ---D | C] -- C:\Program Files\Abbyy FineReader 6.0 Sprint
[2011/03/05 10:30:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\NewSoft
[2011/03/05 10:29:49 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Applications
[2011/03/04 15:15:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Start Menu\Programs\Windows Safemode
[2010/10/05 08:15:15 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxciserv.dll
[2010/10/05 08:15:15 | 001,122,304 | ---- | C] ( ) -- C:\WINDOWS\System32\lxciusb1.dll
[2010/10/05 08:15:15 | 000,630,784 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcipmui.dll
[2010/10/05 08:15:15 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxciprox.dll
[2010/10/05 08:15:15 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcipplc.dll
[2010/10/05 08:15:14 | 000,770,048 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcihbn3.dll
[2010/10/05 08:15:14 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcicomc.dll
[2010/10/05 08:15:14 | 000,491,520 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcilmpm.dll
[2010/10/05 08:15:14 | 000,491,520 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcicoms.exe
[2010/10/05 08:15:14 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcicomm.dll
[2010/10/05 08:15:14 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\lxciih.exe
[2010/10/05 08:15:14 | 000,368,640 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcicfg.exe
[2006/02/04 09:47:11 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Owner.DAVID-E1B40F761.004\My Documents\*.tmp files -> C:\Documents and Settings\Owner.DAVID-E1B40F761.004\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/05 10:48:06 | 000,000,512 | ---- | M] () -- C:\Physical0MBR.bin
[2011/03/05 10:24:25 | 1072,549,888 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/05 08:58:00 | 000,000,296 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/03/05 08:45:00 | 000,000,296 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/03/05 08:43:03 | 000,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-630328440-725345543-1003UA.job
[2011/03/05 08:36:44 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1214440339-630328440-725345543-1003.job
[2011/03/05 08:36:37 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1214440339-630328440-725345543-1003.job
[2011/03/05 08:36:17 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/03/05 08:36:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/05 08:36:00 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2011/03/05 08:36:00 | 000,000,246 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/03/05 08:35:59 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\Cofch.job
[2011/03/05 08:35:47 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/05 08:35:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/05 08:30:00 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2011/03/05 08:21:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/05 02:00:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-DAVID-E1B40F761-Owner.job
[2011/03/04 15:15:55 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Desktop\Windows Safemode.lnk
[2011/03/04 14:52:46 | 000,003,064 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/04 10:36:00 | 000,000,452 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20090406103646.job
[2011/03/04 09:43:00 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/04 09:43:00 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-630328440-725345543-1003Core.job
[2011/02/28 08:11:00 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2011/02/26 03:01:54 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/10 07:28:52 | 000,293,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/10 03:08:52 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/08 03:16:00 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Owner.DAVID-E1B40F761.004\My Documents\*.tmp files -> C:\Documents and Settings\Owner.DAVID-E1B40F761.004\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/05 10:48:06 | 000,000,512 | ---- | C] () -- C:\Physical0MBR.bin
[2011/03/04 15:15:55 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Desktop\Windows Safemode.lnk
[2011/01/19 20:05:08 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\vvuc.sys
[2011/01/17 08:02:48 | 000,069,632 | RHS- | C] () -- C:\WINDOWS\System32\kbdlt1A.dll
[2010/10/05 08:15:15 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcivs.dll
[2010/08/21 08:09:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/16 08:06:39 | 000,149,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\ar5523.bin
[2010/07/14 11:53:21 | 000,651,264 | R--- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010/07/14 10:52:32 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010/03/30 12:04:30 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/25 11:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2009/11/28 17:10:28 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/08/26 08:05:45 | 000,003,064 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/22 17:56:22 | 000,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/13 15:22:07 | 000,000,186 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/02/05 22:01:10 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/06 10:35:03 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/08/17 09:56:30 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\cdTextCtl.dll
[2008/06/02 10:57:03 | 000,093,421 | ---- | C] () -- C:\WINDOWS\HPHins03.dat
[2008/06/02 10:57:03 | 000,002,655 | ---- | C] () -- C:\WINDOWS\hphmdl03.dat
[2008/06/02 10:56:19 | 000,009,505 | ---- | C] () -- C:\WINDOWS\System32\hphmon06.dat
[2008/06/01 11:35:27 | 004,718,592 | -H-- | C] () -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\NTUSER.bak
[2008/05/29 18:41:31 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.bak
[2008/05/29 18:41:20 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.bak
[2008/05/29 18:39:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/05/29 18:33:00 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/05/29 14:07:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/05/29 14:06:28 | 000,293,272 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/05/16 14:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/05/16 14:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/05/16 14:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/05/16 14:01:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/07/26 17:22:42 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2006/02/28 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 07:00:00 | 001,288,192 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2006/02/28 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 07:00:00 | 000,531,060 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 07:00:00 | 000,103,910 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 07:00:00 | 000,052,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\volsnap.sys
[2006/02/28 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/12/27 05:38:04 | 000,054,765 | ---- | C] () -- C:\WINDOWS\System32\drivers\LMFilt.sys

========== LOP Check ==========

[2010/11/22 08:00:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Windows Search
[2008/07/07 07:19:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\alot
[2008/12/29 21:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\Amazon
[2010/06/04 15:39:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/06/04 09:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\FileZilla
[2009/08/18 13:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\GetRightToGo
[2010/03/05 20:03:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\IObit
[2009/08/29 12:38:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\KIDASA
[2011/01/10 21:25:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong
[2009/11/27 16:52:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\proDAD
[2009/03/20 11:14:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\SmartDraw
[2010/12/28 16:12:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\TechWizard
[2008/12/29 13:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\uTorrent
[2009/06/06 16:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\Walgreens
[2009/08/19 16:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\Windows Desktop Search
[2009/09/16 12:34:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DAVID-E1B40F761.004\Application Data\Windows Search
[2011/03/05 08:35:59 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\Tasks\Cofch.job
[2011/02/08 03:16:00 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
[2011/03/05 08:45:00 | 000,000,296 | -H-- | M] () -- C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/03/05 08:36:00 | 000,000,246 | -H-- | M] () -- C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2011/03/05 08:58:00 | 000,000,296 | -H-- | M] () -- C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/08/10 17:57:47 | 000,001,024 | ---- | M] () -- C:\.rnd
[2003/11/26 19:27:45 | 004,384,311 | ---- | M] () -- C:\20031126-007-i32.exe
[2004/11/08 12:40:58 | 000,429,032 | ---- | M] (Adobe Systems) -- C:\AdbeRdr60_DLM_enu_full.exe
[2004/04/05 23:00:32 | 001,756,856 | ---- | M] () -- C:\AiRoboForm-cnety.exe
[2007/12/14 18:48:38 | 015,600,792 | ---- | M] (Oberon Media Inc.) -- C:\Amazonia-setup.exe
[2002/07/17 10:38:16 | 000,000,004 | ---- | M] () -- C:\autoexec.bat
[2010/05/10 08:12:44 | 000,160,752 | ---- | M] () -- C:\bar.emf
[2008/05/29 18:23:47 | 000,000,319 | -HS- | M] () -- C:\boot.ini
[2001/10/09 12:30:18 | 000,000,112 | -HS- | M] () -- C:\BOOTLOG.TXT
[2001/10/09 12:30:20 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
[2009/11/17 12:04:10 | 000,004,942 | R--- | M] () -- C:\CLDMA.LOG
[2008/05/29 12:13:02 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/05/04 16:03:15 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2004/01/01 19:27:57 | 002,861,110 | ---- | M] () -- C:\CubisDeluxe.exe
[2006/12/28 13:41:06 | 008,756,120 | ---- | M] () -- C:\cubisgold2-setup.exe
[2004/05/25 16:59:31 | 003,696,336 | ---- | M] (iCentric Corp.) -- C:\dgt.exe
[2007/04/11 17:48:25 | 000,000,004 | -HS- | M] () -- C:\dllimp_regmsft985
[2006/11/24 17:24:18 | 000,000,203 | ---- | M] () -- C:\DownloadLog.txt
[1999/04/23 22:22:00 | 000,068,871 | RHS- | M] () -- C:\DRVSPACE.BIN
[2004/06/07 18:50:35 | 000,047,648 | ---- | M] () -- C:\fixhosts.exe
[2003/06/10 18:47:20 | 000,005,106 | ---- | M] () -- C:\GatorPatch.log
[2011/03/05 10:24:25 | 1072,549,888 | -HS- | M] () -- C:\hiberfil.sys
[2003/07/03 07:23:06 | 000,139,040 | ---- | M] () -- C:\hpfr5550.log
[2007/05/11 17:57:40 | 000,000,132 | ---- | M] () -- C:\ICSYSINF.log
[2010/03/30 12:24:13 | 000,028,824 | ---- | M] () -- C:\img2-001.raw
[2010/01/10 17:16:49 | 000,230,424 | ---- | M] () -- C:\img2-005.raw
[2007/05/11 17:52:38 | 000,657,952 | ---- | M] () -- C:\InterCasino%20Installer.exe
[2001/10/09 12:50:50 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/10/25 18:28:33 | 000,000,139 | ---- | M] () -- C:\ioSpecial.ini
[2006/02/16 15:52:29 | 000,157,170 | ---- | M] () -- C:\log.txt
[2007/11/18 10:57:21 | 000,230,206 | ---- | M] () -- C:\logfile
[2011/01/19 20:50:39 | 000,009,564 | ---- | M] () -- C:\lxci.log
[2010/10/05 08:15:04 | 000,000,275 | ---- | M] () -- C:\lxcifire.csv
[2010/10/05 08:15:27 | 000,000,867 | ---- | M] () -- C:\lxciinst.csv
[2007/05/11 20:25:16 | 000,085,136 | ---- | M] (Big Fish Games) -- C:\magicball3_s1_l1_gF1347T1L1_d1292921.exe
[2003/11/13 14:43:01 | 010,135,688 | ---- | M] (Microsoft Corporation) -- C:\MPSetupXP.exe
[2001/10/09 12:50:50 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/04/25 17:23:53 | 005,425,288 | ---- | M] () -- C:\msgrplus.exe
[2004/05/10 15:39:03 | 000,000,174 | ---- | M] () -- C:\mw.log
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/07/19 08:07:41 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2004/06/06 14:44:03 | 013,588,888 | ---- | M] (Microsoft Corporation) -- C:\O2kSp3.exe
[2004/06/06 14:33:30 | 000,788,000 | ---- | M] (Microsoft Corporation) -- C:\officexp-kb833858-client-enu.exe
[2004/06/06 14:35:23 | 016,835,104 | ---- | M] (Microsoft Corporation) -- C:\OfficeXpSp3-kb832671-client-enu.exe
[2011/03/05 10:24:20 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2007/05/11 17:43:46 | 009,099,470 | ---- | M] () -- C:\ParadisePokerSetup.exe
[2011/03/05 10:48:06 | 000,000,512 | ---- | M] () -- C:\Physical0MBR.bin
[2007/11/22 12:31:23 | 000,042,650 | ---- | M] () -- C:\playground.log
[2003/12/15 12:52:03 | 008,676,536 | ---- | M] (RealNetworks, Inc.) -- C:\RealOnePlayerV2GOLD.exe
[2011/01/19 21:15:52 | 000,000,507 | ---- | M] () -- C:\rkill.log
[2011/03/05 10:33:33 | 000,000,172 | ---- | M] () -- C:\setupfax.log
[2008/06/01 13:25:39 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/06/01 13:30:47 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/06/01 14:11:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/06/01 14:18:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/06/02 02:06:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/06/02 09:27:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/06/09 16:26:14 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/07/06 13:49:58 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/10/16 02:16:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/10/21 07:47:33 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/10/23 18:42:27 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/10/25 02:05:58 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/11/11 07:23:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/12/01 07:29:32 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/12/09 07:25:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/01/07 09:30:19 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/01/14 03:08:19 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/01/16 21:39:52 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/02/01 07:55:59 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/03/18 21:32:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008/06/01 13:25:39 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/06/01 13:30:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/06/01 14:11:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/06/01 14:18:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/06/02 02:06:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008/06/02 09:27:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008/06/09 16:26:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/07/06 13:49:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/10/16 02:16:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/10/21 07:47:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/10/23 18:42:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/10/25 02:05:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/11/11 07:23:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/12/01 07:29:32 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/12/09 07:25:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/01/07 09:30:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/01/14 03:08:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/01/16 21:39:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/02/01 07:55:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/03/18 21:32:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/03/05 19:31:19 | 000,020,480 | -H-- | M] () -- C:\SZKGFS.dat
[2002/10/22 15:57:32 | 000,000,000 | ---- | M] () -- C:\temp.html
[2003/11/14 16:39:41 | 000,000,021 | ---- | M] () -- C:\url.txt
[2008/06/16 00:25:27 | 000,000,146 | ---- | M] () -- C:\YServer.txt
[2004/09/03 15:24:02 | 004,988,672 | ---- | M] () -- C:\zumadeluxesetup.exe


< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\windows\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\windows\ServicePackFiles\i386\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINNT\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\windows\$NtServicePackUninstall$\explorer.exe
[2006/02/28 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\windows\$NtUninstallKB938828$\explorer.exe
[2006/02/28 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINNT\explorer.exe
[2006/02/28 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINNT\system32\dllcache\explorer.exe

< MD5 for: SFC.DLL >
[2008/04/13 19:12:05 | 000,005,120 | ---- | M] (Microsoft Corporation) MD5=96E1C926F22EE1BFBAE82901A35F6BF3 -- C:\windows\ServicePackFiles\i386\sfc.dll
[2008/04/13 19:12:05 | 000,005,120 | ---- | M] (Microsoft Corporation) MD5=96E1C926F22EE1BFBAE82901A35F6BF3 -- C:\windows\system32\sfc.dll
[2008/04/13 19:12:05 | 000,005,120 | ---- | M] (Microsoft Corporation) MD5=96E1C926F22EE1BFBAE82901A35F6BF3 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\sfc.dll
[2006/02/28 07:00:00 | 000,005,120 | ---- | M] (Microsoft Corporation) MD5=E8A12A12EA9088B4327D49EDCA3ADD3E -- C:\windows\$NtServicePackUninstall$\sfc.dll
[2006/02/28 07:00:00 | 000,005,120 | ---- | M] (Microsoft Corporation) MD5=E8A12A12EA9088B4327D49EDCA3ADD3E -- C:\WINNT\system32\dllcache\sfc.dll
[2006/02/28 07:00:00 | 000,005,120 | ---- | M] (Microsoft Corporation) MD5=E8A12A12EA9088B4327D49EDCA3ADD3E -- C:\WINNT\system32\sfc.dll

< MD5 for: USERINIT.EXE >
[2006/02/28 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\windows\$NtServicePackUninstall$\userinit.exe
[2006/02/28 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINNT\system32\dllcache\userinit.exe
[2006/02/28 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINNT\system32\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\windows\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\windows\system32\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe

< MD5 for: WINLOGON.EXE >
[2006/02/28 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\windows\$NtServicePackUninstall$\winlogon.exe
[2006/02/28 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINNT\system32\dllcache\winlogon.exe
[2006/02/28 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINNT\system32\winlogon.exe
[2004/05/26 20:38:46 | 000,483,328 | ---- | M] (Microsoft Corporation) MD5=E7F9D2E4E4A94A6F58014E5FFA16A65E -- C:\WINNT\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\windows\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\windows\system32\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINNT\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
[2003/11/26 19:27:45 | 004,384,311 | ---- | M] () -- C:\20031126-007-i32.exe
[2004/11/08 12:40:58 | 000,429,032 | ---- | M] (Adobe Systems) -- C:\AdbeRdr60_DLM_enu_full.exe
[2004/04/05 23:00:32 | 001,756,856 | ---- | M] () -- C:\AiRoboForm-cnety.exe
[2007/12/14 18:48:38 | 015,600,792 | ---- | M] (Oberon Media Inc.) -- C:\Amazonia-setup.exe
[2004/01/01 19:27:57 | 002,861,110 | ---- | M] () -- C:\CubisDeluxe.exe
[2006/12/28 13:41:06 | 008,756,120 | ---- | M] () -- C:\cubisgold2-setup.exe
[2004/05/25 16:59:31 | 003,696,336 | ---- | M] (iCentric Corp.) -- C:\dgt.exe
[2004/06/07 18:50:35 | 000,047,648 | ---- | M] () -- C:\fixhosts.exe
[2007/05/11 17:52:38 | 000,657,952 | ---- | M] () -- C:\InterCasino%20Installer.exe
[2007/05/11 20:25:16 | 000,085,136 | ---- | M] (Big Fish Games) -- C:\magicball3_s1_l1_gF1347T1L1_d1292921.exe
[2003/11/13 14:43:01 | 010,135,688 | ---- | M] (Microsoft Corporation) -- C:\MPSetupXP.exe
[2004/04/25 17:23:53 | 005,425,288 | ---- | M] () -- C:\msgrplus.exe
[2004/06/06 14:44:03 | 013,588,888 | ---- | M] (Microsoft Corporation) -- C:\O2kSp3.exe
[2004/06/06 14:33:30 | 000,788,000 | ---- | M] (Microsoft Corporation) -- C:\officexp-kb833858-client-enu.exe
[2004/06/06 14:35:23 | 016,835,104 | ---- | M] (Microsoft Corporation) -- C:\OfficeXpSp3-kb832671-client-enu.exe
[2007/05/11 17:43:46 | 009,099,470 | ---- | M] () -- C:\ParadisePokerSetup.exe
[2003/12/15 12:52:03 | 008,676,536 | ---- | M] (RealNetworks, Inc.) -- C:\RealOnePlayerV2GOLD.exe
[2004/09/03 15:24:02 | 004,988,672 | ---- | M] () -- C:\zumadeluxesetup.exe


< End of report >

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, I think I have found it: it shows in the appcert chain and within the start-up folder, along with several jobs. Did you set the 8080 proxy? "ProxyServer" = 74.53.91.58:8080
Also, Task Manager was disabled.

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB
[attachment=48195:fix.txt]
  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason, then press the Run Fix button; a dialogue box will pop up asking for the location, so select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, and when it is done reboot to normal mode if possible
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

THEN

From normal mode

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT!!! Save ComboFix.exe to your Desktop.


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5
davidmgosselin

davidmgosselin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Everything seems to be working fine now, thank you. Following is the contents of ComboFix.txt:

ComboFix 11-03-05.01 - Owner 03/07/2011 8:59.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.642 [GMT -5:00]
Running from: c:\documents and settings\Owner.DAVID-E1B40F761.004\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\Crosswrd.ldb
c:\documents and settings\All Users.WINDOWS\Application Data\62062.exe
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_10\Button_10.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_10\Button_10.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_11\Button_11.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_11\Button_11.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\products\products.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\products\products.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_2\images\alert-icon.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_2\images\clear.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_2\images\default_281_alot_weather_widget.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_2\images\nrain.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_3\images\default_246_alot_weather_radar.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_4\images\default_247_alot_weather_detailed.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_5\images\default_248_alot_weather_severe.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_6\images\default_249_default_243_alot_news_mrkt_nyt.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Button_7\images\default_452_alot_mrkt_180.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\toolbar.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Owner.DAVID-E1B40F761.004\System
c:\documents and settings\Owner.DAVID-E1B40F761.004\System\win_qs8.jqx
c:\documents and settings\Owner\raw101.exe
c:\documents and settings\Owner\runonce.exe
c:\program files\CxtPls
c:\program files\CxtPls\AI_10-04-2005.log
c:\program files\CxtPls\AI_11-04-2005.log
c:\program files\CxtPls\AI_12-04-2005.log
c:\program files\CxtPls\AI_13-04-2005.log
c:\program files\CxtPls\AI_14-04-2005.log
c:\program files\CxtPls\atl.dll
c:\program files\CxtPls\data.bin
c:\program files\Srng
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
E:\AUTORUN.INF
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :D
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 13:31 . 2011-03-07 13:31 -------- d-----w- C:\_OTL
2011-03-05 15:48 . 2011-03-05 15:48 512 ----a-w- C:\Physical0MBR.bin
2011-03-05 15:32 . 2011-03-05 15:32 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2011-03-05 15:31 . 2005-04-04 04:02 69714 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-03-05 15:31 . 2005-04-04 04:01 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-03-05 15:31 . 2005-04-04 04:00 184320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-03-05 15:31 . 2005-04-04 04:02 753664 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-03-05 15:31 . 2005-04-04 03:59 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-03-05 15:31 . 2011-03-05 15:31 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-03-05 15:31 . 2011-03-05 15:31 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-03-05 15:30 . 2011-03-05 15:30 -------- d-----w- c:\program files\Common Files\NewSoft
2011-03-05 15:29 . 2011-03-05 15:29 -------- d-----w- c:\program files\Lexmark Applications
2011-03-05 15:29 . 2005-02-23 20:43 614532 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-03-05 15:25 . 2011-03-05 15:25 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2011-03-05 15:25 . 2011-03-05 15:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-05 15:24 . 2011-03-05 15:24 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2011-03-05 15:00 . 2011-03-05 15:00 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-17 13:02 . 2011-01-17 13:02 224256 ----a-w- c:\windows\Wbotea.exe
2011-01-14 15:32 . 2003-03-19 00:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-14 15:32 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-28 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2006-02-28 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2006-02-28 12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2006-02-28 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2006-02-28 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-08 18:12 . 2010-08-10 22:58 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 18:11 . 2010-08-10 22:58 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 18:11 . 2010-08-10 22:58 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 18:11 . 2010-08-10 22:57 87424 ----a-w- c:\windows\system32\LMIinit.dll
2006-02-04 14:46 . 2006-02-04 14:47 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{38542454-dfb6-44f5-b052-d4e071a3d073}"= "c:\program files\Elf_1.12\tbElf_.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{38542454-dfb6-44f5-b052-d4e071a3d073}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 20:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38542454-dfb6-44f5-b052-d4e071a3d073}]
2010-11-29 20:26 3908192 ----a-w- c:\program files\Elf_1.12\tbElf_.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{38542454-dfb6-44f5-b052-d4e071a3d073}"= "c:\program files\Elf_1.12\tbElf_.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{38542454-dfb6-44f5-b052-d4e071a3d073}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{38542454-DFB6-44F5-B052-D4E071A3D073}"= "c:\program files\Elf_1.12\tbElf_.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{38542454-dfb6-44f5-b052-d4e071a3d073}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-07 39408]
"Google Update"="c:\documents and settings\Owner.DAVID-E1B40F761.004\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-19 133104]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-02-17 5244216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"VX1000"="c:\windows\vVX1000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-11-18 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"LogMeIn GUI"="e:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"LXCICATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2005-09-08 73728]
"lxcimon.exe"="c:\program files\Lexmark 7300 Series\lxcimon.exe" [2007-02-02 205744]
"EzPrint"="c:\program files\Lexmark 7300 Series\ezprint.exe" [2007-02-02 103344]
"TkBellExe"="e:\program files\update\realsched.exe" [2011-01-14 274608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Owner.DAVID-E1B40F761.004\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2010-3-4 41051]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2010-7-16 884838]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\windows\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Owner.DAVID-E1B40F761.004\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\windows\\system32\\rtcshare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Owner.DAVID-E1B40F761.004\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1120:TCP"= 1120:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 7:00 AM 14336]
R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [3/4/2010 10:27 AM 24645]
R2 LMIGuardianSvc;LMIGuardianSvc;e:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/2/2010 9:07 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;e:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 11:22 AM 12856]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [1/5/2009 2:30 PM 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [1/5/2009 2:30 PM 3768]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2010 8:11 AM 135664]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [7/16/2010 8:06 AM 17149]
S3 es1969;ESS 1969 Audio Driver (WDM);c:\windows\system32\drivers\es1969.sys [5/29/2008 2:10 PM 72192]
S3 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service --> c:\windows\system32\lxcicoms.exe -service [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/5/2010 8:04 PM 38224]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [1/5/2009 2:31 PM 200704]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
S3 WMP110v2;Linksys WMP110 RangePlus Wireless PCI Adapter Wireless Driver;c:\windows\system32\drivers\WMP110v2.sys [3/28/2008 5:38 PM 625024]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [7/16/2010 8:06 AM 362944]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 23:08]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-22 13:11]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-22 13:11]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-630328440-725345543-1003Core.job
- c:\documents and settings\Owner.DAVID-E1B40F761.004\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 13:18]
.
2011-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-630328440-725345543-1003UA.job
- c:\documents and settings\Owner.DAVID-E1B40F761.004\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 13:18]
.
2011-03-06 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe [2008-05-27 05:09]
.
2011-03-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1214440339-630328440-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-02-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-03-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1214440339-630328440-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 74.53.91.58:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Owner.DAVID-E1B40F761.004\Application Data\Mozilla\Firefox\Profiles\j89ijma8.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-DW6 - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 09:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCICATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|˙˙˙˙Ŕ•€|ů•A~*]
"DC3BF90CC0D3D2F398A9A6D1762F70F3"=multi:"M?\00\03\00\00\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-03-07 09:13:10
ComboFix-quarantined-files.txt 2011-03-07 14:13
.
Pre-Run: 3,083,452,416 bytes free
Post-Run: 4,724,908,032 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 6AFFCE58C1FAE619B1E16F2440CDB35C
  • 0
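A small triage script for ComboFix-style logs, written for this thread as an added example (it is not ComboFix's own code and not something the helper above posted): it pulls the Run-key autostarts, the ProxyServer line and the "Other Deletions" paths out of a log in the format shown above and flags the two things the helper keyed on, a proxy pointing at an external address and executables started straight out of a profile data folder. The sample log, its "Updater" Run entry for 62062.exe and the flagging heuristics are all assumptions made for the example.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Walks the banner-delimited sections, collects Run-key autostarts, the
ProxyServer line and the "Other Deletions" paths, then flags an external
proxy and .exe files launched straight from a profile data folder.
"""
import ipaddress
import re

# Banner lines such as "(((( Other Deletions ))))" or "--- Supplementary Scan ---"
SECTION_RE = re.compile(r"^(?:\({3,}|-{3,})\s*(.+?)\s*(?:\){3,}|-{3,})$")
KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...\Run]
VALUE_RE = re.compile(                                  # "name"="path" [date size]
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"(?:\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\])?$')
PROXY_RE = re.compile(r"^[umUM]?Internet Settings,ProxyServer\s*=\s*(\S+)$")

PROFILE_ROOT = "c:\\documents and settings\\"
# Folders (relative to the profile) where a bare .exe with no vendor subfolder is unusual.
BARE_DATA_DIRS = {"", "application data", "local settings\\application data",
                  "local settings\\temp", "temp"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_bare_profile_dir(path):
    """True for an .exe sitting directly in a profile root or data folder."""
    p = path.lower()
    if not p.startswith(PROFILE_ROOT):
        return False
    parts = p[len(PROFILE_ROOT):].split("\\")   # profile, dirs..., file
    if len(parts) < 2 or not parts[-1].endswith(".exe"):
        return False
    return "\\".join(parts[1:-1]) in BARE_DATA_DIRS


def classify_proxy(value):
    """Classify a ProxyServer value as none / local / external / hostname."""
    if not value:
        return "none"
    entry = value.split(";")[0]            # handles "http=host:port;https=..." form
    if "=" in entry:
        entry = entry.split("=", 1)[1]
    host = entry.rsplit(":", 1)[0] if ":" in entry else entry
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"                  # would need a lookup; not judged here
    return "local" if any(ip in net for net in LOCAL_NETS) else "external"


def triage(text):
    """Parse one log and return the collected entries plus the flagged ones."""
    section, key, proxy = None, None, None
    autostarts, deleted, disinfected = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            autostarts.append({"key": key, "name": m["name"], "path": m["path"]})
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1)
            continue
        if section == "other deletions":
            (disinfected if line.startswith("Infected copy") else deleted).append(line)
    return {"autostarts": autostarts,
            "suspicious_autostarts": [a for a in autostarts if in_bare_profile_dir(a["path"])],
            "deleted": deleted, "disinfected": disinfected,
            "proxy": proxy, "proxy_class": classify_proxy(proxy)}


# Constructed sample in the log's shape; the "Updater" Run entry is made up.
SAMPLE_LOG = r"""
(((((((((((((((((( Other Deletions ))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Application Data\62062.exe
c:\documents and settings\Owner\runonce.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
.
(((((((((((((((((( Reg Loading Points ))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-07 39408]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-19 133104]
"Updater"="c:\documents and settings\Owner\Application Data\62062.exe" [2011-01-17 224256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-11-18 155648]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 74.53.91.58:8080
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("proxy:", result["proxy"], "->", result["proxy_class"])
    for a in result["suspicious_autostarts"]:
        print("review autostart:", a["name"], "=", a["path"])
```

Entries flagged this way still need a human look: the heuristic deliberately skips vendor subfolders such as the Google Update path so that common legitimate per-user updaters are not reported.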

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Good. A quick sweep for orphans now, and could you then let me know of any problems remaining?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#7
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0