[dpattt]

Hi,
I am hoping some kind soul can help with my problem. I was hit a bunch of viruses and was able to remove most with malwarebytes and spybot but I am not able to remove what I think is the google redirect virus. There may be more but I can't seem to remove them no matter what I try.
Any help would be appreciated!
Thank You

OTL logfile created on: 4/11/2011 1:18:22 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Yumi\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 37.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 58.59 Gb Total Space | 1.57 Gb Free Space | 2.68% Space Free | Partition Type: NTFS
Drive D: | 53.19 Gb Total Space | 47.72 Gb Free Space | 89.72% Space Free | Partition Type: NTFS
Drive E: | 674.55 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 39.06 Gb Total Space | 27.25 Gb Free Space | 69.78% Space Free | Partition Type: NTFS
Drive H: | 35.48 Gb Total Space | 34.51 Gb Free Space | 97.26% Space Free | Partition Type: NTFS
Drive X: | 367.15 Gb Total Space | 94.93 Gb Free Space | 25.86% Space Free | Partition Type: NTFS

Computer Name: ACADEMIA006 | User Name: Yumi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/11 13:07:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yumi\My Documents\Downloads\OTL.exe
PRC - [2011/03/22 12:42:54 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 14:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/05/12 12:43:28 | 000,241,731 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDSched.exe


========== Modules (SafeList) ==========

MOD - [2011/04/11 13:07:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yumi\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 06:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (6to4)
SRV - [2011/04/06 18:30:08 | 000,215,552 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\itlpfw32.dll -- (itlperf)
SRV - [2009/09/30 08:05:57 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/12/14 02:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 02:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 01:46:16 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/05/12 12:43:28 | 000,241,731 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk\PDSched.exe -- (PDSched)
SRV - [2005/05/12 12:42:40 | 000,483,397 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)


========== Driver Services (SafeList) ==========

DRV - [2007/02/02 10:03:25 | 001,975,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/12/13 13:41:48 | 000,011,984 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2006/11/01 05:16:02 | 002,068,992 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atikmdag.sys -- (R300)
DRV - [2006/08/29 03:02:18 | 000,257,024 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/08/29 03:01:12 | 000,987,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2006/08/04 06:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/05/04 16:13:52 | 004,271,616 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/05/12 09:47:14 | 000,061,544 | ---- | M] (Raxco Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\defrag32b.sys -- (Defrag32b)
DRV - [2005/05/12 09:47:14 | 000,061,544 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\defrag32.sys -- (Defrag32)
DRV - [2004/08/03 12:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/23 12:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2001/08/17 13:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qv2kux.sys -- (QV2KUX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...007&form=ZGAPHP
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.msn.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...007&form=ZGAPHP
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.msn.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1708537768-515967899-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1708537768-515967899-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1708537768-515967899-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/22 12:43:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/29 08:16:15 | 000,000,000 | ---D | M]

