Geeks to Go

Windows Repair and Hard disk failure warnings?


  • This topic is locked

#16
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Once the problem is determined, generally the cure is easy. The devil is in finding the problem :) On completion of these two runs, can you let me know what problems are outstanding - is it just the desktop icons missing, or is it the start menu items as well?

OK, let's now get to town on the remaining miscreants.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [VOSwDthSgMPbD] C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe (GPA)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup\sbcdsl.exe
    [2011/04/01 19:21:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Paul G!\Start Menu\Programs\Windows Repair
    [2011/04/01 19:11:09 | 000,533,504 | -H-- | C] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
    [2011/04/01 19:21:42 | 000,000,104 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~24764212
    [2011/04/01 19:21:41 | 000,000,120 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~24764212r
    [2011/04/01 19:21:16 | 000,000,809 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk
    [2011/04/01 19:20:35 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212
    [2011/04/01 19:20:22 | 000,459,776 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
    [2011/04/01 19:10:54 | 000,533,504 | -H-- | M] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
    [2011/04/01 19:21:41 | 000,000,120 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~24764212r
    [2011/04/01 19:21:41 | 000,000,104 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~24764212
    [2011/04/01 19:21:16 | 000,000,809 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk
    [2011/04/01 19:20:35 | 000,000,344 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212
    [2011/04/01 19:20:22 | 000,459,776 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\All Users\Application Data\24764212.exe
    C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
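The OTL fix above works by hand-picking the lines that matter from a much larger scan log: the two `DisableTaskMgr = 1` policy values, the `O4` Run entry and the executables dropped straight into the shared `All Users\Application Data` folder, and the `MountPoints2` AutoRun command. The following Python script is an added example, written for this thread and not part of Essexboy's post or of OTL itself: it parses lines in the format OTL prints and reports exactly those indicator classes, so a helper can triage a fresh log mechanically before deciding what to put in a fix script. The sample log lines are constructed to mirror the post's log (with a generic user name); the rule names, the `paths_to_review` helper and the assumption that a rogue-AV dropper sits directly in the shared Application Data root are my own.

```python
"""Triage OTL-style log lines for the indicators a rogue "Windows Repair" infection leaves.

Added example for this forum thread; not OTL's code. It parses the O4/O6/O7/O33
registry lines and the "[date | size | attrs | C|M] (company) -- path" file lines
in the format OTL prints, and flags four things a helper looks for first:
Task Manager disabled by policy, a Run entry that launches from the shared
Application Data folder, executables dropped directly into that folder, and an
AutoRun command attached to a mounted volume.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# XP-era location of the shared ProgramData folder (case-insensitive compare below)
SHARED_APPDATA = r"\all users\application data"

REG_LINE = re.compile(r"^(?P<tag>O\d+) - (?P<body>.+)$")
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)
POLICY = re.compile(r"^(?P<key>HK\w+\\.*\\policies\\System): (?P<value>\w+) = (?P<data>\S+)$")
AUTORUN_CMD = re.compile(r'^MountPoints2\\(?P<vol>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str            # short rule name (assumed naming, not OTL terminology)
    detail: str          # human-readable explanation
    path: Optional[str] = None  # file or command path, when the line carries one


def _in_shared_appdata(path: str) -> bool:
    """True when the file sits directly in All Users\\Application Data (not a subfolder)."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith(SHARED_APPDATA)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Scan OTL log lines and return the findings in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            tag, body = m.group("tag"), m.group("body")
            if tag == "O4":
                r = RUN_ENTRY.match(body)
                if r and _in_shared_appdata(r.group("path")):
                    findings.append(Finding(
                        "autostart-shared-appdata",
                        f"{r.group('hive')} Run entry [{r.group('name')}] launches from the shared Application Data folder",
                        r.group("path")))
            elif tag in ("O6", "O7"):
                p = POLICY.match(body)
                if p and p.group("value") == "DisableTaskMgr" and p.group("data") == "1":
                    findings.append(Finding("taskmgr-disabled", f"{p.group('key')} sets DisableTaskMgr = 1"))
            elif tag == "O33":
                a = AUTORUN_CMD.match(body)
                if a:
                    findings.append(Finding(
                        "mountpoint-autorun", f"volume {a.group('vol')} carries an AutoRun command", a.group("cmd")))
            continue
        f = FILE_LINE.match(line)
        if f and f.group("path").lower().endswith(".exe") and _in_shared_appdata(f.group("path")):
            company = f.group("company") or "<no company name>"
            findings.append(Finding(
                "exe-shared-appdata",
                f"executable ({f.group('kind')} {f.group('ts')}, company: {company}) in the shared Application Data root",
                f.group("path")))
    return findings


def paths_to_review(findings: Iterable[Finding]) -> List[str]:
    """Unique file/command paths referenced by the findings, for the helper to inspect."""
    return sorted({f.path for f in findings if f.path})


# Constructed sample, modelled on the OTL log quoted in this thread (generic user name).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [VOSwDthSgMPbD] C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe (GPA)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup\sbcdsl.exe
[2011/04/01 19:11:09 | 000,533,504 | -H-- | C] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
[2011/04/01 19:20:22 | 000,459,776 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
[2011/04/01 20:48:31 | 000,580,608 | -H-- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2011/04/01 19:21:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Windows Repair
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG.splitlines()):
        print(f"[{item.rule}] {item.detail}" + (f" -> {item.path}" if item.path else ""))
    print("paths to review:", paths_to_review(triage(SAMPLE_LOG.splitlines())))
```

Run against the sample it reports six findings: both DisableTaskMgr policies, the VOSwDthSgMPbD Run entry, the two executables in the shared Application Data root and the D: AutoRun command, while the legitimate NVIDIA Run entry and OTL.exe on the desktop are left alone. The attribute column is deliberately ignored: OTL shows `-H--` for most files, including explorer.exe, so it is not a useful discriminator.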



#17
PaulG!

    Member

  • Topic Starter
  • Member
  • 80 posts
Thanks. I ran the fix and it ended (showed "processing complete" at lower left) by freezing. When I restarted it, this log was there:

************************************


All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\VOSwDthSgMPbD not found.
File C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
File D:\setup\sbcdsl.exe not found.
Folder C:\Documents and Settings\Paul G!\Start Menu\Programs\Windows Repair\ not found.
File C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
File C:\Documents and Settings\All Users\Application Data\~24764212 not found.
File C:\Documents and Settings\All Users\Application Data\~24764212r not found.
File C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk not found.
File C:\Documents and Settings\All Users\Application Data\24764212 not found.
File C:\Documents and Settings\All Users\Application Data\24764212.exe not found.
File C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
File C:\Documents and Settings\All Users\Application Data\~24764212r not found.
File C:\Documents and Settings\All Users\Application Data\~24764212 not found.
File C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk not found.
File C:\Documents and Settings\All Users\Application Data\24764212 not found.
File C:\Documents and Settings\All Users\Application Data\24764212.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Paul G!\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Paul G!\Desktop\cmd.txt deleted successfully.
File\Folder C:\Documents and Settings\All Users\Application Data\24764212.exe not found.
File\Folder C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Paul G!
->Temp folder emptied: 2943221 bytes
->Temporary Internet Files folder emptied: 1020632643 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 58154085 bytes
->Flash cache emptied: 10105 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,032.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Paul G!
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 04282011_163557

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


****************************
****************************

It looks like all my Desktop icons are back, but 'blued' out. They look like they were selected, but the text doesn't have a light blue background (so they aren't really selected), but I can select them and use them (at least my "Jellyfish" backgammon game works; haven't tried them all, figured I'd get similar results).

My Start > All Programs is showing "(empty)"

When I 'explore' windows, that shows nothing as well.

I couldn't start Notepad from the usual way; I had to open a txt file on my desktop and open that, delete everything and then begin this message.

Upon closing this notepad window, all my icons are gone again.
I'm going to run OTL's Quick Scan now...here is the log:

*****************************
*****************************


OTL logfile created on: 4/2/2011 1:55:08 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Paul G!\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 153.00 Mb Available Physical Memory | 30.00% Memory free
864.00 Mb Paging File | 539.00 Mb Available in Paging File | 62.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.65 Gb Free Space | 63.48% Space Free | Partition Type: NTFS

Computer Name: THEPOWER | User Name: Paul G! | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 20:48:03 | 000,580,608 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
PRC - [2011/04/01 19:20:22 | 000,459,776 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
PRC - [2011/04/01 19:10:54 | 000,533,504 | -H-- | M] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 20:12:12 | 000,012,288 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\attrib.exe
PRC - [2007/08/09 03:27:52 | 000,073,728 | -H-- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2003/07/16 12:30:45 | 000,094,208 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\MSN\MSNCoreFiles\msn6.exe
PRC - [2002/09/10 22:26:26 | 000,368,706 | -H-- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe


========== Modules (SafeList) ==========

MOD - [2011/04/01 20:48:03 | 000,580,608 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:12:01 | 000,121,344 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvfw32.dll
MOD - [2008/04/13 20:12:00 | 001,384,479 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvbvm60.dll
MOD - [2008/04/13 20:11:52 | 000,367,616 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dsound.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus® Helper) getPlus®
SRV - [2007/08/09 03:27:52 | 000,073,728 | -H-- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/11/14 19:13:42 | 000,074,688 | -H-- | M] (AVG) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\qtsmon.sys -- (qtsmon)
DRV - [2010/02/11 08:02:15 | 000,226,880 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/06/11 19:34:34 | 000,049,904 | RH-- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 14:56:06 | 000,088,320 | -H-- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 14:41:01 | 000,052,352 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\volsnap.sys -- (VolSnap)
DRV - [2007/02/08 15:51:16 | 002,209,408 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/11/02 14:24:34 | 000,424,320 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/15 16:37:52 | 000,264,440 | -H-- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003/09/26 10:41:10 | 000,044,032 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/07/16 12:34:04 | 000,063,232 | -H-- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/07/16 12:34:04 | 000,055,936 | -H-- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 12:11:30 | 000,096,640 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 12:11:30 | 000,026,568 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCM4E5.SYS -- (BCM44X2)
DRV - [2001/08/17 12:11:26 | 000,054,271 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....-8&fr=ytff-&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo....-8&fr=ytff-&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/27 08:00:47 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/26 09:36:09 | 000,000,000 | -H-D | M]

[2009/04/21 21:40:19 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Extensions
[2011/03/30 23:02:17 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions
[2010/08/13 14:04:13 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/10 19:39:16 | 000,000,000 | -H-D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/03/03 17:36:09 | 000,000,000 | -H-D | M] ("StumbleUpon") -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/04/30 21:58:28 | 000,000,000 | -H-D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011/03/30 23:02:18 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/16 18:35:45 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/11/16 18:35:22 | 000,000,000 | -H-D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/16 18:35:22 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2003/07/16 12:23:48 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [VOSwDthSgMPbD] C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe (GPA)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1231962780789 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/13 17:20:01 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup\sbcdsl.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/02 13:56:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Paul G!\Recent
[2011/04/01 20:48:31 | 000,580,608 | -H-- | C] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
[2011/04/01 19:21:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Paul G!\Start Menu\Programs\Windows Repair
[2011/04/01 19:11:09 | 000,533,504 | -H-- | C] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
[2011/03/29 22:23:20 | 000,000,000 | -H-D | C] -- C:\spoolerlogs

========== Files - Modified Within 30 Days ==========

[2049/12/31 16:00:00 | 000,416,454 | -H-- | M] () -- C:\Documents and Settings\Paul G!\My Documents\Viers
[2011/04/02 13:53:08 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2011/04/02 13:52:08 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/02 13:51:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/01 20:48:03 | 000,580,608 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
[2011/04/01 19:21:42 | 000,000,104 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~24764212
[2011/04/01 19:21:41 | 000,000,120 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~24764212r
[2011/04/01 19:21:16 | 000,000,809 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk
[2011/04/01 19:20:35 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212
[2011/04/01 19:20:22 | 000,459,776 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
[2011/04/01 19:10:54 | 000,533,504 | -H-- | M] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
[2011/04/01 18:37:24 | 000,069,987 | -H-- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/04/01 18:33:51 | 000,030,098 | -H-- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/04/01 03:25:27 | 000,005,820 | -H-- | M] () -- C:\WINDOWS\Jelly.ini
[2011/03/29 22:29:27 | 000,432,924 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/29 22:29:27 | 000,067,714 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/26 13:16:33 | 000,002,495 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Desktop\Microsoft Office Excel 2003.lnk
[2011/03/26 13:16:26 | 000,002,497 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Desktop\Microsoft Office Word 2003.lnk
[2011/03/16 21:05:12 | 000,013,824 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/11 20:14:02 | 000,043,361 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Desktop\TICHY Hopper decal sheet.jpg
[2011/03/09 22:04:12 | 000,001,355 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 02:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\DriverCure.job

========== Files Created - No Company Name ==========

[2049/12/31 16:00:00 | 000,416,454 | -H-- | C] () -- C:\Documents and Settings\Paul G!\My Documents\Viers
[2011/04/01 19:21:41 | 000,000,120 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~24764212r
[2011/04/01 19:21:41 | 000,000,104 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~24764212
[2011/04/01 19:21:16 | 000,000,809 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk
[2011/04/01 19:20:35 | 000,000,344 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212
[2011/04/01 19:20:22 | 000,459,776 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
[2011/03/11 20:13:59 | 000,043,361 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Desktop\TICHY Hopper decal sheet.jpg
[2010/11/14 01:00:37 | 000,006,550 | -H-- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/10/09 02:31:07 | 000,000,051 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 21:14:44 | 000,077,824 | RH-- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/06/16 21:11:33 | 000,110,056 | -H-- | C] () -- C:\WINDOWS\hpoins08.dat
[2010/06/16 21:11:32 | 000,007,577 | -H-- | C] () -- C:\WINDOWS\hpomdl08.dat
[2010/02/10 18:58:35 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/17 00:21:06 | 000,013,824 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/29 18:13:59 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\iplayer.INI
[2009/04/27 21:37:13 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\pcfriend.INI
[2009/04/21 21:40:20 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/16 20:07:58 | 000,168,448 | -H-- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/16 20:07:54 | 003,596,288 | -H-- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/04/16 20:07:54 | 000,795,648 | -H-- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/16 20:07:54 | 000,130,048 | -H-- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/16 20:07:52 | 000,067,584 | -H-- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/09 21:39:45 | 000,005,820 | -H-- | C] () -- C:\WINDOWS\Jelly.ini
[2009/04/08 17:03:39 | 000,000,709 | -H-- | C] () -- C:\WINDOWS\AutoCAD 2000 EReg.ini
[2009/04/08 15:54:46 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\mtstack.INI
[2009/04/08 15:50:00 | 000,045,056 | -H-- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
[2009/04/08 15:33:31 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/14 16:33:46 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/01/14 15:22:06 | 000,069,987 | -H-- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/01/14 14:48:57 | 000,757,760 | -H-- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/01/14 14:48:57 | 000,018,944 | -H-- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/01/14 14:48:56 | 000,086,016 | -H-- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/13 17:27:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/13 17:16:37 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/13 12:07:32 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/13 12:06:26 | 000,199,344 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 12:48:28 | 000,004,594 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 12:48:27 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 12:43:57 | 000,052,352 | -H-- | C] () -- C:\WINDOWS\System32\drivers\volsnap.sys
[2003/07/16 12:35:07 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 12:35:06 | 000,432,924 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 12:35:05 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 12:35:03 | 000,067,714 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 12:33:18 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 12:28:25 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 12:28:14 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 12:21:49 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 12:20:48 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 15:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 16:30:00 | 000,003,399 | -H-- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/11/14 19:13:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AVGQTS
[2010/04/13 19:09:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/10/08 18:38:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/04/13 18:58:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/04/30 21:58:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/13 18:58:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\DriverCure
[2010/11/17 22:26:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\MP3Rocket
[2011/03/07 02:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
[2011/04/02 13:53:08 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job

========== Purity Check ==========



< End of report >


*****************************
*****************************

I also got an unwanted pop-up while getting back online. Not sure if you need all these details, just trying to give you all the information you need to kill this thing completely!

After running TDSSKiller (I already had it on my desktop), there were no infections found, no reboot required. I clicked on Report and this is what opened:
(also, I'm still getting redirects)


*****************************
*****************************


2011/04/28 17:32:52.0100 3656 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/28 17:32:52.0621 3656 ================================================================================
2011/04/28 17:32:52.0621 3656 SystemInfo:
2011/04/28 17:32:52.0621 3656
2011/04/28 17:32:52.0621 3656 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/28 17:32:52.0621 3656 Product type: Workstation
2011/04/28 17:32:52.0621 3656 ComputerName: THEPOWER
2011/04/28 17:32:52.0621 3656 UserName: Paul G!
2011/04/28 17:32:52.0621 3656 Windows directory: C:\WINDOWS
2011/04/28 17:32:52.0621 3656 System windows directory: C:\WINDOWS
2011/04/28 17:32:52.0621 3656 Processor architecture: Intel x86
2011/04/28 17:32:52.0621 3656 Number of processors: 1
2011/04/28 17:32:52.0621 3656 Page size: 0x1000
2011/04/28 17:32:52.0621 3656 Boot type: Normal boot
2011/04/28 17:32:52.0621 3656 ================================================================================
2011/04/28 17:32:52.0991 3656 Initialize success
2011/04/28 17:32:54.0864 4040 ================================================================================
2011/04/28 17:32:54.0864 4040 Scan started
2011/04/28 17:32:54.0864 4040 Mode: Manual;
2011/04/28 17:32:54.0864 4040 ================================================================================
2011/04/28 17:33:14.0172 4040 ================================================================================
2011/04/28 17:33:14.0172 4040 Scan finished
2011/04/28 17:33:14.0172 4040 ================================================================================


Also, the cursor response is slow. Don't know if that is relevant, but it is noticeable, so I figured I'd mention it.
Thanks for sorting all of this out, I know you're putting in a lot of time!
PG

#18 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, time to get your files back and the icons working properly :) Once these runs are complete, let me know what is outstanding.

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Then re-run RogueKiller

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 6 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

NEXT

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - [2011/04/01 19:20:22 | 000,459,776 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
    PRC - [2011/04/01 19:10:54 | 000,533,504 | -H-- | M] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
    O4 - HKCU..\Run: [VOSwDthSgMPbD] C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe (GPA)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    [2011/04/01 19:21:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Paul G!\Start Menu\Programs\Windows Repair
    [2011/04/01 19:11:09 | 000,533,504 | -H-- | C] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
    [2011/04/01 19:21:42 | 000,000,104 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~24764212
    [2011/04/01 19:21:41 | 000,000,120 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~24764212r
    [2011/04/01 19:21:16 | 000,000,809 | -H-- | M] () -- C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk
    [2011/04/01 19:20:35 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212
    [2011/04/01 19:20:22 | 000,459,776 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe
    [2011/04/01 19:10:54 | 000,533,504 | -H-- | M] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
    [2011/04/01 19:21:41 | 000,000,120 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~24764212r
    [2011/04/01 19:21:41 | 000,000,104 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~24764212
    [2011/04/01 19:21:16 | 000,000,809 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk
    [2011/04/01 19:20:35 | 000,000,344 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212
    [2011/04/01 19:20:22 | 000,459,776 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\24764212.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

AND FINALLY

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#19 PaulG! (Member, Topic Starter, 80 posts)
Hi. Looks like you've almost got this thing beat! Here are the scan results and logs in the order they were performed:



RogueKiller V4.3.11 [04/25/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Paul G! [Admin rights]
Mode: Remove -- Date : 04/29/2011 23:00:10

Bad processes: 0

Registry Entries: 1
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)

HOSTS File:
ÿ₫1

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



*************************************************************************************************
****************************************************************
*************************************************************************************************


RogueKiller V4.3.11 [04/25/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Paul G! [Admin rights]
Mode: Shortcuts HJfix -- Date : 04/29/2011 23:05:07

Bad processes: 0

File attributes restored:
Desktop: Success 325 / Fail 0
Quick launch: Success 5 / Fail 0
Programs: Success 159 / Fail 0
Start menu: Success 23 / Fail 0
User folder: Success 453 / Fail 0
My documents: Success 1378 / Fail 0
My favorites: Success 34 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 55464 / Fail 0

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



*************************************************************************************************
****************************************************************
*************************************************************************************************


All processes killed
========== OTL ==========
No active process named 24764212.exe was found!
No active process named VOSwDthSgMPbD.exe was found!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\VOSwDthSgMPbD not found.
File C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Folder C:\Documents and Settings\Paul G!\Start Menu\Programs\Windows Repair\ not found.
File C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
File C:\Documents and Settings\All Users\Application Data\~24764212 not found.
File C:\Documents and Settings\All Users\Application Data\~24764212r not found.
File C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk not found.
File C:\Documents and Settings\All Users\Application Data\24764212 not found.
File C:\Documents and Settings\All Users\Application Data\24764212.exe not found.
File C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe not found.
File C:\Documents and Settings\All Users\Application Data\~24764212r not found.
File C:\Documents and Settings\All Users\Application Data\~24764212 not found.
File C:\Documents and Settings\Paul G!\Desktop\Windows Repair.lnk not found.
File C:\Documents and Settings\All Users\Application Data\24764212 not found.
File C:\Documents and Settings\All Users\Application Data\24764212.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Paul G!\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Paul G!\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Paul G!
->Temp folder emptied: 100722 bytes
->Temporary Internet Files folder emptied: 346881673 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 5835 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 244519 bytes

Total Files Cleaned = 331.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Paul G!
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 04292011_231628

Files\Folders moved on Reboot...
C:\Documents and Settings\Paul G!\Local Settings\Temporary Internet Files\Content.IE5\UAXM2V9P\page__st__15[1].htm moved successfully.
C:\Documents and Settings\Paul G!\Local Settings\Temporary Internet Files\Content.IE5\C3G237BX\like[1].htm moved successfully.
C:\Documents and Settings\Paul G!\Local Settings\Temporary Internet Files\Content.IE5\C3G237BX\xd_proxy[2].htm moved successfully.
C:\Documents and Settings\Paul G!\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...


*************************************************************************************************
****************************************************************
*************************************************************************************************


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6476

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/30/2011 12:54:29 AM
mbam-log-2011-04-30 (00-54-29).txt

Scan type: Quick scan
Objects scanned: 153964
Time elapsed: 1 hour(s), 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



********************************************************************************************
****************************************************************
*******************************************************************************************


When trying to connect to post these logs, I got redirected a few times and even had a couple of webpages (apartment finder) pop up without me knowing.
I accidentally closed my browser and when reopening Firefox, I got a page that said: Firefox Alert...Get 'XP Total Security 2011'. And when I ran Internet Explorer, it said XP Total Security found IE was infected with "Trojan.BNK.Win32.Keylogger.gen". I got this several times when trying to connect, and as a last resort ran TDSSKiller...no result, Malwarebytes...won't open, and RogueKiller finally ran and it worked. (Nice program!) Here is that RKreport:


****************************************************************
****************************************************************
****************************************************************



RogueKiller V4.3.11 [04/25/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Paul G! [Admin rights]
Mode: Remove -- Date : 04/30/2011 13:21:21

Bad processes: 1
[APPDT/TMP/DESKTOP] jgv.exe -- c:\documents and settings\paul g!\local settings\application data\jgv.exe -> KILLED

Registry Entries: 8
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[FILE ASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "%1" %*) -> REPLACED : ("%1" %*)
[FILE ASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "%1" %*) -> REPLACED : ("%1" %*)
[FILE ASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> REPLACED : ("C:\Program Files\mozilla firefox\firefox.exe")
[FILE ASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) -> REPLACED : ("C:\Program Files\mozilla firefox\firefox.exe" -safe-mode)
[FILE ASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> REPLACED : ("C:\Program Files\internet explorer\iexplore.exe")

HOSTS File:
ÿ₫1

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt



****************************************************************
****************************************************************
****************************************************************


So maybe this thing isn't going to go away as quietly as I hoped. I'm going out of town for 2 more weeks, I'm leaving Sun morning and should be at my hotel later that afternoon. I'll have a company laptop to communicate with; just wanted to let you know what was going on at this end.
Thanks for your continued help!
PG
  • 0
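The `[FILE ASSO]` lines in the RogueKiller report above show the mechanism behind this infection's persistence: the `exefile` and `.exe` open verbs (and the Firefox and Internet Explorer Start Menu launch keys) had been rewritten so that every program launch passed through `jgv.exe` first, which is why Task Manager, RogueKiller and other tools were hard to start. The Python below is an added example, not part of this thread and not code from RogueKiller or OTL; it parses RogueKiller `[FILE ASSO]` lines and OTL `O35` lines, compares the open command for the executable classes against the Windows default `"%1" %*`, and flags any other launch key that names a second executable in front of its real target. The sample lines are copied from the report quoted above plus two clean OTL lines and one unrelated line, constructed for the demonstration.

```python
import re

# Expected default "open" verb for the exefile/comfile classes (and the .exe/.com
# extension keys that map to them): run the file itself with its arguments.
DEFAULT_OPEN_COMMAND = '"%1" %*'

# RogueKiller "[FILE ASSO] <key> : (<bad value>) -> REPLACED : (<new value>)"
RK_FILE_ASSO = re.compile(
    r'^\[FILE ASSO\]\s+(?P<key>\S+)\s+:\s+\((?P<value>.*?)\)\s+->\s+REPLACED\s+:\s+\(.*?\)\s*$'
)
# OTL "O35 - <hive>\..<class> [open] -- <value>"
OTL_O35 = re.compile(r'^O35 - (?P<key>\S+) \[open\] -- (?P<value>.*?)\s*$')
# Every double-quoted path ending in .exe inside a command line
QUOTED_EXE = re.compile(r'"([^"]+?\.exe)"', re.IGNORECASE)


def parse_open_command(line):
    """Return (key, value) for a RogueKiller or OTL open-command line, else None."""
    m = RK_FILE_ASSO.match(line) or OTL_O35.match(line)
    if not m:
        return None
    return m.group('key'), m.group('value')


def has_known_default(key):
    """True for keys whose open verb should be exactly DEFAULT_OPEN_COMMAND."""
    k = key.lower()
    return any(tag in k for tag in ('exefile', 'comfile', '\\.exe\\', '\\.com\\'))


def classify(key, value):
    """Return a reason string if the open command looks hijacked, else None."""
    cmd = value.strip()
    exes = QUOTED_EXE.findall(cmd)
    if has_known_default(key):
        if cmd != DEFAULT_OPEN_COMMAND:
            return 'non-default open command for executable class'
        return None
    # Other launch keys (e.g. StartMenuInternet) legitimately name one program;
    # a second quoted .exe in front of it is an interposer receiving the real target.
    if len(exes) >= 2:
        return 'interposing executable placed before the real target'
    return None


def audit_open_commands(lines):
    """Scan report lines and return one finding dict per suspicious open command."""
    findings = []
    for raw in lines:
        parsed = parse_open_command(raw.rstrip('\r\n'))
        if parsed is None:
            continue
        key, value = parsed
        reason = classify(key, value)
        if reason is None:
            continue
        exes = QUOTED_EXE.findall(value)
        findings.append({
            'key': key,
            'value': value.strip(),
            'reason': reason,
            'interposed': exes[0] if exes else None,  # the program doing the wrapping
        })
    return findings


# Constructed sample: two lines copied from the RogueKiller report quoted in the
# thread (jgv.exe wrapping exefile and Firefox), two clean OTL O35 lines, and an
# unrelated O4 line the parser must ignore.
SAMPLE_LINES = [
    r'[FILE ASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "%1" %*) -> REPLACED : ("%1" %*)',
    r'[FILE ASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> REPLACED : ("C:\Program Files\mozilla firefox\firefox.exe")',
    r'O35 - HKLM\..exefile [open] -- "%1" %*',
    r'O35 - HKCU\..comfile [open] -- "%1" %*',
    r'O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)',
]

if __name__ == '__main__':
    for f in audit_open_commands(SAMPLE_LINES):
        print(f"{f['reason']}: {f['key']}\n    interposer: {f['interposed']}")
```

The same comparison is what Malwarebytes reports later in the thread as `Broken.OpenCommand` for `HKEY_CLASSES_ROOT\exefile\shell\open\command`: once the wrapper file has been moved, the value is no longer the default and the class has to be restored to `"%1" %*` before programs launch normally again.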

#20
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's have another look at your MBR - this is an updated version.


Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply

THEN

Run a fresh OTL scan for me please
  • 0

#21
PaulG!

PaulG!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 80 posts
Hi Essexboy. I downloaded and ran the mbr scan but the pictures you attached were replaced with a blank image with "the picture or video has been moved or deleted". This wasn't a problem, just letting you know for future reference. Here are the two scans, MBR first:


aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-03 08:48:17
-----------------------------
08:48:17.740 OS Version: Windows 5.1.2600 Service Pack 3
08:48:17.740 Number of processors: 1 586 0xD06
08:48:17.740 ComputerName: THEPOWER UserName: Paul G!
08:48:18.221 Initialize success
08:48:21.376 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:48:21.376 Disk 0 Vendor: FUJITSU_MHT2040AH 006C Size: 38154MB BusType: 3
08:48:23.378 Disk 0 MBR read successfully
08:48:23.378 Disk 0 MBR scan
08:48:23.378 Disk 0 Windows XP default MBR code
08:48:25.381 Disk 0 scanning sectors +78140160
08:48:25.391 Disk 0 scanning C:\WINDOWS\system32\drivers
08:48:30.729 Service scanning
08:48:33.122 Disk 0 trace - called modules:
08:48:33.143 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS VIDEOPRT.SYS nv4_mini.sys
08:48:33.143 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f7aab8]
08:48:33.143 3 CLASSPNP.SYS[f8796fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82f91d98]
08:48:33.143 Scan finished successfully
08:48:51.719 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Paul G!\Desktop\MBR.dat"
08:48:51.719 The log file has been saved successfully to "C:\Documents and Settings\Paul G!\Desktop\aswMBRlog.txt"




**************************************************************************

**************************************************************************





OTL logfile created on: 5/3/2011 8:49:22 AM - Run 6
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Paul G!\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 227.00 Mb Available Physical Memory | 44.00% Memory free
864.00 Mb Paging File | 599.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.46 Gb Free Space | 62.96% Space Free | Partition Type: NTFS

Computer Name: THEPOWER | User Name: Paul G! | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/30 13:09:10 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/09/10 22:26:26 | 000,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
PRC - [1998/09/25 11:09:44 | 000,760,832 | ---- | M] (JellyFish AS) -- C:\Documents and Settings\All Users\Documents\Jellyfish Backgammon\JFL3532.exe


========== Modules (SafeList) ==========

MOD - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus® Helper) getPlus®
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/11/14 19:13:42 | 000,074,688 | ---- | M] (AVG) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\qtsmon.sys -- (qtsmon)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/06/11 19:34:34 | 000,049,904 | ---- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/02/08 15:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/11/02 14:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/15 16:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003/09/26 10:41:10 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/07/16 12:34:04 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/07/16 12:34:04 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 12:11:30 | 000,026,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCM4E5.SYS -- (BCM44X2)
DRV - [2001/08/17 12:11:26 | 000,054,271 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....-8&fr=ytff-&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo....-8&fr=ytff-&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:09:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:09:20 | 000,000,000 | ---D | M]

[2009/04/21 21:40:19 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Extensions
[2011/05/01 20:28:42 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions
[2010/08/13 14:04:13 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/10 19:39:16 | 000,000,000 | -H-D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/03/03 17:36:09 | 000,000,000 | -H-D | M] ("StumbleUpon") -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/04/30 21:58:28 | 000,000,000 | -H-D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011/05/01 20:28:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/16 18:35:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/11/16 18:35:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/16 18:35:22 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/04/29 23:16:31 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1231962780789 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.100.1 4.2.2.2 4.2.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/13 17:20:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/03 08:46:51 | 000,576,512 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/05/01 20:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511
[2011/04/30 15:23:31 | 000,348,160 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\cca.exe
[2011/04/30 13:14:57 | 000,344,064 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe
[2011/04/29 22:51:13 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul G!\Desktop\mbam-setup.exe
[2011/04/14 18:24:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware_4_14_2011
[2011/04/14 18:21:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/12 17:23:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/12 17:10:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Desktop\RK_Quarantine
[2011/04/12 17:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Recent

========== Files - Modified Within 30 Days ==========

[2011/05/03 08:48:51 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\MBR.dat
[2011/05/03 08:47:49 | 000,069,987 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/05/03 08:47:01 | 000,576,512 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/05/03 08:45:43 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2011/05/03 08:42:53 | 000,005,816 | -H-- | M] () -- C:\WINDOWS\Jelly.ini
[2011/05/02 07:56:24 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/02 07:56:00 | 000,030,098 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/02 07:55:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/30 15:24:19 | 000,003,238 | -HS- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
[2011/04/30 15:24:19 | 000,003,238 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
[2011/04/30 15:23:31 | 000,348,160 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\cca.exe
[2011/04/30 13:17:24 | 000,010,240 | -HS- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\47h7308i05434q7ml6uhge302
[2011/04/30 13:17:24 | 000,010,240 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\47h7308i05434q7ml6uhge302
[2011/04/30 13:14:57 | 000,344,064 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe
[2011/04/29 23:16:31 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/29 22:53:02 | 000,000,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/29 22:51:13 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul G!\Desktop\mbam-setup.exe
[2011/04/29 22:48:19 | 001,116,672 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[2011/04/15 18:54:01 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\tdsskiller.zip
[2011/04/15 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe

========== Files Created - No Company Name ==========

[2011/05/03 08:48:51 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\MBR.dat
[2011/04/30 15:23:32 | 000,003,238 | -HS- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
[2011/04/30 15:23:32 | 000,003,238 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
[2011/04/30 13:14:59 | 000,010,240 | -HS- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\47h7308i05434q7ml6uhge302
[2011/04/30 13:14:59 | 000,010,240 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\47h7308i05434q7ml6uhge302
[2011/04/15 18:54:01 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\tdsskiller.zip
[2011/04/14 18:24:12 | 000,000,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/12 17:09:52 | 001,116,672 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[2010/11/14 01:00:37 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/10/09 02:31:07 | 000,000,051 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 21:14:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/06/16 21:11:33 | 000,110,056 | ---- | C] () -- C:\WINDOWS\hpoins08.dat
[2010/06/16 21:11:32 | 000,007,577 | ---- | C] () -- C:\WINDOWS\hpomdl08.dat
[2010/02/10 18:58:35 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/17 00:21:06 | 000,013,824 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/29 18:13:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/04/27 21:37:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2009/04/21 21:40:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/16 20:07:58 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/16 20:07:54 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/04/16 20:07:54 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/16 20:07:54 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/16 20:07:52 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/09 21:39:45 | 000,005,816 | -H-- | C] () -- C:\WINDOWS\Jelly.ini
[2009/04/08 17:03:39 | 000,000,709 | -H-- | C] () -- C:\WINDOWS\AutoCAD 2000 EReg.ini
[2009/04/08 15:54:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2009/04/08 15:50:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
[2009/04/08 15:33:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/14 16:33:46 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/01/14 15:22:06 | 000,069,987 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/01/14 14:48:57 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/01/14 14:48:57 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/01/14 14:48:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/13 17:27:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/13 17:16:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/13 12:07:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/13 12:06:26 | 000,199,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 12:48:28 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 12:48:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 12:35:07 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 12:35:06 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 12:35:05 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 12:35:03 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 12:33:18 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 12:28:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 12:28:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 12:21:49 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 12:20:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 16:30:00 | 000,003,399 | -H-- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/11/14 19:13:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AVGQTS
[2010/04/13 19:09:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/10/08 18:38:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/05/01 20:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511
[2010/04/13 18:58:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/04/30 21:58:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/13 18:58:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\DriverCure
[2010/11/17 22:26:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\MP3Rocket
[2011/04/15 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
[2011/05/03 08:45:43 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job

========== Purity Check ==========



< End of report >




****************************************************************************

So, what do you think? I had the same problem as before (most recently), my wallpaper went all blue (but I didn't lose my icons) and Rogue Killer wasn't easy to run; I had to do some quick triple clicks to get it to run, but after 4 or 5 tries, it opened, I selected '2' and that seemed to clean things up, for the time being anyway.

Someone told me maybe the reason for the quick recurrence of my problem may be because the malicious program has left a 'seed' behind, and every once in a while something looks for this 'seed' and once it is found, the problem 'grows' all over again. (The growing reference is from an earth-hugger type I was talking to at a bar; I don't trust his knowledge but thought it was interesting enough to ask a true professional... you! Aren't you lucky! lol) I have a red shield in my Quick Launch? toolbar (the one in the lower right, by the clock); it shows Windows Security Alert when I hover over it.

Thanks again for helping. I appreciate all the work you are doing for me.

Right now, I don't have an anti-virus thing active on this laptop. I was using AVG's free version but it's not active (or even seen) now. Do you recommend I use one now? Usually I hear I should have it disabled during scans and troubleshooting.

Thanks again for entertaining my questions and helping me out!
PaulG
  • 0

#22
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Not so much a seed but a folder that the automated tools cannot detect. Also, with no AV, drive-by downloads find it easier to install.

Reference the pictures: I had updated them and was playing with the presentation, then broke the links... :unsure: But all fixed now, albeit at a different location.

For an antivirus - if you do not wish to have AVG back then I could recommend either Avast or Microsoft Security Essentials.

Once you have run the OTL fix, could you update and then run Malwarebytes, posting the resultant log, along with an update on how your computer is behaving :)

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/05/01 20:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511
    [2011/04/30 15:23:31 | 000,348,160 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\cca.exe
    [2011/04/30 13:14:57 | 000,344,064 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe
    [2011/04/30 15:24:19 | 000,003,238 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
    [2011/04/30 15:23:31 | 000,348,160 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\cca.exe
    [2011/04/30 13:17:24 | 000,010,240 | -HS- | M] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\47h7308i05434q7ml6uhge302
    [2011/04/30 13:17:24 | 000,010,240 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\47h7308i05434q7ml6uhge302
    [2011/04/30 13:14:57 | 000,344,064 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe
    [2011/04/30 15:23:32 | 000,003,238 | -HS- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
    [2011/04/30 15:23:32 | 000,003,238 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4
    [2011/04/30 13:14:59 | 000,010,240 | -HS- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\47h7308i05434q7ml6uhge302
    [2011/04/30 13:14:59 | 000,010,240 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\47h7308i05434q7ml6uhge302
    [2011/05/01 20:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#23
PaulG!

PaulG!

    Member

  • Topic Starter
  • Member
  • PipPip
  • 80 posts
Hello. I still see the red shield on my toolbar, 'Windows Security Alerts' and every once in a while, I hear a "pop" sound (kind of like a popping bubble), but nothing opens or happens.
I haven't gotten any redirects when I click on any pages, so far so good!

Here are the scan results:

All processes killed
========== OTL ==========
Folder C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511\ not found.
C:\Documents and Settings\Paul G!\Local Settings\Application Data\cca.exe moved successfully.
C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4 moved successfully.
File C:\Documents and Settings\Paul G!\Local Settings\Application Data\cca.exe not found.
C:\Documents and Settings\Paul G!\Local Settings\Application Data\47h7308i05434q7ml6uhge302 moved successfully.
C:\Documents and Settings\All Users\Application Data\47h7308i05434q7ml6uhge302 moved successfully.
File C:\Documents and Settings\Paul G!\Local Settings\Application Data\jgv.exe not found.
C:\Documents and Settings\Paul G!\Local Settings\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4 moved successfully.
File C:\Documents and Settings\All Users\Application Data\v403h3pv7p3ucy0uwp0r27yv08uwt87ck0o4w1v3e4 not found.
File C:\Documents and Settings\Paul G!\Local Settings\Application Data\47h7308i05434q7ml6uhge302 not found.
File C:\Documents and Settings\All Users\Application Data\47h7308i05434q7ml6uhge302 not found.
Folder C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Paul G!\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Paul G!\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Paul G!
->Temp folder emptied: 4467543 bytes
->Temporary Internet Files folder emptied: 457261909 bytes
->Java cache emptied: 1013899 bytes
->FireFox cache emptied: 104531179 bytes
->Flash cache emptied: 8197 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 541.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Paul G!
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 05042011_164802

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



***************************************************************
***************************************************************



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6507

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/4/2011 5:48:32 PM
mbam-log-2011-05-04 (17-48-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 210531
Time elapsed: 48 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\mm06511cmplo06511\mm06511cmplo06511.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Paul G!\Desktop\rk_quarantine\24764212.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\Paul G!\Desktop\rk_quarantine\cca.exe.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\Paul G!\Desktop\rk_quarantine\jgv.exe.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\Paul G!\Desktop\rk_quarantine\mm06511cmplo06511.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Paul G!\Desktop\rk_quarantine\voswdthsgmpbd.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\_OTL\movedfiles\04122011_172333\c_documents and settings\all users\application data\24764212.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\_OTL\movedfiles\04122011_172333\c_documents and settings\all users\application data\voswdthsgmpbd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\_OTL\movedfiles\05042011_164802\c_documents and settings\Paul G!\local settings\application data\cca.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\_OTL\movedfiles\05042011_164802\c_documents and settings\Paul G!\local settings\application data\jgv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.



***********************************************************************
***********************************************************************



OTL logfile created on: 5/4/2011 5:53:22 PM - Run 7
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Paul G!\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 248.00 Mb Available Physical Memory | 49.00% Memory free
864.00 Mb Paging File | 640.00 Mb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.94 Gb Free Space | 64.24% Space Free | Partition Type: NTFS

Computer Name: THEPOWER | User Name: Paul G! | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/30 13:09:10 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/09/10 22:26:26 | 000,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
PRC - [1998/09/25 11:09:44 | 000,760,832 | ---- | M] (JellyFish AS) -- C:\Documents and Settings\All Users\Documents\Jellyfish Backgammon\JFL3532.exe


========== Modules (SafeList) ==========

MOD - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus® Helper) getPlus®
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/11/14 19:13:42 | 000,074,688 | ---- | M] (AVG) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\qtsmon.sys -- (qtsmon)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/06/11 19:34:34 | 000,049,904 | ---- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/02/08 15:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/11/02 14:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/15 16:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003/09/26 10:41:10 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/07/16 12:34:04 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/07/16 12:34:04 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 12:11:30 | 000,026,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCM4E5.SYS -- (BCM44X2)
DRV - [2001/08/17 12:11:26 | 000,054,271 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....-8&fr=ytff-&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo....-8&fr=ytff-&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:09:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:09:20 | 000,000,000 | ---D | M]

[2009/04/21 21:40:19 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Extensions
[2011/05/04 13:27:02 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions
[2010/08/13 14:04:13 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/10 19:39:16 | 000,000,000 | -H-D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/03/03 17:36:09 | 000,000,000 | -H-D | M] ("StumbleUpon") -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/04/30 21:58:28 | 000,000,000 | -H-D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011/05/04 13:27:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/16 18:35:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/11/16 18:35:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/16 18:35:22 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/05/04 16:48:07 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1231962780789 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.100.1 4.2.2.2 4.2.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/13 17:20:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/03 08:46:51 | 000,576,512 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/05/01 20:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511
[2011/04/29 22:51:13 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul G!\Desktop\mbam-setup.exe
[2011/04/14 18:24:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware_4_14_2011
[2011/04/14 18:21:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/12 17:23:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/12 17:10:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Desktop\RK_Quarantine
[2011/04/12 17:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Recent

========== Files - Modified Within 30 Days ==========

[2011/05/04 17:51:00 | 000,069,987 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/05/04 17:50:57 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/04 17:50:52 | 000,005,816 | -H-- | M] () -- C:\WINDOWS\Jelly.ini
[2011/05/04 17:50:36 | 000,030,098 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/04 17:50:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/04 17:45:58 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2011/05/04 16:48:07 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/03 08:48:51 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\MBR.dat
[2011/05/03 08:47:01 | 000,576,512 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/04/29 22:53:02 | 000,000,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/29 22:51:13 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul G!\Desktop\mbam-setup.exe
[2011/04/29 22:48:19 | 001,116,672 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[2011/04/15 18:54:01 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\tdsskiller.zip
[2011/04/15 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe

========== Files Created - No Company Name ==========

[2011/05/03 08:48:51 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\MBR.dat
[2011/04/15 18:54:01 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\tdsskiller.zip
[2011/04/14 18:24:12 | 000,000,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/12 17:09:52 | 001,116,672 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[2010/11/14 01:00:37 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/10/09 02:31:07 | 000,000,051 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 21:14:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/06/16 21:11:33 | 000,110,056 | ---- | C] () -- C:\WINDOWS\hpoins08.dat
[2010/06/16 21:11:32 | 000,007,577 | ---- | C] () -- C:\WINDOWS\hpomdl08.dat
[2010/02/10 18:58:35 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/17 00:21:06 | 000,013,824 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/29 18:13:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/04/27 21:37:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2009/04/21 21:40:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/16 20:07:58 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/16 20:07:54 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/04/16 20:07:54 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/16 20:07:54 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/16 20:07:52 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/09 21:39:45 | 000,005,816 | -H-- | C] () -- C:\WINDOWS\Jelly.ini
[2009/04/08 17:03:39 | 000,000,709 | -H-- | C] () -- C:\WINDOWS\AutoCAD 2000 EReg.ini
[2009/04/08 15:54:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2009/04/08 15:50:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
[2009/04/08 15:33:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/14 16:33:46 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/01/14 15:22:06 | 000,069,987 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/01/14 14:48:57 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/01/14 14:48:57 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/01/14 14:48:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/13 17:27:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/13 17:16:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/13 12:07:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/13 12:06:26 | 000,199,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 12:48:28 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 12:48:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 12:35:07 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 12:35:06 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 12:35:05 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 12:35:03 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 12:33:18 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 12:28:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 12:28:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 12:21:49 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 12:20:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 16:30:00 | 000,003,399 | -H-- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/11/14 19:13:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AVGQTS
[2010/04/13 19:09:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/10/08 18:38:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/05/04 17:48:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511
[2010/04/13 18:58:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/04/30 21:58:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/13 18:58:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\DriverCure
[2010/11/17 22:26:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\MP3Rocket
[2011/04/15 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
[2011/05/04 17:45:58 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job

========== Purity Check ==========



< End of report >


Thanks for clearing things up for me. As soon as my laptop is clean, I'll download an AV.
PG

#24
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
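The quick-scan log above is read the way OTL's own "No Company Name Whitelist" and "File Age = 30 Days" settings hint at: the helper looks for executables with no vendor name, hidden files dropped under Application Data, generated-looking names such as the ones removed earlier in this thread, and very recent dates, and acts when several of those signs coincide. The Python script below is an added example of that triage; it is not part of OTL and not code from any post here. The user-writable folder list, the case-transition heuristic and the two-reason threshold are this example's own assumptions, and the sample log is constructed in OTL's entry format, reusing names that appear in this thread.

```python
"""Triage OTL scan-log entries the way a malware-removal helper reads them.

Added example for this thread, not part of OTL or of any post here. Parses the
bracketed entry format ([date | size | attrs | C/M] (Company) -- path -- (name))
and flags entries that combine several suspicious signs. The folder list, the
case-transition heuristic and the two-reason threshold are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<stamp>[CM])\]"
    r"(?: \((?P<company>.*?)\))?"      # (Company), or () when there is no version info
    r"(?: \[(?P<state>[^\]]*)\])?"     # [Kernel | On_Demand | Running] on SRV/DRV lines
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>.*)\))?$"      # trailing service/driver name
)
HEADER_RE = re.compile(r"OTL logfile created on: (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)")

# Folders an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\programdata\\")
EXECUTABLE = (".exe", ".dll", ".sys", ".scr")


@dataclass
class Entry:
    kind: str                # PRC/MOD/SRV/DRV, or FILE for plain file/folder lines
    when: datetime
    size: int
    attrs: str               # four OTL flags, e.g. "-H-D": H hidden, S system, D directory
    company: Optional[str]
    path: str
    name: Optional[str]

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def stem(self) -> str:
        leaf = self.path.rsplit("\\", 1)[-1]
        return leaf.rsplit(".", 1)[0] if "." in leaf else leaf


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a bracketed OTL line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        kind=m.group("kind") or "FILE",
        when=datetime.strptime(m.group("date"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        company=m.group("company") or None,
        path=m.group("path"),
        name=m.group("name"),
    )


def case_transitions(stem: str) -> int:
    """Count lower/upper switches between adjacent letters (digits ignored)."""
    letters = [c for c in stem if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())


def assess(entry: Entry, log_date: datetime, max_age_days: int = 30) -> List[str]:
    """List the reasons an entry deserves a second look (may be empty)."""
    reasons = []
    path = entry.path.lower()
    in_user_dir = any(marker in path for marker in USER_WRITABLE)
    if not entry.is_dir:
        if in_user_dir and path.endswith(EXECUTABLE):
            reasons.append("executable in user-writable folder")
        if not entry.company:
            reasons.append("no company name in version info")
        if "H" in entry.attrs and in_user_dir:
            reasons.append("hidden file in user-writable folder")
    if case_transitions(entry.stem) >= 3:
        reasons.append("case-scrambled name")
    if timedelta(0) <= log_date - entry.when <= timedelta(days=max_age_days):
        reasons.append(f"dated within {max_age_days} days of the log")
    return reasons


def triage(log_text: str, min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries showing at least min_reasons signs."""
    header = HEADER_RE.search(log_text)
    log_date = (datetime.strptime(header.group(1), "%m/%d/%Y %I:%M:%S %p")
                if header else datetime.now())
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            reasons = assess(entry, log_date)
            if len(reasons) >= min_reasons:
                flagged.append((entry.path, reasons))
    return flagged


# Constructed sample in OTL's format, reusing names from this thread.
SAMPLE_LOG = r"""OTL logfile created on: 5/4/2011 5:53:22 PM - Run 7
PRC - [2002/09/10 22:26:26 | 000,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
DRV - [2010/11/14 19:13:42 | 000,074,688 | ---- | M] (AVG) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\qtsmon.sys -- (qtsmon)
[2011/05/03 08:46:51 | 000,576,512 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/05/01 20:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511
[2011/04/11 19:11:09 | 000,533,504 | -H-- | C] (GPA) -- C:\Documents and Settings\All Users\Application Data\VOSwDthSgMPbD.exe
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample, only the mM06511CmPlO06511 folder and the hidden VOSwDthSgMPbD.exe cross the threshold; CFD.exe (no company name) and aswMBR.exe (recent, but a known tool on the Desktop) each show a single sign and are left alone, which is the point of requiring more than one reason before a line is raised for review.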
Is the shield from Windows Security Centre? Once done, can you let me know what problems remain?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/05/01 20:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


#25
PaulG!

    Member

  • Topic Starter
  • 80 posts
Essexboy,
Yes, it is the red shield with a white 'x'; when I hover over it, it says Windows Security Alerts, and when I right-click on it there are 2 choices: 'Open Security Center' or 'Go to Microsoft Security Web Site'. I still hear the popping sound every once in a while and sometimes my searches get redirected.

I ran the fix, here is the log:

All processes killed
========== OTL ==========
Folder C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Paul G!\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Paul G!\Desktop\cmd.txt deleted successfully.
C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511 folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Paul G!
->Temp folder emptied: 4188351 bytes
->Temporary Internet Files folder emptied: 35335228 bytes
->Java cache emptied: 466513 bytes
->FireFox cache emptied: 62491075 bytes
->Flash cache emptied: 7341 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 13015171 bytes

Total Files Cleaned = 110.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Paul G!
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 05082011_195657

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



Hope this helps!
PaulG



#26
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, we will have to use a stronger tool; first I will need to remove the remnants of AVG. The alerts are legitimate :)

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - [2010/11/14 19:13:42 | 000,074,688 | ---- | M] (AVG) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\qtsmon.sys -- (qtsmon)
    [2010/11/14 19:13:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AVGQTS

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#27
PaulG!

    Member

  • Topic Starter
  • 80 posts
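When the fix log comes back, the thing to check is that every item the script asked OTL to handle is accounted for: reported as moved or deleted, reported as already absent (as happens when an earlier run already took it), or left with an error. The Python script below is an added example of that reconciliation; it is not part of OTL and not code from any post in this thread. It reads the :OTL and :Files sections of a fix script, matches each path (and, for SRV/DRV lines, the service name) against the log lines, and classifies the outcome. The sample script and log are constructed from the formats seen in this thread.

```python
"""Reconcile an OTL fix script with the fix log it produced.

Added example for this thread, not part of OTL or of any post here. For each
file or folder the :OTL / :Files sections ask OTL to handle, report whether
the log shows it moved/deleted, already absent, an error, or no mention.
The sample script and log below are constructed from this thread's formats.
"""
import re
from typing import Dict, List, Tuple

# An :OTL line carries its path after the first " -- "; SRV/DRV lines end in
# " -- (service name)", which OTL also reports on when it tries to stop it.
OTL_ITEM = re.compile(
    r"(?:^(?P<kind>SRV|DRV) - )?.*? -- (?P<path>[A-Za-z]:\\.*?)(?: -- \((?P<svc>.*)\))?$"
)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def requested_items(script: str) -> List[Tuple[str, str]]:
    """Return (path, service_name_or_empty) for every item the script targets.
    :Files lines that are commands (e.g. ipconfig) rather than paths are skipped."""
    section, items = None, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
        elif section == ":otl":
            m = OTL_ITEM.match(line)
            if m:
                items.append((m.group("path"), m.group("svc") or ""))
        elif section == ":files" and DRIVE_PATH.match(line):
            items.append((line, ""))
    return items


def fix_outcomes(script: str, log: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each requested path to (status, evidence log lines).

    'removed' wins when any matching line reports a move or delete, because OTL
    may first report an :OTL entry as not found and then move it from :Files."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    result: Dict[str, Tuple[str, List[str]]] = {}
    for path, svc in requested_items(script):
        needles = [path.lower()] + ([svc.lower()] if svc else [])
        evidence = [l for l in lines if any(n in l.lower() for n in needles)]
        joined = " | ".join(evidence).lower()
        if "moved successfully" in joined or "deleted successfully" in joined:
            status = "removed"
        elif any(l.lower().startswith("error") for l in evidence):
            status = "error"
        elif "not found" in joined:
            status = "already absent"
        else:
            status = "not mentioned"
        result[path] = (status, evidence)
    return result


# Constructed sample script and log, modelled on the posts in this thread.
SAMPLE_SCRIPT = r"""
:OTL
DRV - [2010/11/14 19:13:42 | 000,074,688 | ---- | M] (AVG) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\qtsmon.sys -- (qtsmon)
[2010/11/14 19:13:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\AVGQTS
[2011/05/01 20:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511

:Files
ipconfig /flushdns /c
C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511

:Commands
[resethosts]
[emptytemp]
"""

SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Error: No service named qtsmon was found to stop!
Service\Driver key qtsmon not found.
C:\WINDOWS\system32\drivers\qtsmon.sys moved successfully.
C:\Documents and Settings\All Users\Application Data\AVGQTS folder moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\All Users\Application Data\mM06511CmPlO06511 folder moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully
"""

if __name__ == "__main__":
    for path, (status, evidence) in fix_outcomes(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{status:15} {path}")
        for line in evidence:
            print("    ", line)
```

In the sample, the driver file ends up "removed" even though the log also complains that no qtsmon service was registered, which is why the evidence lines are kept alongside the status: a service key that is already gone while its .sys file remains is exactly the kind of remnant worth a closer look.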
I ran the fix and the OTL quick scan and downloaded ComboFix, but it seems to freeze on the page '...typical scans last 10 minutes, badly infected machines may easily double...'.
I ran it twice; the last time it ran for 5 hours with the same results. I will keep trying to run it, but in the meantime here are the two logs that were produced (one from the fix, and one from the quick scan):



All processes killed
========== OTL ==========
Error: No service named qtsmon was found to stop!
Service\Driver key qtsmon not found.
C:\WINDOWS\system32\drivers\qtsmon.sys moved successfully.
C:\Documents and Settings\All Users\Application Data\AVGQTS folder moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Paul G!\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Paul G!\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Paul G!
->Temp folder emptied: 124981 bytes
->Temporary Internet Files folder emptied: 58081050 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46940836 bytes
->Flash cache emptied: 5325 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 100.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Paul G!
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 05122011_085338

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



**************************************************************************************************
**************************************************************************************************
**************************************************************************************************


OTL logfile created on: 5/12/2011 8:56:32 AM - Run 8
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Paul G!\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 308.00 Mb Available Physical Memory | 60.00% Memory free
864.00 Mb Paging File | 692.00 Mb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.98 Gb Free Space | 64.35% Space Free | Partition Type: NTFS

Computer Name: THEPOWER | User Name: Paul G! | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
PRC - [2011/01/30 11:45:14 | 000,035,736 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe
PRC - [2009/03/08 04:31:54 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msfeedssync.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/09/10 22:26:26 | 000,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe


========== Modules (SafeList) ==========

MOD - [2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (getPlus® Helper) getPlus®
SRV - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/06/11 19:34:34 | 000,049,904 | ---- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/02/08 15:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/11/02 14:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/11/15 16:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003/09/26 10:41:10 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/07/16 12:34:04 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2003/07/16 12:34:04 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2001/08/17 12:11:30 | 000,026,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCM4E5.SYS -- (BCM44X2)
DRV - [2001/08/17 12:11:26 | 000,054,271 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm42xx5.sys -- (BCM42XX) Broadcom iLine10™


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....-8&fr=ytff-&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo....-8&fr=ytff-&p="


FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/08 13:40:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/08 13:40:36 | 000,000,000 | ---D | M]

[2009/04/21 21:40:19 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Extensions
[2011/05/08 13:41:51 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions
[2010/08/13 14:04:13 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/08 13:41:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/03/03 17:36:09 | 000,000,000 | -H-D | M] ("StumbleUpon") -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2009/04/30 21:58:28 | 000,000,000 | -H-D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Paul G!\Application Data\Mozilla\Firefox\Profiles\2wc5tstv.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011/05/08 12:46:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/16 18:35:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2010/11/16 18:35:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/08 13:40:31 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/11/16 18:35:22 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/08 13:40:33 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/12 08:53:41 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1231962780789 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.100.1 4.2.2.2 4.2.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul G!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/13 17:20:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/05 16:14:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dE06511IjNhK06511
[2011/05/03 08:46:51 | 000,576,512 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/04/29 22:51:13 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul G!\Desktop\mbam-setup.exe
[2011/04/14 18:24:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware_4_14_2011
[2011/04/14 18:21:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/12 17:23:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/12 17:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul G!\Recent

========== Files - Modified Within 30 Days ==========

[2011/05/12 08:56:59 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2011/05/12 08:55:51 | 000,069,987 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/05/12 08:55:48 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/12 08:55:27 | 000,030,098 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/12 08:55:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/12 08:53:41 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/12 08:47:34 | 000,005,819 | -H-- | M] () -- C:\WINDOWS\Jelly.ini
[2011/05/08 22:32:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/03 08:47:01 | 000,576,512 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/04/29 22:53:02 | 000,000,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/29 22:51:13 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Paul G!\Desktop\mbam-setup.exe
[2011/04/29 22:48:19 | 001,116,672 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[2011/04/15 18:54:01 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Paul G!\Desktop\tdsskiller.zip
[2011/04/15 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2011/04/12 17:15:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul G!\Desktop\OTL.exe

========== Files Created - No Company Name ==========

[2011/05/08 13:40:42 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/05 16:37:34 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\Copy of Mozilla Firefox.lnk
[2011/04/15 18:54:01 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\tdsskiller.zip
[2011/04/14 18:24:12 | 000,000,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/12 17:09:52 | 001,116,672 | ---- | C] () -- C:\Documents and Settings\Paul G!\Desktop\RogueKiller.exe
[2010/11/14 01:00:37 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/10/09 02:31:07 | 000,000,051 | -H-- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 21:14:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/06/16 21:11:33 | 000,110,056 | ---- | C] () -- C:\WINDOWS\hpoins08.dat
[2010/06/16 21:11:32 | 000,007,577 | ---- | C] () -- C:\WINDOWS\hpomdl08.dat
[2010/02/10 18:58:35 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/17 00:21:06 | 000,013,824 | -H-- | C] () -- C:\Documents and Settings\Paul G!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/29 18:13:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/04/27 21:37:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2009/04/21 21:40:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/16 20:07:58 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/16 20:07:54 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/04/16 20:07:54 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/16 20:07:54 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/16 20:07:52 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/09 21:39:45 | 000,005,819 | -H-- | C] () -- C:\WINDOWS\Jelly.ini
[2009/04/08 17:03:39 | 000,000,709 | -H-- | C] () -- C:\WINDOWS\AutoCAD 2000 EReg.ini
[2009/04/08 15:54:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2009/04/08 15:50:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
[2009/04/08 15:33:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/14 16:33:46 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/01/14 15:22:06 | 000,069,987 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/01/14 14:48:57 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/01/14 14:48:57 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2009/01/14 14:48:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/01/13 17:27:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/01/13 17:16:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/01/13 12:07:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/13 12:06:26 | 000,199,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/07/16 12:48:28 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/07/16 12:48:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/07/16 12:35:07 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/07/16 12:35:06 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/07/16 12:35:05 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/07/16 12:35:03 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/07/16 12:33:18 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/07/16 12:28:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/07/16 12:28:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/07/16 12:21:49 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/07/16 12:20:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 16:30:00 | 000,003,399 | -H-- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2011/05/05 16:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dE06511IjNhK06511
[2010/04/13 19:09:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/10/08 18:38:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/04/13 18:58:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/04/30 21:58:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/13 18:58:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\DriverCure
[2010/11/17 22:26:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Paul G!\Application Data\MP3Rocket
[2011/04/15 01:09:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
[2011/05/12 08:56:59 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job

========== Purity Check ==========



< End of report >



**********************************************************************************************************
**********************************************************************************************************
**********************************************************************************************************

Thanks for breaking out 'the Big Guns' on my computer troubles...I'll keep trying to successfully run ComboFix, I just wanted to post what I have so far. Thanks for all of your time!
PaulG

#28
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you try ComboFix from safe mode please? One stubborn folder to kill.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/05/05 16:14:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dE06511IjNhK06511

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\All Users\Application Data\dE06511IjNhK06511

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

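An added example, not OTL's code nor the helper's, that parses entry lines in the layout the log above uses and picks out the kind of item the fix script above targets: directories with no company name, stamped recently, under the shared Application Data tree. The sample lines are copied from the log; the ALL_USERS_APPDATA prefix and the cutoff date are assumptions made here.

```python
import re
from datetime import datetime

# Constructed sample: entry lines in the layout OTL writes, copied from the log above.
SAMPLE_LOG = r"""
[2011/05/05 16:14:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\dE06511IjNhK06511
[2011/05/03 08:46:51 | 000,576,512 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Paul G!\Desktop\aswMBR.exe
[2011/04/14 18:24:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware_4_14_2011
[2011/05/12 08:56:59 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FAD007F6-DED4-468A-96A0-73C433BCB61F}.job
[2010/04/13 19:09:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
"""

# One OTL entry: [date time | size | attrs | C/M] (company) -- path [-- extra]
# The company group is absent for folders and reads "()" for files with no version info.
ENTRY = re.compile(
    r"^(?:[A-Z]{3} - )?"                                   # optional PRC/MOD/SRV/DRV tag
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r" -- (?P<path>.+?)(?: -- .*)?$"
)

# Assumed prefix (lower-cased) for the shared profile's Application Data tree on this XP box.
ALL_USERS_APPDATA = "c:\\documents and settings\\all users\\application data\\"


def parse_entry(line):
    """Split one OTL entry line into its fields; None for headers and blank lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    return {
        "raw": line.strip(),
        "when": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "hidden": "H" in m["attrs"],
        "is_dir": "D" in m["attrs"],
        "company": (m["company"] or "").strip(),
        "path": m["path"],
    }


def unsigned_appdata_dirs(log_text, newer_than):
    """Directories with no company name under ALL_USERS_APPDATA, stamped on or
    after newer_than ("YYYY/MM/DD"); newest first."""
    cutoff = datetime.strptime(newer_than, "%Y/%m/%d")
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if (e and e["is_dir"] and not e["company"] and e["when"] >= cutoff
                and e["path"].lower().startswith(ALL_USERS_APPDATA)):
            hits.append(e)
    return sorted(hits, key=lambda e: e["when"], reverse=True)


def build_otl_fix(entries):
    """Lay the chosen entries out as the :OTL and :Files sections of a fix script."""
    otl = [":OTL"] + [e["raw"] for e in entries]
    files = [":Files"] + [e["path"] for e in entries]
    return "\n".join(otl + [""] + files)


if __name__ == "__main__":
    print(build_otl_fix(unsigned_appdata_dirs(SAMPLE_LOG, "2011/04/12")))
```

The generated text is only a starting point for review; whether a flagged folder is actually malicious is decided by the helper reading the whole log, as in the thread above.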

#29
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#30
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
User returned