
can't load superantispyware/malwarebytes



#1
realapp

I've noticed some browser redirection issues and overall slowing of the computer. I tried to install SUPERAntiSpyware and Malwarebytes on this computer (I have a different topic for the kids' computer), but it basically freezes up this computer and says I don't have access to run the programs (Malwarebytes/SUPERAntiSpyware) when I try to run them. I deleted them and can now at least get on here.

Also (not sure if this should be posted elsewhere), this computer seems not to shut all the way down. For example, I shut it down and actually unplugged the power cord from it. As soon as I plugged the power cord back into it, the computer automatically powered itself on. I didn't push the power button. Not sure if this is related to the other issues or not.

Since I first posted this, I now can't access the internet. It seems to be a network card problem? I have a router, and the other computer can access the internet fine. It won't even access it when I plug directly into the modem; it doesn't seem to recognize anything. Not sure if this has to do with the above.

OTL logfile created on: 9/22/2011 9:06:02 AM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Wayne\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.42 Mb Total Physical Memory | 493.70 Mb Available Physical Memory | 55.20% Memory free
2.11 Gb Paging File | 1.61 Gb Available in Paging File | 75.99% Paging File free
Paging file location(s): C:\pagefile.sys 1341 2000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.04 Gb Total Space | 108.33 Gb Free Space | 77.92% Space Free | Partition Type: NTFS

Computer Name: EMACHINE-98E05C | User Name: Wayne | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3042200689:2394139466.exe
PRC - [2011/09/21 15:47:49 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wayne\Desktop\OTL.exe
PRC - [2011/06/22 07:13:46 | 000,984,936 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/06/22 05:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/10/01 03:22:42 | 000,131,072 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe
PRC - [2009/08/17 11:07:23 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/08/17 11:07:17 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/08/17 11:07:01 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/08/17 11:04:21 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/08/17 10:58:55 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/09 15:05:12 | 000,165,160 | ---- | M] (The Hartford) -- C:\Program Files\Hartford Fire Insurance\XactPAY Upload Utility\XactPAY.exe
PRC - [2008/06/11 11:18:30 | 000,024,576 | ---- | M] () -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/10 22:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2007/08/29 11:55:54 | 001,347,584 | R--- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2000/07/10 00:58:12 | 000,323,584 | ---- | M] () -- C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe


========== Modules (No Company Name) ==========

MOD - [2009/08/13 11:27:56 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll
MOD - [2009/08/13 11:26:20 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll
MOD - [2009/08/11 11:12:17 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll
MOD - [2009/08/11 11:12:08 | 000,627,712 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.ni.dll
MOD - [2009/08/11 11:12:08 | 000,280,064 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll
MOD - [2009/08/11 11:12:07 | 000,627,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\5a555c9ae6984c40157cf940bb519f7c\System.Transactions.ni.dll
MOD - [2009/08/11 11:11:42 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\b82c00e2d24305ad6cb08556e3779b75\System.Configuration.ni.dll
MOD - [2009/08/08 20:15:46 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\773a9786013451d3baaeff003dc4230f\System.Xml.ni.dll
MOD - [2009/08/08 20:15:34 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\63406259e94d5c0ff5b79401dfe113ce\System.Windows.Forms.ni.dll
MOD - [2009/08/08 20:15:01 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\3da96ee075bab9202626ae44c18d226c\System.Drawing.ni.dll
MOD - [2009/08/08 20:14:34 | 006,616,576 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\c70731047b0022638b3f9fb158948a03\System.Data.ni.dll
MOD - [2009/08/08 20:12:09 | 007,868,416 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\80978a322d7dd39f0a71be1251ae395a\System.ni.dll
MOD - [2009/08/08 20:11:58 | 011,486,720 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\6d667f19d687361886990f3ca0f49816\mscorlib.ni.dll
MOD - [2009/08/08 04:18:25 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2009/08/08 04:18:21 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2009/08/08 04:18:20 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2009/08/08 04:18:20 | 000,113,664 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2009/07/24 09:02:12 | 000,270,336 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll
MOD - [2009/07/24 09:02:12 | 000,061,440 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.Library\3.0.3009.0__3036420f80dd6947\Framework.Library.dll
MOD - [2009/07/24 09:02:12 | 000,036,864 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.Utility\3.0.3009.0__4df5dcab8860d239\Framework.Utility.dll
MOD - [2009/07/24 09:02:12 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.Utility.CommonFunctions\3.0.3009.0__770d2a375f176870\Framework.Utility.CommonFunctions.dll
MOD - [2009/07/24 09:02:12 | 000,032,768 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.Model.Controller\3.0.3009.0__14bcaafdb44b5951\Framework.Model.Controller.dll
MOD - [2009/07/24 09:02:12 | 000,015,360 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.Host\3.0.3009.0__672b450de5a7e94a\Framework.Host.dll
MOD - [2009/07/24 09:02:12 | 000,009,216 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.Model.ControllerInterface\3.0.3009.0__d842b71b4d6ed079\Framework.Model.ControllerInterface.dll
MOD - [2009/07/24 09:02:12 | 000,006,144 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Framework.PluginInterface\3.0.3009.0__9ecdf03bb2054f94\Framework.PluginInterface.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/11 11:18:30 | 000,024,576 | ---- | M] () -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
MOD - [2008/04/14 07:00:00 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
MOD - [2008/04/14 07:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2000/07/10 01:06:24 | 000,086,016 | ---- | M] () -- C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTrayRes.dll
MOD - [2000/07/10 00:58:12 | 000,323,584 | ---- | M] () -- C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe
MOD - [2000/07/10 00:57:32 | 000,040,960 | ---- | M] () -- C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RfDownload.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/06/22 05:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/10/01 03:22:42 | 000,131,072 | ---- | M] (Intuit, Inc.) [On_Demand | Running] -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -- (QuickBooksDB19)
SRV - [2009/08/17 11:07:17 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/08/17 11:07:01 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/08/17 11:04:21 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/08/17 10:58:55 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/07/24 09:04:19 | 000,110,576 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Partner\partner.exe -- (Partner Service)
SRV - [2008/06/11 11:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008/05/05 17:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/12/10 22:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/05/24 07:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV - [2009/08/17 11:06:43 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/08/17 11:05:52 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/08/17 11:05:37 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/08/17 11:04:40 | 000,051,376 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/08/17 11:04:29 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/08/17 11:03:21 | 000,026,944 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/06/11 11:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\int15.sys -- (int15)
DRV - [2008/05/20 04:53:00 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 07:00:00 | 000,052,480 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/03/05 00:10:54 | 001,203,808 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/01/28 23:37:48 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/01/28 23:37:46 | 000,054,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [1997/06/17 05:00:00 | 000,004,064 | ---- | M] (Adobe Systems Incorporated) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ATMHELPR.SYS -- (ATMhelpr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0709&m=el1300g
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)


[2010/02/03 00:32:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wayne\Application Data\Mozilla\Extensions
[2010/02/03 00:32:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Wayne\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

========== Chrome ==========


Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe (Microsoft Corporation)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE File not found
O4 - HKLM..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe (Fellowes, Inc.)
O4 - HKLM..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [xactpay] C:\Program Files\Hartford Fire Insurance\XactPAY Upload Utility\XactPAY.exe (The Hartford)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe File not found
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTray.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{89F01536-F7F5-4197-B115-1D2D10E04958}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:1 () - http://www.zimbra.com/
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/13 10:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a3cb6feb-46cc-11e0-acd7-001d72ba4835}\Shell - "" = AutoRun
O33 - MountPoints2\{a3cb6feb-46cc-11e0-acd7-001d72ba4835}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a3cb6feb-46cc-11e0-acd7-001d72ba4835}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/21 15:47:46 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Wayne\Desktop\OTL.exe
[2011/09/21 14:53:59 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/21 14:51:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wayne\Application Data\SUPERAntiSpyware.com
[2011/09/21 14:50:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/09/21 14:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/09/21 14:48:48 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/09/21 14:47:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Wayne\Application Data\Malwarebytes
[2011/09/21 14:47:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/21 14:46:18 | 012,585,160 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Wayne\Desktop\SUPERAntiSpyware.exe
[2011/09/21 14:45:05 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Wayne\Desktop\mbam-setup-1.51.2.1300.exe
[2011/09/21 14:39:41 | 003,194,296 | ---- | C] (Javacool Software LLC ) -- C:\Documents and Settings\Wayne\Desktop\spywareblastersetup44.exe
[2011/09/18 09:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/09/18 09:06:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/16 15:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/16 15:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/22 09:01:05 | 000,001,006 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\magicJack.lnk
[2011/09/22 09:00:26 | 000,433,698 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/22 09:00:25 | 000,067,984 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/22 08:58:52 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/22 08:39:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\LogConfigTemp.xml
[2011/09/22 08:38:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3042200689
[2011/09/22 08:38:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/22 08:24:21 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/21 20:30:34 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/21 15:47:49 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Wayne\Desktop\OTL.exe
[2011/09/21 15:16:22 | 012,585,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Wayne\Desktop\SUPERAntiSpyware.exe
[2011/09/21 14:53:59 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/21 14:48:51 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\SpywareBlaster.lnk
[2011/09/21 14:45:06 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Wayne\Desktop\mbam-setup-1.51.2.1300.exe
[2011/09/21 14:39:50 | 003,194,296 | ---- | M] (Javacool Software LLC ) -- C:\Documents and Settings\Wayne\Desktop\spywareblastersetup44.exe
[2011/09/21 09:49:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/17 14:32:37 | 000,045,612 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\mdhouse1.jpg
[2011/09/17 14:32:37 | 000,038,427 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\house3.jpg
[2011/09/17 14:32:37 | 000,038,010 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\house2.jpg
[2011/09/17 14:32:37 | 000,034,120 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\house6.jpg
[2011/09/17 14:32:37 | 000,033,474 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\house4.jpg
[2011/09/17 14:32:37 | 000,032,746 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\house5.jpg
[2011/09/16 03:04:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/31 12:12:00 | 000,107,745 | ---- | M] () -- C:\Documents and Settings\Wayne\Desktop\abbyphone.pdf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/21 14:48:51 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\Wayne\Desktop\SpywareBlaster.lnk
[2011/09/16 16:25:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/16 15:06:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3042200689
[2011/08/31 12:12:00 | 000,107,745 | ---- | C] () -- C:\Documents and Settings\Wayne\Desktop\abbyphone.pdf
[2010/06/01 23:51:21 | 000,020,886 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2010/05/07 20:01:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2010/03/20 21:45:18 | 000,000,016 | ---- | C] () -- C:\WINDOWS\RealityFusion.ini
[2010/03/20 21:42:55 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2010/02/23 20:53:52 | 000,000,042 | ---- | C] () -- C:\WINDOWS\AlchemyMindworksUpdateList.INI
[2010/02/23 20:45:47 | 000,212,992 | ---- | C] () -- C:\WINDOWS\ALCHUNIN.EXE
[2010/02/03 00:32:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/12/03 02:38:15 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/09/26 23:53:52 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/08/13 11:54:06 | 000,054,272 | ---- | C] () -- C:\Documents and Settings\Wayne\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/26 23:30:05 | 000,002,348 | ---- | C] () -- C:\Documents and Settings\Wayne\Application Data\wklnhst.dat
[2009/07/26 23:01:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2009/07/26 22:59:15 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MTSTACK.EXE
[2009/07/26 02:00:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/07/26 01:10:55 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/07/26 01:10:55 | 000,000,114 | ---- | C] () -- C:\WINDOWS\kpcms.ini
[2009/07/26 01:02:43 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2009/07/25 05:42:52 | 000,000,359 | ---- | C] () -- C:\Program Files\German Machine Works,Inc Apr 3 2009.ND
[2009/07/25 02:42:21 | 000,130,348 | ---- | C] () -- C:\WINDOWS\hpoins12.dat
[2009/07/25 02:42:21 | 000,001,470 | ---- | C] () -- C:\WINDOWS\hpomdl12.dat
[2009/07/24 09:02:18 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\INT15.dll
[2009/03/13 12:29:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/13 10:38:53 | 000,000,169 | ---- | C] () -- C:\WINDOWS\FR-CA.INI
[2009/03/13 10:38:53 | 000,000,169 | ---- | C] () -- C:\WINDOWS\EN-CA.INI
[2009/03/13 10:38:53 | 000,000,168 | ---- | C] () -- C:\WINDOWS\ZH.INI
[2009/03/13 10:38:21 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/03/13 10:33:52 | 000,003,948 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009/03/13 10:29:36 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMove.exe
[2009/03/13 10:29:36 | 000,007,492 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/03/13 10:28:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/03/13 10:26:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/03/13 10:25:23 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/03/13 10:16:25 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/03/13 10:16:24 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/13 10:16:24 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/13 10:16:24 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/03/13 10:16:23 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/13 10:16:23 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2009/03/13 10:16:23 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2009/03/13 10:16:22 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/03/13 10:16:22 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2009/03/13 10:15:59 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/03/13 10:15:58 | 000,433,698 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/13 10:15:58 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/03/13 10:15:58 | 000,067,984 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/13 10:15:58 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/03/13 10:15:58 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/03/13 10:15:57 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/03/13 10:15:57 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/03/13 10:15:56 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/03/13 10:15:56 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/03/13 10:15:55 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/03/13 10:15:54 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/03/13 02:22:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/13 02:22:07 | 000,526,512 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/13 19:48:02 | 000,052,480 | ---- | C] () -- C:\WINDOWS\System32\drivers\i8042prt.sys
[2002/11/26 21:12:58 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\zip.exe
[2002/11/26 21:12:16 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\lttls13n.dll
[2002/11/26 21:12:00 | 000,708,608 | ---- | C] () -- C:\WINDOWS\System32\ltcry13n.dll
[1999/08/10 12:02:20 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[1999/08/10 12:02:16 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll

========== LOP Check ==========

[2009/07/25 05:30:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2010/05/27 19:56:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fellowes
[2010/08/25 21:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
[2009/07/24 09:04:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Partner
[2010/04/09 00:29:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2011/09/21 15:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2009/03/13 11:07:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/05/30 03:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\Alchemy Mindworks
[2010/06/01 23:58:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\deskPDF
[2009/07/26 01:02:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\FTW
[2010/01/16 22:04:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\gtk-2.0
[2010/01/24 15:45:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\Kensington
[2011/09/22 09:01:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\mjusbsp
[2010/07/22 13:16:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\ntr
[2009/11/11 23:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\OpenOffice.org
[2009/07/26 23:30:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\Template
[2010/02/03 00:32:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\Thunderbird
[2010/02/04 16:26:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\Uniblue
[2010/01/16 21:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne\Application Data\WeatherBug

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:5C321E34
@Alternate Data Stream - 784 bytes -> C:\WINDOWS\3042200689:2394139466.exe

< End of report >

Edited by realapp, 23 September 2011 - 01:15 PM.

  • 0


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello realapp and welcome to G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

NOTE: You have a very nasty infection! I would strongly advise you to back up all your important data from your system before you begin with the fix.

After this please continue with steps below.

Step 2

Please close all running programs and run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :processes
    killallprocesses

    :OTL
    @Alternate Data Stream - 784 bytes -> C:\WINDOWS\3042200689:2394139466.exe
    [2011/09/16 15:06:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3042200689

    :Files
    C:\WINDOWS\3042200689

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 3

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Combofix log
It would be helpful if you could post each log in a separate post
  • 0

#3
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
Thank you for your input. It is greatly appreciated! I am accessing this from a different computer than the infected one as I'm not able to get online with that one.
Since I was not able to get online, I copied the OTL info to a flash drive and pasted it that way. I clicked on the Run Fix button and it started to run and then just went to a blank desktop for a long time. Nothing was happening, so I restarted the computer and now looked in the OTL moved files folder and it says it is EMPTY. Also, the OTL icon on my desktop doesn't look the same and when I click on it it says I can't access it. Same thing it did originally when I was trying to access SuperAntiSpyware. Any suggestions?

Edited by realapp, 27 September 2011 - 09:36 AM.

  • 0

#4
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OTL didn't work then. The infection interfered with the fix and killed OTL.

If you are using a clean PC and USB memory to download and transfer tools to the infected PC, then first we need to disinfect your USB memory so you can transfer files and not get infected.

Do this on the clean computer:

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Can you try to run Combofix, but before you copy it to the infected PC, rename it to svchost.exe?
  • 0

#5
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
OK, I ran the flash drive disinfector tool and rebooted. Should I now retry the process as well as also try to download Combofix (changing the name as you suggested) on my flash drive to install it on the infected computer?

Edited by realapp, 27 September 2011 - 12:16 PM.

  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Skip OTL fix for now. Download Combofix on clean system, change the name and run it on infected system as instructed before.
  • 0

#7
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
I was able to get Combofix over to the infected computer and it is running, but have a Microsoft Windows Recovery Console screen that says it doesn't have this installed and Combofix won't finish fixing infections without it. It requires an internet connection to update.
I clicked yes to update (even though I didn't have an internet connection). It then said it could not connect but is continuing checking for infected files. It said it found a rootkit and is attempting to delete it. It rebooted, but now my keyboard won't work, so I can't log in to Windows.

Edited by realapp, 27 September 2011 - 01:32 PM.

  • 0

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi realapp,

That's what I was afraid of... It's all part of the infection. Can you try to start your system in Safe mode:

To restart in safe mode:
  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

  • 0

#9
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
I was in safemode but keyboard still not working.

Was able to log in as Administrator. Combofix now running. I'm assuming you want me to now paste the log once it's done?

Combofix restarted. Still can't use the keyboard and have to log in in safe mode as Administrator. Log below:


ComboFix 11-09-27.01 - Administrator 09/28/2011 9:18.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.732 [GMT -5:00]
Running from: J:\svchost.exe.exe
AV: avast! antivirus 4.8.1351 [VPS 091016-0] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB55814$\1900827829\@
c:\windows\$NtUninstallKB55814$\1900827829\bckfg.tmp
c:\windows\$NtUninstallKB55814$\1900827829\cfg.ini
c:\windows\$NtUninstallKB55814$\1900827829\Desktop.ini
c:\windows\$NtUninstallKB55814$\1900827829\keywords
c:\windows\$NtUninstallKB55814$\1900827829\kwrd.dll
c:\windows\$NtUninstallKB55814$\1900827829\L\aatagjfo
c:\windows\$NtUninstallKB55814$\1900827829\lsflt7.ver
c:\windows\$NtUninstallKB55814$\1900827829\U\[email protected]
c:\windows\$NtUninstallKB55814$\1900827829\U\[email protected]
c:\windows\$NtUninstallKB55814$\1900827829\U\[email protected]
c:\windows\$NtUninstallKB55814$\1900827829\U\[email protected]
c:\windows\$NtUninstallKB55814$\2063264711
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
c:\windows\$NtUninstallKB55814$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_714c54b5
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-28 14:16 . 2011-09-28 14:16 -------- d-----w- c:\documents and settings\Administrator
2011-09-27 15:16 . 2011-09-27 15:16 -------- d-----w- C:\_OTL
2011-09-21 19:53 . 2011-09-21 19:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-21 19:50 . 2011-09-21 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-21 19:48 . 2011-09-21 19:49 -------- d-----w- c:\program files\SpywareBlaster
2011-09-21 19:47 . 2011-09-21 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-18 14:06 . 2011-09-18 14:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-16 20:19 . 2011-09-16 20:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2009-03-13 15:15 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2009-03-13 15:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2009-03-13 15:15 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"nwiz"="nwiz.exe" [2008-02-25 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-06 30192]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-09-25 210216]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DXM6Patch_981116"="c:\windows\p_981116.exe" [1998-11-30 497376]
"xactpay"="c:\program files\Hartford Fire Insurance\XactPAY Upload Utility\xactpay.exe" [2009-02-09 165160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-12-17 53248]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2002-06-20 725046]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-6-22 984936]
Reality Fusion GameCam SE.lnk - c:\program files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe [2000-7-10 323584]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
.
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/25/2009 3:28 AM 114768]
S1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [7/26/2009 1:14 AM 4064]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/25/2009 3:28 AM 20560]
S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [7/24/2009 9:02 AM 24576]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/13/2009 10:45 AM 30192]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [7/24/2009 9:04 AM 110576]
S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-LVCOMS - c:\windows\system32\LVCOMS.EXE
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-28 09:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\restore\rstrui.exe
.
**************************************************************************
.
Completion time: 2011-09-28 09:43:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-28 14:43
.
Pre-Run: 116,409,978,880 bytes free
Post-Run: 117,502,668,800 bytes free
.
- - End Of File - - 6FE3260062496E50C2EABD148842F9FE

Edited by realapp, 28 September 2011 - 09:02 AM.

  • 0
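The OTL fix in post #2 and the "Other Deletions" section of the ComboFix log above both target the same kind of hiding places: an executable stored in an alternate data stream under a digits-only name in C:\WINDOWS, and files inside a numeric subfolder of a $NtUninstall...$ directory. As an added example that is not part of this thread or of either tool, here is a small Python triage script that parses those log line formats and flags such entries; the three rules and the sample log lines are constructed for illustration, not a signature set.

```python
"""Triage of OTL / ComboFix log lines for the hiding places seen in this thread.

Added example, not OTL's or ComboFix's own code. It parses the line shapes the
logs in this thread use and flags only the three patterns the helper acted on:
an executable stored in an NTFS alternate data stream, a digits-only name
directly under the Windows directory, and files inside a numeric subfolder of a
$NtUninstall...$ directory. The rules are illustrative, not a signature set.
"""
import re
from typing import List, Optional, Tuple

# OTL file entry:  [date time | size | attrs | C/M] (company) -- path
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Za-z]{4}) \| (?P<op>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# OTL alternate data stream entry:  @Alternate Data Stream - N bytes -> host:stream
OTL_ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
# ComboFix "Other Deletions" entries are bare paths
BARE_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")

NUMERIC_NAME_RE = re.compile(r"^\d{6,}$")
FAKE_UNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\\d+(\\|$)", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")


def extract_path(line: str) -> Optional[str]:
    """Return the path carried by a log line, or None for headers and noise."""
    for rx in (OTL_FILE_RE, OTL_ADS_RE, BARE_PATH_RE):
        m = rx.match(line.strip())
        if m:
            return m.group("path")
    return None


def split_stream(path: str) -> Tuple[str, Optional[str]]:
    """Split 'host:stream' into (host, stream); the drive-letter colon is not a stream."""
    idx = path.rfind(":")
    return (path[:idx], path[idx + 1:]) if idx > 1 else (path, None)


def triage_path(path: str) -> List[str]:
    """Reasons a path deserves a closer look; an empty list means no rule matched."""
    host, stream = split_stream(path)
    reasons = []
    if stream and stream.lower().endswith(EXEC_EXT):
        reasons.append("executable stored in an alternate data stream")
    parent, _, name = host.rstrip("\\").rpartition("\\")
    if NUMERIC_NAME_RE.match(name) and parent.lower().endswith(":\\windows"):
        reasons.append("digits-only name directly under the Windows directory")
    if FAKE_UNINSTALL_RE.search(host):
        reasons.append("file inside a numeric subfolder of a $NtUninstall...$ directory")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every log line that triggers at least one rule."""
    hits = []
    for line in text.splitlines():
        path = extract_path(line)
        if path:
            reasons = triage_path(path)
            if reasons:
                hits.append((path, reasons))
    return hits


# Constructed sample in the shapes of the OTL and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[2010/03/20 21:42:55 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2011/09/16 15:06:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3042200689
[2009/03/13 10:28:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:5C321E34
@Alternate Data Stream - 784 bytes -> C:\WINDOWS\3042200689:2394139466.exe
c:\windows\$NtUninstallKB55814$\1900827829\kwrd.dll
c:\windows\$NtUninstallKB55814$\2063264711
c:\windows\system32\comct332.ocx
"""

if __name__ == "__main__":
    for flagged_path, why in triage_log(SAMPLE_LOG):
        print(flagged_path)
        for reason in why:
            print("   -", reason)
```

The 95-byte stream on the Temp folder is deliberately left unflagged, matching the fix above, which removed only the executable stream and its host.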

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Good job. Please post Combofix log after the scan for me.
  • 0


#11
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
I added the log to the above (I was in edit mode before you posted, sorry)
  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi realapp,

Looks like Combofix crippled the infection. You can run all these programs from the Administrator account in safe mode.

Step 1

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 2

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the "Scan All User" checkbox
  • Change "Extra Registry" option to "SafeList"
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.txt and Extra.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, and post them with your next reply.

Step 3

Please don't forget to include these items in your reply:

  • OTL log
  • Extras.txt
  • TDSSKiller log
It would be helpful if you could post each log in a separate post
  • 0

#13
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
Just want to make sure that when you say "download and save to desktop" you mean save to my flash drive as I'm still not able to get online?
  • 0

#14
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
That is right. In your case that means download to the flash drive on your clean PC, then transfer and run the tool on the infected machine.

You are doing the right thing to stop and ask :) . If you have any questions, always stop and ask before continuing with the steps.
  • 0

#15
realapp

realapp

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 338 posts
OK, thanks, but I can't seem to download the file. It just goes to a blank page.
  • 0