[2009/02/17 14:20:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Extensions
[2011/03/22 12:03:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\extensions
[2011/02/22 15:56:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/31 10:41:24 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/02 13:22:07 | 000,001,827 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\bing.xml
[2008/05/14 12:08:33 | 000,002,520 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\mozilla-add-ons.xml
[2008/05/14 12:09:08 | 000,000,705 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\webster.xml
[2008/05/14 12:08:43 | 000,001,032 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\wikipedia-eng.xml
[2011/03/23 15:43:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/08 17:22:05 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/03/23 15:43:07 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/09/17 08:15:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/03 08:07:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2010/02/16 14:10:12 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/22 12:42:54 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/03/09 13:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2011/04/07 03:04:10 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml
[2011/03/22 12:42:58 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/04/08 13:41:37 | 000,432,331 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14882 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Solid Converter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Solid Converter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKU\.DEFAULT..\Run: [CY08W456F0] File not found
O4 - HKU\S-1-5-18..\Run: [CY08W456F0] File not found
O4 - HKU\S-1-5-21-1708537768-515967899-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1708537768-515967899-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..Trusted Ranges: Range1 ([*] in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1175090937968 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Yumi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Yumi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files\DVD Region+CSS Free\DVDShell.dll (Fengtao Software Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/28 05:46:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 12:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2004/05/21 13:31:16 | 000,000,000 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7ca82018-cc79-11df-bdaf-0030bd1f2902}\Shell - "" = AutoRun
O33 - MountPoints2\{7ca82018-cc79-11df-bdaf-0030bd1f2902}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7ca82018-cc79-11df-bdaf-0030bd1f2902}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{f1f10087-616e-11de-90b3-001921a23cf4}\Shell - "" = AutoRun
O33 - MountPoints2\{f1f10087-616e-11de-90b3-001921a23cf4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f1f10087-616e-11de-90b3-001921a23cf4}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1708537768-515967899-839522115-1003..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/08 12:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/08 12:38:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/08 12:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/08 11:09:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/08 07:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/04/07 16:53:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/07 16:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/07 16:53:28 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/07 16:53:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/07 15:53:17 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/04/07 15:52:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/04/07 15:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Wise Registry Cleaner Free
[2011/04/07 15:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\Wise Registry Cleaner
[2011/04/07 14:50:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/04/07 14:13:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/04/07 09:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/07 08:31:15 | 000,000,000 | ---D | C] -- C:\backups
[2011/04/07 08:25:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yumi\Start Menu\Programs\HiJackThis
[2011/04/07 08:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/04/07 03:03:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2011/04/06 21:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/06 19:28:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/06 16:23:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/06 16:23:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/24 16:24:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/03/24 16:24:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/03/23 15:41:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/03/23 15:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/03/14 09:54:33 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/11 12:35:18 | 000,000,524 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/04/11 11:28:51 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/04/11 11:03:52 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2011/04/11 11:03:27 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/11 11:03:26 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Office Outlook 2003.job
[2011/04/11 11:03:07 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\egthskg.job
[2011/04/11 11:03:02 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\ygajgcqi.job
[2011/04/11 11:02:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/11 10:27:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/08 13:41:37 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/08 13:39:51 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110408-134136.backup
[2011/04/08 13:29:58 | 000,000,073 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/04/08 13:05:22 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110408-133951.backup
[2011/04/08 12:38:21 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/08 12:38:21 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\Spybot - Search & Destroy.lnk
[2011/04/07 16:53:32 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 16:48:06 | 000,013,928 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
[2011/04/07 15:52:56 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/04/07 15:20:47 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Wise Registry Cleaner.lnk
[2011/04/07 14:45:16 | 000,274,168 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/07 13:54:40 | 000,000,054 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/07 13:54:40 | 000,000,039 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/04/07 08:59:57 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\HiJackThis.lnk
[2011/04/07 08:57:54 | 000,000,092 | ---- | M] () -- C:\Documents and Settings\Yumi\default.pls
[2011/04/07 08:57:51 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/04/07 08:42:58 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\mbam.exe.lnk
[2011/04/07 08:41:50 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\exefix.reg
[2011/04/07 08:21:11 | 000,017,162 | -HS- | M] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/07 08:21:11 | 000,017,162 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/07 07:44:05 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/04/06 18:30:07 | 000,034,816 | ---- | M] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | M] () -- C:\WINDOWS\System32\kbdsmsno6.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | M] () -- C:\WINDOWS\System32\dmloadery.dll
[2011/04/05 16:05:07 | 000,000,052 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2011/04/05 11:36:54 | 000,014,308 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\gp58e7rek0f3tjm315j4224kl0yn45fup1h7n
[2011/04/05 11:28:56 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\housecall.guid.cache
[2011/04/04 09:09:46 | 000,000,067 | ---- | M] () -- C:\WINDOWS\DVDRegionFree.INI
[2011/03/29 08:16:15 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/03/24 03:03:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/23 15:41:52 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/08 13:29:58 | 000,000,073 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/04/08 12:38:21 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Yumi\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/08 12:38:21 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\Spybot - Search & Destroy.lnk
[2011/04/07 16:53:32 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 16:43:52 | 000,013,928 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
[2011/04/07 15:52:56 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/04/07 15:20:47 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Wise Registry Cleaner.lnk
[2011/04/07 08:42:58 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\mbam.exe.lnk
[2011/04/07 08:36:04 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\exefix.reg
[2011/04/07 08:25:29 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\HiJackThis.lnk
[2011/04/06 18:30:07 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/04/06 17:18:57 | 000,017,162 | -HS- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/06 17:18:57 | 000,017,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/06 16:13:56 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\egthskg.job
[2011/04/06 16:13:56 | 000,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\ygajgcqi.job
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\kbdsmsno6.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\dmloadery.dll
[2011/04/05 11:28:56 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\housecall.guid.cache
[2011/04/05 11:04:32 | 000,014,308 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\gp58e7rek0f3tjm315j4224kl0yn45fup1h7n
[2011/03/24 07:47:21 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/03/24 07:47:21 | 000,000,039 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/03/23 15:41:52 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/03/22 12:43:22 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/03/02 10:53:10 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/08 12:58:13 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\BD5240.DAT
[2010/02/19 09:40:08 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/07/08 16:26:40 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2008/02/05 15:15:55 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/09/17 17:46:04 | 000,001,156 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/08/08 13:26:09 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/26 09:29:02 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\jacob.dll
[2007/06/18 16:21:34 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2007/06/08 17:22:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/06/07 14:21:45 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_1850.ini
[2007/06/07 14:15:11 | 000,000,080 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/06/07 12:10:16 | 000,000,391 | ---- | C] () -- C:\WINDOWS\COVERE~1.INI
[2007/06/07 10:05:30 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/05/25 16:06:07 | 000,009,331 | ---- | C] () -- C:\Documents and Settings\Yumi\Application Data\Comma Separated Values (Windows).EML
[2007/05/25 16:04:50 | 000,038,999 | ---- | C] () -- C:\Documents and Settings\Yumi\Application Data\Comma Separated Values (Windows).ADR
[2007/04/12 16:13:51 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/04/04 12:42:23 | 000,000,043 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2007/03/29 09:44:27 | 000,000,040 | ---- | C] () -- C:\WINDOWS\BO5170DN.INI
[2007/03/29 09:44:08 | 000,000,524 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/03/29 09:44:08 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/03/29 09:21:14 | 000,000,118 | ---- | C] () -- C:\WINDOWS\ConverterCore.INI
[2007/03/28 05:59:43 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\atiumdva.dat
[2007/03/28 05:59:43 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\atitmmxx.dll
[2007/03/28 05:59:42 | 000,128,813 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2007/03/28 05:48:43 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/03/28 05:43:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/03/28 05:06:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/28 04:12:49 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2007/03/28 03:55:16 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/03/28 03:55:16 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/03/28 03:26:03 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2007/03/27 19:39:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/03/27 19:36:18 | 000,274,168 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/02/02 09:40:11 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 12:00:00 | 000,483,794 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 12:00:00 | 000,080,064 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/02/08 09:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2011/03/14 09:54:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2007/04/04 12:42:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2007/06/06 12:17:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/10/28 08:07:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/02/17 12:18:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/07/08 16:26:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/02/14 11:13:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\3M
[2011/02/11 12:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\FileMaker
[2011/02/14 09:38:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\GetRightToGo
[2011/03/01 14:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\gtk-2.0
[2011/02/14 11:26:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Yumi\Application Data\3M
[2011/02/10 16:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Yumi\Application Data\Boilsoft
[2007/03/30 09:41:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Yumi\Application Data\FileMaker
[2009/10/19 13:38:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Yumi\Application Data\FileMaker Pro
[2009/09/30 07:47:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Yumi\Application Data\Leadertech
[2010/09/07 13:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Yumi\Application Data\SolidDocuments
[2011/04/07 07:44:05 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/04/11 11:03:07 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\Tasks\egthskg.job
[2011/04/11 11:03:52 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2011/04/11 11:03:02 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\Tasks\ygajgcqi.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/06/05 13:07:04 | 000,000,000 | ---D | M](C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData
[2009/06/05 13:07:04 | 000,000,000 | ---D | M](C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData
(C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData

========== Alternate Data Streams ==========

@Alternate Data Stream - 836 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34

< End of report >

[Advertisements]

First disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Copy the text in the code box by highlighting and Ctrl + c

:Services
6to4

:OTL
SRV - File not found [Auto | Stopped] -- -- (6to4)
IE - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
[2010/09/17 08:15:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/03 08:07:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
O4 - HKU\.DEFAULT..\Run: [CY08W456F0] File not found
O4 - HKU\S-1-5-18..\Run: [CY08W456F0] File not found
O15 - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..Trusted Ranges: Range1 ([*] in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
[2011/04/07 16:43:52 | 000,013,928 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
[2011/04/06 18:30:07 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/04/06 17:18:57 | 000,017,162 | -HS- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/06 17:18:57 | 000,017,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/06 16:13:56 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\egthskg.job
[2011/04/06 16:13:56 | 000,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\ygajgcqi.job
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\kbdsmsno6.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\dmloadery.dll
[2011/04/05 11:28:56 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\housecall.guid.cache
[2011/04/05 11:04:32 | 000,014,308 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\gp58e7rek0f3tjm315j4224kl0yn45fup1h7n
[2009/06/05 13:07:04 | 000,000,000 | ---D | M](C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData
[2009/06/05 13:07:04 | 000,000,000 | ---D | M](C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData
(C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData


:Files
C:\WINDOWS\tasks\At*.job
     
:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then right click and Run as Administrator

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

One of your bugs: ITLNFW32.DLL is identified as a Trojan Program that is used for stealing bank information and users passwords. So if you have logged into your bank, bought something with a credit card or used a password on another site you might want to change all your passwords immediately and check for fraud.

nstall the free Avast:

http://www.avast.com...ivirus-download

Once you have it installed and it has updated, right click on it and select Open Avast! User Interface then click on Scan Computer, then on
Boot-Time Scan then Schedule Now. Reboot and let it run a scan. It will take hours and unfortunately you may need to check back with it once in a while to see if it needs an input from you. Usually the first time it stops if you tell it to quarantine all or move all to the chest it won't bother you again until it finishes.



Ron

[RKinner]

First disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Copy the text in the code box by highlighting and Ctrl + c

:Services
6to4

:OTL
SRV - File not found [Auto | Stopped] -- -- (6to4)
IE - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
[2010/09/17 08:15:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/03 08:07:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
O4 - HKU\.DEFAULT..\Run: [CY08W456F0] File not found
O4 - HKU\S-1-5-18..\Run: [CY08W456F0] File not found
O15 - HKU\S-1-5-21-1708537768-515967899-839522115-1003\..Trusted Ranges: Range1 ([*] in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O20 - Winlogon\Notify\itlnfw32: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - C:\WINDOWS\System32\itlnfw32.dll ()
[2011/04/07 16:43:52 | 000,013,928 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
[2011/04/06 18:30:07 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\itlnfw32.dll
[2011/04/06 17:18:57 | 000,017,162 | -HS- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/06 17:18:57 | 000,017,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84
[2011/04/06 16:13:56 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\egthskg.job
[2011/04/06 16:13:56 | 000,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\ygajgcqi.job
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\kbdsmsno6.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\dmloadery.dll
[2011/04/05 11:28:56 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\housecall.guid.cache
[2011/04/05 11:04:32 | 000,014,308 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\gp58e7rek0f3tjm315j4224kl0yn45fup1h7n
[2009/06/05 13:07:04 | 000,000,000 | ---D | M](C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData
[2009/06/05 13:07:04 | 000,000,000 | ---D | M](C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData
(C:\Documents and Settings\Yumi\Application Data\???????sAppData) -- C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData


:Files
C:\WINDOWS\tasks\At*.job
     
:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then right click and Run as Administrator

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

One of your bugs: ITLNFW32.DLL is identified as a Trojan Program that is used for stealing bank information and users passwords. So if you have logged into your bank, bought something with a credit card or used a password on another site you might want to change all your passwords immediately and check for fraud.

nstall the free Avast:

http://www.avast.com...ivirus-download

Once you have it installed and it has updated, right click on it and select Open Avast! User Interface then click on Scan Computer, then on
Boot-Time Scan then Schedule Now. Reboot and let it run a scan. It will take hours and unfortunately you may need to check back with it once in a while to see if it needs an input from you. Usually the first time it stops if you tell it to quarantine all or move all to the chest it won't bother you again until it finishes.



Ron

[dpattt]

Thank you for your help!
okay so here are the logss.

First otl log after applying fixes

OTL logfile created on: 4/14/2011 1:47:26 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Yumi\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 58.59 Gb Total Space | 4.45 Gb Free Space | 7.60% Space Free | Partition Type: NTFS
Drive D: | 53.19 Gb Total Space | 47.72 Gb Free Space | 89.72% Space Free | Partition Type: NTFS
Drive G: | 39.06 Gb Total Space | 27.25 Gb Free Space | 69.78% Space Free | Partition Type: NTFS
Drive H: | 35.48 Gb Total Space | 34.51 Gb Free Space | 97.26% Space Free | Partition Type: NTFS

Computer Name: ACADEMIA006 | User Name: Yumi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/11 13:07:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yumi\My Documents\Downloads\OTL.exe
PRC - [2011/03/22 12:42:54 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/10 22:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
PRC - [2008/04/13 14:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/05/12 12:43:28 | 000,241,731 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDSched.exe


========== Modules (SafeList) ==========

MOD - [2011/04/11 13:07:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Yumi\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 06:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/04/06 18:30:08 | 000,215,552 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\itlpfw32.dll -- (itlperf)
SRV - [2009/09/30 08:05:57 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/12/14 02:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 02:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 01:46:16 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/05/12 12:43:28 | 000,241,731 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk\PDSched.exe -- (PDSched)
SRV - [2005/05/12 12:42:40 | 000,483,397 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)


========== Driver Services (SafeList) ==========

DRV - [2007/02/02 10:03:25 | 001,975,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/12/13 13:41:48 | 000,011,984 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2006/11/01 05:16:02 | 002,068,992 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atikmdag.sys -- (R300)
DRV - [2006/08/29 03:02:18 | 000,257,024 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/08/29 03:01:12 | 000,987,648 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2006/08/04 06:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/05/04 16:13:52 | 004,271,616 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/05/12 09:47:14 | 000,061,544 | ---- | M] (Raxco Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\defrag32b.sys -- (Defrag32b)
DRV - [2005/05/12 09:47:14 | 000,061,544 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\defrag32.sys -- (Defrag32)
DRV - [2004/08/03 12:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/23 12:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2001/08/17 13:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qv2kux.sys -- (QV2KUX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/11 15:36:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/11 15:36:09 | 000,000,000 | ---D | M]

[2009/02/17 14:20:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Extensions
[2011/03/22 12:03:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\extensions
[2011/02/22 15:56:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/31 10:41:24 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/02 13:22:07 | 000,001,827 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\bing.xml
[2008/05/14 12:08:33 | 000,002,520 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\mozilla-add-ons.xml
[2008/05/14 12:09:08 | 000,000,705 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\webster.xml
[2008/05/14 12:08:43 | 000,001,032 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\searchplugins\wikipedia-eng.xml
[2011/04/14 13:29:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/08 17:22:05 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/03/23 15:43:07 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
File not found (No name found) --
[2010/02/16 14:10:12 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/22 12:42:54 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/03/09 13:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2011/04/07 03:04:10 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml
[2011/03/22 12:42:58 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/04/14 13:29:58 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Solid Converter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Solid Converter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1175090937968 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Yumi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Yumi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files\DVD Region+CSS Free\DVDShell.dll (Fengtao Software Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/28 05:46:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/05/21 13:31:16 | 000,000,000 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7ca82018-cc79-11df-bdaf-0030bd1f2902}\Shell - "" = AutoRun
O33 - MountPoints2\{7ca82018-cc79-11df-bdaf-0030bd1f2902}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7ca82018-cc79-11df-bdaf-0030bd1f2902}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{f1f10087-616e-11de-90b3-001921a23cf4}\Shell - "" = AutoRun
O33 - MountPoints2\{f1f10087-616e-11de-90b3-001921a23cf4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f1f10087-616e-11de-90b3-001921a23cf4}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/14 13:48:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yumi\Desktop\clean
[2011/04/14 13:29:45 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/08 12:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/08 12:38:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/08 12:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/08 11:09:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/08 07:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/04/07 15:53:17 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/04/07 15:52:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/04/07 15:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Wise Registry Cleaner Free
[2011/04/07 15:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\Wise Registry Cleaner
[2011/04/07 14:50:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/04/07 14:13:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/04/07 09:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/07 08:31:15 | 000,000,000 | ---D | C] -- C:\backups
[2011/04/07 08:25:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Yumi\Start Menu\Programs\HiJackThis
[2011/04/07 08:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/04/07 03:03:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2011/04/06 21:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/06 19:28:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/06 18:30:08 | 000,215,552 | ---- | C] (Intel Corporation ) -- C:\WINDOWS\System32\itlpfw32.dll
[2011/04/06 16:23:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/06 16:23:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/24 16:24:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/03/24 16:24:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/03/23 15:41:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/03/23 15:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[1 C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/14 13:42:56 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2011/04/14 13:42:55 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/14 13:42:55 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Office Outlook 2003.job
[2011/04/14 13:41:36 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\egthskg.job
[2011/04/14 13:41:31 | 000,000,306 | -HS- | M] () -- C:\WINDOWS\tasks\ygajgcqi.job
[2011/04/14 13:41:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/14 13:29:58 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/14 07:44:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/04/13 14:23:35 | 000,000,524 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/04/13 14:23:35 | 000,000,052 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2011/04/11 11:28:51 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/04/11 10:27:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/08 13:41:37 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts22
[2011/04/08 13:41:37 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\Copy of hosts
[2011/04/08 13:39:51 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110408-134136.backup
[2011/04/08 13:29:58 | 000,000,073 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/04/08 13:05:22 | 000,432,331 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110408-133951.backup
[2011/04/08 12:38:21 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Yumi\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/08 12:38:21 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\Spybot - Search & Destroy.lnk
[2011/04/07 15:52:56 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/04/07 15:20:47 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Wise Registry Cleaner.lnk
[2011/04/07 14:45:16 | 000,274,168 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/07 13:54:40 | 000,000,054 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/07 13:54:40 | 000,000,039 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/04/07 08:59:57 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\HiJackThis.lnk
[2011/04/07 08:57:54 | 000,000,092 | ---- | M] () -- C:\Documents and Settings\Yumi\default.pls
[2011/04/07 08:57:51 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/04/07 08:42:58 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\Yumi\Desktop\mbam.exe.lnk
[2011/04/06 18:30:08 | 000,215,552 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\System32\itlpfw32.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | M] () -- C:\WINDOWS\System32\kbdsmsno6.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | M] () -- C:\WINDOWS\System32\dmloadery.dll
[2011/04/04 09:09:46 | 000,000,067 | ---- | M] () -- C:\WINDOWS\DVDRegionFree.INI
[2011/03/29 08:16:15 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/03/24 03:03:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/23 15:41:52 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[1 C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Yumi\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/08 13:29:58 | 000,000,073 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/04/08 12:38:21 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Yumi\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/04/08 12:38:21 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\Spybot - Search & Destroy.lnk
[2011/04/07 15:52:56 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/04/07 15:20:47 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Wise Registry Cleaner.lnk
[2011/04/07 08:42:58 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\mbam.exe.lnk
[2011/04/07 08:25:29 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Yumi\Desktop\HiJackThis.lnk
[2011/04/06 16:13:56 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\egthskg.job
[2011/04/06 16:13:56 | 000,000,306 | -HS- | C] () -- C:\WINDOWS\tasks\ygajgcqi.job
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\kbdsmsno6.dll
[2011/04/06 16:13:50 | 000,090,112 | RHS- | C] () -- C:\WINDOWS\System32\dmloadery.dll
[2011/03/24 07:47:21 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/03/24 07:47:21 | 000,000,039 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/03/23 15:41:52 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/03/22 12:43:22 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/03/02 10:53:10 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/08 12:58:13 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\BD5240.DAT
[2010/02/19 09:40:08 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/07/08 16:26:40 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2008/02/05 15:15:55 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/09/17 17:46:04 | 000,001,156 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/08/08 13:26:09 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Yumi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/26 09:29:02 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\jacob.dll
[2007/06/18 16:21:34 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2007/06/08 17:22:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/06/07 14:21:45 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_1850.ini
[2007/06/07 14:15:11 | 000,000,080 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/06/07 12:10:16 | 000,000,391 | ---- | C] () -- C:\WINDOWS\COVERE~1.INI
[2007/06/07 10:05:30 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/05/25 16:06:07 | 000,009,331 | ---- | C] () -- C:\Documents and Settings\Yumi\Application Data\Comma Separated Values (Windows).EML
[2007/05/25 16:04:50 | 000,038,999 | ---- | C] () -- C:\Documents and Settings\Yumi\Application Data\Comma Separated Values (Windows).ADR
[2007/04/12 16:13:51 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/04/04 12:42:23 | 000,000,043 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2007/03/29 09:44:27 | 000,000,040 | ---- | C] () -- C:\WINDOWS\BO5170DN.INI
[2007/03/29 09:44:08 | 000,000,524 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/03/29 09:44:08 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/03/29 09:21:14 | 000,000,118 | ---- | C] () -- C:\WINDOWS\ConverterCore.INI
[2007/03/28 05:59:43 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\atiumdva.dat
[2007/03/28 05:59:43 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\atitmmxx.dll
[2007/03/28 05:59:42 | 000,128,813 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2007/03/28 05:48:43 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/03/28 05:43:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/03/28 05:06:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/28 04:12:49 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2007/03/28 03:55:16 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/03/28 03:55:16 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/03/28 03:26:03 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2007/03/27 19:39:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/03/27 19:36:18 | 000,274,168 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/02/02 09:40:11 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 12:00:00 | 000,483,794 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 12:00:00 | 000,080,064 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 836 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35E5AF34

< End of report >

**after running safelist option on registry*
All processes killed
========== SERVICES/DRIVERS ==========
Service 6to4 stopped successfully!
Service 6to4 deleted successfully!
========== OTL ==========
Error: No service named 6to4 was found to stop!
Service\Driver key 6to4 not found.
Registry value HKEY_USERS\S-1-5-21-1708537768-515967899-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Prefs.js: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} folder moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\CY08W456F0 deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\CY08W456F0 not found.
Registry value HKEY_USERS\S-1-5-21-1708537768-515967899-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\* deleted successfully.
Invalid CLSID key: *
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlnfw32\ deleted successfully.
C:\WINDOWS\system32\itlnfw32.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\itlntfy\ deleted successfully.
File C:\WINDOWS\System32\itlnfw32.dll not found.
C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8 moved successfully.
File C:\WINDOWS\System32\itlnfw32.dll not found.
C:\Documents and Settings\Yumi\Local Settings\Application Data\d370ib50k8d5s35bk41t72fyy28xc84 moved successfully.
C:\Documents and Settings\All Users\Application Data\d370ib50k8d5s35bk41t72fyy28xc84 moved successfully.
File move failed. C:\WINDOWS\tasks\egthskg.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\tasks\ygajgcqi.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\kbdsmsno6.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\dmloadery.dll scheduled to be moved on reboot.
C:\Documents and Settings\Yumi\Local Settings\Application Data\housecall.guid.cache moved successfully.
C:\Documents and Settings\All Users\Application Data\gp58e7rek0f3tjm315j4224kl0yn45fup1h7n moved successfully.
C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData folder moved successfully.
Folder C:\Documents and Settings\Yumi\Application Data\敎潲䍄敔灭慬整sAppData\ not found.
========== FILES ==========
File\Folder C:\WINDOWS\tasks\At*.job not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: All Users

User: David
->Temp folder emptied: 203992291 bytes
->Temporary Internet Files folder emptied: 123918622 bytes
->Java cache emptied: 23932 bytes
->FireFox cache emptied: 71343001 bytes
->Flash cache emptied: 204893 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 1597665 bytes
->Flash cache emptied: 3607 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 463857810 bytes
->Java cache emptied: 13306 bytes
->Flash cache emptied: 57209 bytes

User: Yumi
->Temp folder emptied: 1728176 bytes
->Temporary Internet Files folder emptied: 141085439 bytes
->Java cache emptied: 38868482 bytes
->FireFox cache emptied: 28927352 bytes
->Flash cache emptied: 2080062 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 35752050 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 51758502 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 41731119 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,156.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04142011_132945

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\tasks\egthskg.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\tasks\ygajgcqi.job scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\kbdsmsno6.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\dmloadery.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...
*
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6365

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/14/2011 3:09:56 PM
mbam-log-2011-04-14 (15-09-56).txt

Scan type: Full scan (C:\|)
Objects scanned: 236713
Time elapsed: 1 hour(s), 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ComboFix 11-04-14.01 - Yumi 04/14/2011 15:24:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1407.941 [GMT -10:00]
Running from: c:\documents and settings\Yumi\Desktop\georgefix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David\Application Data\Adobe\plugs
c:\documents and settings\David\Application Data\Adobe\shed
c:\windows\system32\itlpfw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-14 23:56 . 2010-12-21 04:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 23:56 . 2011-04-14 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 23:56 . 2010-12-21 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 23:29 . 2011-04-14 23:29 -------- d-----w- C:\_OTL
2011-04-13 00:37 . 2011-04-13 00:37 -------- d-----w- c:\documents and settings\David\Application Data\FileMaker Pro
2011-04-13 00:35 . 2011-04-13 00:35 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\FileMaker
2011-04-12 01:36 . 2009-06-25 23:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2011-04-08 22:38 . 2011-04-08 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-08 22:38 . 2011-04-08 22:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-08 22:10 . 2011-04-08 22:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-08 21:21 . 2011-04-08 21:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-08 21:09 . 2011-04-08 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-08 19:24 . 2011-04-08 19:24 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-08 17:14 . 2011-04-08 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-04-08 01:53 . 2011-04-08 01:53 -------- d-----w- c:\program files\VS Revo Group
2011-04-08 01:20 . 2011-04-08 01:25 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-04-08 00:50 . 2011-04-08 20:43 -------- d-----w- c:\program files\Windows Defender
2011-04-08 00:13 . 2011-04-08 00:45 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-07 18:31 . 2011-04-07 18:45 -------- d-----w- C:\backups
2011-04-07 18:25 . 2011-04-07 18:25 388096 ----a-r- c:\documents and settings\Yumi\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-07 18:25 . 2011-04-07 18:25 -------- d-----w- c:\program files\Trend Micro
2011-04-07 03:45 . 2011-04-07 06:31 664 ----a-w- c:\documents and settings\Yumi\Local Settings\Application Data\d3d9caps.tmp
2011-04-07 02:59 . 2011-04-07 02:59 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2011-04-07 02:13 . 2011-04-07 02:13 90112 --sha-r- c:\windows\system32\kbdsmsno6.dll
2011-04-07 02:13 . 2011-04-07 02:13 90112 --sha-r- c:\windows\system32\dmloadery.dll
2011-03-25 02:24 . 2011-03-25 02:24 -------- d-----w- c:\program files\Microsoft Silverlight
2011-03-24 01:43 . 2011-04-07 21:05 -------- d-----w- c:\documents and settings\David\Application Data\skypePM
2011-03-24 01:42 . 2011-04-08 00:46 -------- d-----w- c:\documents and settings\David\Application Data\Skype
2011-03-24 01:41 . 2011-03-24 01:41 -------- d-----w- c:\program files\Common Files\Skype
2011-03-22 22:42 . 2011-03-22 22:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-22 22:42 . 2011-03-22 22:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-22 22:42 . 2011-03-22 22:42 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-22 22:42 . 2011-03-22 22:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-22 22:42 . 2011-03-22 22:42 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-22 22:42 . 2011-03-22 22:42 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2007-03-28 15:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2007-03-28 15:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-10 49152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Digital Notes.lnk]
backup=c:\windows\pss\Post-it® Digital Notes.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Yumi^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\K8CE6CA1JO
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Q7NZMT7RLB
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartIndex
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 09:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-16 19:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-05-16 03:12 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 02:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-02 01:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 09:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-03-08 21:02 17037704 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 22:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 21:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\moodle_home\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 10\\FileMaker Pro.exe"=
"c:\\moodle_home\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [5/12/2005 12:43 PM 241731]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 ttqsfvo;ttqsfvo;c:\windows\system32\drivers\xyll.sys --> c:\windows\system32\drivers\xyll.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-05-16 03:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
- - - - ORPHANS REMOVED - - - -
.
Notify-itlntfy - itlnfw32.dll
MSConfigStartUp-k70ccreloc - (no file)
HKLM_ActiveSetup-ccc-core-static - msiexec
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 15:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,6b,4a,4b,72,d1,58,4b,a2,fc,00,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,6b,4a,4b,72,d1,58,4b,a2,fc,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2011-04-14 15:38:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-15 01:38
.
Pre-Run: 9,624,436,736 bytes free
Post-Run: 9,441,185,792 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 032BB12AABD67E4630EB1DA7EF5F7E18


2011/04/14 15:11:23.0187 3956 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/14 15:11:23.0671 3956 ================================================================================
2011/04/14 15:11:23.0671 3956 SystemInfo:
2011/04/14 15:11:23.0671 3956
2011/04/14 15:11:23.0671 3956 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/14 15:11:23.0671 3956 Product type: Workstation
2011/04/14 15:11:23.0671 3956 ComputerName: ACADEMIA006
2011/04/14 15:11:23.0671 3956 UserName: Yumi
2011/04/14 15:11:23.0671 3956 Windows directory: C:\WINDOWS
2011/04/14 15:11:23.0671 3956 System windows directory: C:\WINDOWS
2011/04/14 15:11:23.0671 3956 Processor architecture: Intel x86
2011/04/14 15:11:23.0671 3956 Number of processors: 1
2011/04/14 15:11:23.0671 3956 Page size: 0x1000
2011/04/14 15:11:23.0671 3956 Boot type: Normal boot
2011/04/14 15:11:23.0671 3956 ================================================================================
2011/04/14 15:11:24.0234 3956 Initialize success
2011/04/14 15:11:25.0875 1916 ================================================================================
2011/04/14 15:11:25.0875 1916 Scan started
2011/04/14 15:11:25.0875 1916 Mode: Manual;
2011/04/14 15:11:25.0875 1916 ================================================================================
2011/04/14 15:11:27.0359 1916 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/14 15:11:27.0484 1916 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/14 15:11:27.0656 1916 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/14 15:11:27.0781 1916 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/14 15:11:28.0484 1916 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/14 15:11:28.0609 1916 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/14 15:11:29.0046 1916 ati2mtag (a1789368b4a31d2111af7aeda0c8d3fc) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/14 15:11:29.0281 1916 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/14 15:11:29.0406 1916 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/14 15:11:29.0531 1916 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/14 15:11:29.0656 1916 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/14 15:11:29.0843 1916 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/14 15:11:29.0953 1916 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/14 15:11:30.0046 1916 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/14 15:11:30.0546 1916 Defrag32 (9ac3d088bbed2dd2f4b1e791d7374371) C:\WINDOWS\system32\drivers\Defrag32.sys
2011/04/14 15:11:30.0656 1916 Defrag32b (0baf90b406d074192f929b8bc512d7a2) C:\WINDOWS\system32\drivers\Defrag32b.sys
2011/04/14 15:11:30.0765 1916 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/14 15:11:30.0906 1916 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/14 15:11:31.0046 1916 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/14 15:11:31.0140 1916 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/14 15:11:31.0250 1916 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/14 15:11:31.0453 1916 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/14 15:11:31.0593 1916 ElbyCDIO (b5326548762bfaae7a42d5b0898dfeac) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2011/04/14 15:11:31.0687 1916 ElbyDelay (20d3b81663b3dfd5e32b0af8640aaf50) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
2011/04/14 15:11:31.0828 1916 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/14 15:11:31.0937 1916 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/14 15:11:32.0046 1916 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/14 15:11:32.0156 1916 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/14 15:11:32.0250 1916 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/14 15:11:32.0406 1916 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2011/04/14 15:11:32.0515 1916 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/14 15:11:32.0625 1916 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/14 15:11:32.0765 1916 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/14 15:11:32.0890 1916 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/14 15:11:33.0000 1916 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/14 15:11:33.0187 1916 HSF_DP (d1ee1f4b5df4660d72749d28a50dbeed) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
2011/04/14 15:11:33.0328 1916 HSXHWBS2 (d40d29a880a1a1ba5aee2e21aac9f6f7) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
2011/04/14 15:11:33.0437 1916 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/14 15:11:33.0718 1916 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/14 15:11:33.0843 1916 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/14 15:11:34.0156 1916 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/14 15:11:34.0421 1916 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/14 15:11:34.0531 1916 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/14 15:11:34.0625 1916 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/14 15:11:34.0734 1916 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/14 15:11:34.0843 1916 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/14 15:11:34.0953 1916 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/14 15:11:35.0062 1916 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/14 15:11:35.0171 1916 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/14 15:11:35.0296 1916 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/14 15:11:35.0390 1916 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/14 15:11:35.0500 1916 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/14 15:11:35.0625 1916 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/14 15:11:36.0000 1916 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/14 15:11:36.0125 1916 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/14 15:11:36.0234 1916 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/14 15:11:36.0343 1916 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/14 15:11:36.0437 1916 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/14 15:11:36.0546 1916 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/14 15:11:36.0703 1916 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/14 15:11:36.0843 1916 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/14 15:11:36.0984 1916 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/14 15:11:37.0109 1916 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/14 15:11:37.0203 1916 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/14 15:11:37.0312 1916 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/14 15:11:37.0406 1916 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/14 15:11:37.0531 1916 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/14 15:11:37.0656 1916 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/14 15:11:38.0000 1916 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/14 15:11:38.0093 1916 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/14 15:11:38.0203 1916 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/14 15:11:38.0328 1916 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/14 15:11:38.0468 1916 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/14 15:11:38.0578 1916 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/14 15:11:38.0750 1916 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/14 15:11:38.0859 1916 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/14 15:11:39.0000 1916 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/14 15:11:39.0093 1916 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/14 15:11:39.0203 1916 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/14 15:11:39.0328 1916 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/14 15:11:39.0437 1916 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/14 15:11:39.0546 1916 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/14 15:11:39.0656 1916 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/14 15:11:39.0890 1916 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/14 15:11:40.0031 1916 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/14 15:11:40.0625 1916 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/14 15:11:40.0734 1916 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/14 15:11:40.0843 1916 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/14 15:11:40.0984 1916 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/14 15:11:41.0609 1916 QV2KUX (0087f01d35a65b32393cc8bba46ee4a6) C:\WINDOWS\system32\DRIVERS\qv2kux.sys
2011/04/14 15:11:41.0750 1916 R300 (8766b8f65459c37e20d525645e30e466) C:\WINDOWS\system32\DRIVERS\atikmdag.sys
2011/04/14 15:11:41.0937 1916 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/14 15:11:42.0031 1916 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/14 15:11:42.0156 1916 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/14 15:11:42.0250 1916 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/14 15:11:42.0359 1916 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/14 15:11:42.0468 1916 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/14 15:11:42.0593 1916 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/14 15:11:42.0718 1916 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/14 15:11:42.0812 1916 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/14 15:11:42.0953 1916 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/04/14 15:11:43.0109 1916 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/14 15:11:43.0218 1916 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/14 15:11:43.0375 1916 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/14 15:11:43.0640 1916 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/14 15:11:43.0750 1916 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/14 15:11:43.0875 1916 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/14 15:11:44.0062 1916 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/14 15:11:44.0234 1916 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/14 15:11:45.0250 1916 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/14 15:11:45.0906 1916 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/14 15:11:46.0171 1916 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/14 15:11:46.0296 1916 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/14 15:11:46.0406 1916 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/14 15:11:46.0671 1916 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/14 15:11:46.0859 1916 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/14 15:11:47.0015 1916 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/04/14 15:11:47.0093 1916 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/14 15:11:47.0203 1916 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/14 15:11:47.0312 1916 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/14 15:11:47.0421 1916 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/14 15:11:47.0515 1916 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/14 15:11:47.0593 1916 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/14 15:11:47.0718 1916 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/14 15:11:47.0859 1916 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/14 15:11:48.0000 1916 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/14 15:11:48.0156 1916 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/14 15:11:48.0312 1916 winachsf (9521278962c0dee2a11c2472075e6d5e) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2011/04/14 15:11:48.0625 1916 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/14 15:11:48.0750 1916 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/14 15:11:48.0859 1916 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\WINDOWS\system32\DRIVERS\xaudio.sys
2011/04/14 15:11:49.0140 1916 ================================================================================
2011/04/14 15:11:49.0140 1916 Scan finished
2011/04/14 15:11:49.0140 1916 ================================================================================
2011/04/14 15:11:55.0500 3740 Deinitialize success


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x008000dc

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xBA108000 Defrag32b.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xB77A3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB752F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB751B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB74F7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7793000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5E2000 \SystemRoot\System32\Drivers\ElbyDelay.sys
0xB7783000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB7773000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB74D4000 \SystemRoot\system32\DRIVERS\ks.sys
0xB74AC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA410000 \SystemRoot\system32\DRIVERS\RTL8139.SYS
0xB7462000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xB735F000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xB72AB000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xBA420000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA578000 \SystemRoot\system32\DRIVERS\fsvga.sys
0xBA699000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB7763000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7294000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB7753000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB7743000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA428000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7283000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA188000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA438000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA440000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7253000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA198000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA448000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA450000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5E4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB71F5000 \SystemRoot\system32\DRIVERS\update.sys
0xBA598000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5EC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAEBE3000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAEBBF000 \SystemRoot\system32\drivers\portcls.sys
0xBA208000 \SystemRoot\system32\drivers\drmk.sys
0xBA5FA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA77A000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5FC000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA488000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA490000 \SystemRoot\System32\drivers\vga.sys
0xBA5FE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA600000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA550000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAE904000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAE8AB000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAE883000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAE861000 \SystemRoot\System32\drivers\afd.sys
0xBA228000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAE836000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAE7C6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA238000 \SystemRoot\System32\Drivers\Fips.SYS
0xAE700000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA248000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB71F1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA278000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB71E9000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB71E1000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA288000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAE6C0000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA60E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAEBB3000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3A8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA777000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF056000 \SystemRoot\System32\ati2cqag.dll
0xBF0AB000 \SystemRoot\System32\atikvmag.dll
0xBF0F7000 \SystemRoot\System32\ati3duag.dll
0xBF3AA000 \SystemRoot\System32\ativvaxx.dll
0xBF4E1000 \SystemRoot\System32\ATMFD.DLL
0xAC31C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xABFDB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAC3C8000 \SystemRoot\System32\Drivers\Defrag32.SYS
0xBA662000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xABE6B000 \SystemRoot\system32\DRIVERS\srv.sys
0xAC1B4000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xBA480000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xABB0E000 \SystemRoot\system32\drivers\wdmaud.sys
0xABDFB000 \SystemRoot\system32\drivers\sysaudio.sys
0xAB75D000 \SystemRoot\System32\Drivers\HTTP.sys
0xAB6CD000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xAB45C000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 34):
0 System Idle Process
4 System
504 C:\WINDOWS\system32\smss.exe
560 csrss.exe
588 C:\WINDOWS\system32\winlogon.exe
632 C:\WINDOWS\system32\services.exe
644 C:\WINDOWS\system32\lsass.exe
800 C:\WINDOWS\system32\ati2evxx.exe
832 C:\WINDOWS\system32\svchost.exe
908 svchost.exe
996 C:\WINDOWS\system32\svchost.exe
1040 svchost.exe
1092 svchost.exe
1352 C:\WINDOWS\system32\rundll32.exe
1348 C:\WINDOWS\system32\spoolsv.exe
1548 svchost.exe
1604 C:\Program Files\Bonjour\mDNSResponder.exe
1684 C:\WINDOWS\system32\svchost.exe
1712 C:\Program Files\Java\jre6\bin\jqs.exe
1740 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1764 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1944 C:\WINDOWS\system32\svchost.exe
2000 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
224 C:\Program Files\Raxco\PerfectDisk\PDSched.exe
500 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
1024 alg.exe
1792 C:\WINDOWS\system32\WgaTray.exe
1984 C:\WINDOWS\explorer.exe
1672 C:\WINDOWS\notepad.exe
2052 C:\WINDOWS\system32\ctfmon.exe
2448 C:\Program Files\Mozilla Firefox\firefox.exe
2748 C:\Program Files\Mozilla Firefox\plugin-container.exe
3272 C:\WINDOWS\system32\svchost.exe
868 C:\Documents and Settings\Yumi\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000e`a609c000 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive1 at offset 0x00000009`c3dcd400 (NTFS)

PhysicalDrive0 Model Number: ST3120213AS, Rev: 3.AHL
PhysicalDrive1 Model Number: MAXTOR6L080L4, Rev: A93.0500

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
74 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

and AVAST found one virus which it deleted.



thankyou for your help . i hope this is it? thank you so much for your patience and help in this. a huge help and much easier than reformatting everything.

[RKinner]

Almost there.





Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\system32\kbdsmsno6.dll
c:\windows\system32\dmloadery.dll
C:\WINDOWS\tasks\egthskg.job
C:\WINDOWS\tasks\ygajgcqi.job
C:\WINDOWS\system32\itlpfw32.dll

Driver::
Lbd
ttqsfvo
itlperf
itlsvc


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

You have two items unchecked in msconfig:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\K8CE6CA1JO

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Q7NZMT7RLB

Don't know what they do but are obviously malware. Should be safe to uncheck them now and then run combofix one more time.

I don't see an anti-virus. Let's install the free Avast:

http://www.avast.com...ivirus-download

Once you have it installed and it has updated, right click on it and select Open Avast! User Interface then click on Scan Computer, then on
Boot-Time Scan then Schedule Now. Reboot and let it run a scan. It may take a few hours and unfortunately you may need to check back with it once in a while to see if it needs an input from you but the first time it stops you can tell it to Move All to the chest or quarantine and it shouldn't bother you again.

Is the redirect gone? Any other problems?

Ron

[dpattt]

Okay- followed your steps. I hope this is it. I had avast installed earlier, maybe it didnt show on my logs when I posted. Am I all clear?

Thanks!


ComboFix 11-04-14.03 - Yumi 04/15/2011 12:54:52.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1407.962 [GMT -10:00]
Running from: c:\documents and settings\Yumi\Desktop\georgefix.exe
Command switches used :: c:\documents and settings\Yumi\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\dmloadery.dll"
"c:\windows\system32\itlpfw32.dll"
"c:\windows\system32\kbdsmsno6.dll"
"c:\windows\tasks\egthskg.job"
"c:\windows\tasks\ygajgcqi.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dmloadery.dll
c:\windows\system32\kbdsmsno6.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LBD
-------\Service_Lbd
-------\Service_ttqsfvo
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-15 19:08 . 2011-04-15 19:08 -------- d-----w- c:\documents and settings\David\Application Data\AdobeUM
2011-04-15 19:07 . 2011-04-15 20:48 -------- d-----w- c:\documents and settings\David\Application Data\SolidDocuments
2011-04-15 01:41 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-15 01:41 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-15 01:41 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-15 01:41 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-15 01:41 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-15 01:41 . 2011-02-23 14:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-15 01:41 . 2011-02-23 14:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-15 01:41 . 2011-02-23 14:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-15 01:41 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
2011-04-15 01:41 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-15 01:41 . 2011-04-15 01:41 -------- d-----w- c:\program files\AVAST Software
2011-04-15 01:41 . 2011-04-15 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-14 23:56 . 2010-12-21 04:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 23:56 . 2011-04-14 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 23:56 . 2010-12-21 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 23:29 . 2011-04-14 23:29 -------- d-----w- C:\_OTL
2011-04-13 00:37 . 2011-04-13 00:37 -------- d-----w- c:\documents and settings\David\Application Data\FileMaker Pro
2011-04-13 00:35 . 2011-04-13 00:35 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\FileMaker
2011-04-12 01:36 . 2009-06-25 23:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2011-04-08 22:38 . 2011-04-08 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-08 22:38 . 2011-04-08 22:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-08 22:10 . 2011-04-08 22:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-08 21:21 . 2011-04-08 21:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-08 21:09 . 2011-04-08 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-08 19:24 . 2011-04-08 19:24 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-08 17:14 . 2011-04-08 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-04-08 01:53 . 2011-04-08 01:53 -------- d-----w- c:\program files\VS Revo Group
2011-04-08 01:20 . 2011-04-08 01:25 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-04-08 00:50 . 2011-04-08 20:43 -------- d-----w- c:\program files\Windows Defender
2011-04-08 00:13 . 2011-04-08 00:45 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-07 18:31 . 2011-04-07 18:45 -------- d-----w- C:\backups
2011-04-07 18:25 . 2011-04-07 18:25 388096 ----a-r- c:\documents and settings\Yumi\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-07 18:25 . 2011-04-07 18:25 -------- d-----w- c:\program files\Trend Micro
2011-04-07 03:45 . 2011-04-07 06:31 664 ----a-w- c:\documents and settings\Yumi\Local Settings\Application Data\d3d9caps.tmp
2011-04-07 02:59 . 2011-04-07 02:59 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2011-03-25 02:24 . 2011-03-25 02:24 -------- d-----w- c:\program files\Microsoft Silverlight
2011-03-24 01:43 . 2011-04-07 21:05 -------- d-----w- c:\documents and settings\David\Application Data\skypePM
2011-03-24 01:42 . 2011-04-08 00:46 -------- d-----w- c:\documents and settings\David\Application Data\Skype
2011-03-24 01:41 . 2011-03-24 01:41 -------- d-----w- c:\program files\Common Files\Skype
2011-03-22 22:42 . 2011-03-22 22:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-22 22:42 . 2011-03-22 22:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-22 22:42 . 2011-03-22 22:42 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-22 22:42 . 2011-03-22 22:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-22 22:42 . 2011-03-22 22:42 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-22 22:42 . 2011-03-22 22:42 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2007-03-28 15:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2007-03-28 15:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-10 49152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Digital Notes.lnk]
backup=c:\windows\pss\Post-it® Digital Notes.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Yumi^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 09:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-16 19:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-05-16 03:12 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 02:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-02 01:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 09:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-03-08 21:02 17037704 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 22:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 21:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\moodle_home\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 10\\FileMaker Pro.exe"=
"c:\\moodle_home\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/14/2011 3:41 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/14/2011 3:41 PM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/14/2011 3:41 PM 19544]
R2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [5/12/2005 12:43 PM 241731]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-05-16 03:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 13:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,6b,4a,4b,72,d1,58,4b,a2,fc,00,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,6b,4a,4b,72,d1,58,4b,a2,fc,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-15 13:14:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-15 23:14
ComboFix2.txt 2011-04-15 01:38
.
Pre-Run: 9,047,629,824 bytes free
Post-Run: 8,960,622,592 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 72858090C1325C4A9978CC4BB074E689

[RKinner]

One more time should do it.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"itlsvc"=-



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

Ron

[dpattt]

hope this is it

ComboFix 11-04-14.03 - Yumi 04/19/2011 13:14:04.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1407.976 [GMT -10:00]
Running from: c:\documents and settings\Yumi\Desktop\georgefix.exe
Command switches used :: c:\documents and settings\Yumi\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
2011-04-15 19:08 . 2011-04-15 19:08 -------- d-----w- c:\documents and settings\David\Application Data\AdobeUM
2011-04-15 19:07 . 2011-04-19 22:56 -------- d-----w- c:\documents and settings\David\Application Data\SolidDocuments
2011-04-15 01:41 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-15 01:41 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-15 01:41 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-15 01:41 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-15 01:41 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-15 01:41 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-04-15 01:41 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-04-15 01:41 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-04-15 01:41 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-15 01:41 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-15 01:41 . 2011-04-15 01:41 -------- d-----w- c:\program files\AVAST Software
2011-04-15 01:41 . 2011-04-15 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-14 23:56 . 2010-12-21 04:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-14 23:56 . 2011-04-14 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-14 23:56 . 2010-12-21 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 23:29 . 2011-04-14 23:29 -------- d-----w- C:\_OTL
2011-04-13 00:37 . 2011-04-13 00:37 -------- d-----w- c:\documents and settings\David\Application Data\FileMaker Pro
2011-04-13 00:35 . 2011-04-13 00:35 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\FileMaker
2011-04-12 01:36 . 2009-06-25 23:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2011-04-08 22:38 . 2011-04-08 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-08 22:38 . 2011-04-08 22:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-08 22:10 . 2011-04-08 22:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-08 21:21 . 2011-04-08 21:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-04-08 21:09 . 2011-04-08 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-08 19:24 . 2011-04-08 19:24 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-04-08 17:14 . 2011-04-08 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-04-08 01:53 . 2011-04-08 01:53 -------- d-----w- c:\program files\VS Revo Group
2011-04-08 01:20 . 2011-04-08 01:25 -------- d-----w- c:\program files\Wise Registry Cleaner
2011-04-08 00:50 . 2011-04-08 20:43 -------- d-----w- c:\program files\Windows Defender
2011-04-08 00:13 . 2011-04-08 00:45 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-07 18:31 . 2011-04-07 18:45 -------- d-----w- C:\backups
2011-04-07 18:25 . 2011-04-07 18:25 388096 ----a-r- c:\documents and settings\Yumi\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-07 18:25 . 2011-04-07 18:25 -------- d-----w- c:\program files\Trend Micro
2011-04-07 03:45 . 2011-04-07 06:31 664 ----a-w- c:\documents and settings\Yumi\Local Settings\Application Data\d3d9caps.tmp
2011-04-07 02:59 . 2011-04-07 02:59 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2011-03-25 02:24 . 2011-03-25 02:24 -------- d-----w- c:\program files\Microsoft Silverlight
2011-03-24 01:43 . 2011-04-07 21:05 -------- d-----w- c:\documents and settings\David\Application Data\skypePM
2011-03-24 01:42 . 2011-04-08 00:46 -------- d-----w- c:\documents and settings\David\Application Data\Skype
2011-03-24 01:41 . 2011-03-24 01:41 -------- d-----w- c:\program files\Common Files\Skype
2011-03-22 22:42 . 2011-03-22 22:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-22 22:42 . 2011-03-22 22:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-22 22:42 . 2011-03-22 22:42 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-22 22:42 . 2011-03-22 22:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-22 22:42 . 2011-03-22 22:42 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-22 22:42 . 2011-03-22 22:42 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 10:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2007-03-28 15:42 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2007-03-28 15:42 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 10:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-03-22 22:42 . 2011-03-22 22:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-10 49152]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Digital Notes.lnk]
backup=c:\windows\pss\Post-it® Digital Notes.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Yumi^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 09:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-05-16 19:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-05-16 03:12 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 02:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-02 01:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 09:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-03-08 21:02 17037704 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 22:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 21:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\moodle_home\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 10\\FileMaker Pro.exe"=
"c:\\moodle_home\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/14/2011 3:41 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/14/2011 3:41 PM 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/14/2011 3:41 PM 19544]
R2 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [5/12/2005 12:43 PM 241731]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-05-16 03:08 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Yumi\Application Data\Mozilla\Firefox\Profiles\nsu3pkc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 13:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,6b,4a,4b,72,d1,58,4b,a2,fc,00,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,6b,4a,4b,72,d1,58,4b,a2,fc,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2011-04-19 13:34:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-19 23:34
ComboFix2.txt 2011-04-15 23:14
ComboFix3.txt 2011-04-15 01:38
.
Pre-Run: 8,419,991,552 bytes free
Post-Run: 8,394,444,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7D3E78F68FE46019F10A25ED29B0923C

[RKinner]

Logs look clean. No sign of it left. Any other problems? If not:

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java (Java™ 6 Update 24 or maybe even 25 by now). Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 22 which is new enough that it should be removed automatically. If you use Firefox go into tools, Add-ons and make sure that only CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA is enabled but 0021 and 22 and any other versions of Java should be disabled or uninstalled. Java seems to have a real problem removing the old consoles from Firefox. Having multiple Java consoles will make Firefox very sluggish and slow to start.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!


Ron