Sirefef Rtk AGAIN!

#1
3mateo

Greetings and thanks in advance!
I had a similar virus about 6 or 8 weeks ago, though with slightly different manifestations.
G2G helped me remove it, but I'm back again. Thought I did everything I should have regarding prevention.

Yesterday, a number of error messages popped up while I was both surfing the internet and cautious P2P-ing.
(I scanned all P2P files with multiple scanners, all clean by their accounts.)
There were also persistent google redirects and overall odd behavior for my comp, including some files and programs missing.

So I immediately did an Avast scan, found:
MBR:SST [Rtk]
PUP: Win32:BitCoin Miner-U [PUP] and
Win32:Sirefef-PL [Rtk]

Mostly in "Recycler" files. I deleted ALL.
Followed up w/ Avast boot time scan, found more; again I deleted ALL.
SuperAntiSpyware scan found many Tracking Cookies; I deleted ALL.

Tried to restore to previous point; provided some missing files & programs.

Unable to run Malwarebytes until this morn, when I re-downloaded it and it found 2 registry threats and 2 SVI/restore threats.

Since this morning, Avast has been popping up "Threat Detected"s every 5 mins; either C: WINDOWS/Explorer.exe, or finding malware in a Partition, and requesting a reboot.

I downloaded OTL, see 2 log below.
Thanks for any help.
-Mateo

######### 1st OTL Log #############

OTL logfile created on: 9/7/2012 4:11:56 PM - Run 1
OTL by OldTimer - Version 3.2.61.1 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.67% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 108.79 Gb Free Space | 73.03% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.09 Gb Free Space | 68.38% Space Free | Partition Type: FAT32

Computer Name: BOSS | User Name: Jim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/07 15:27:19 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
PRC - [2012/08/21 02:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/08/08 16:05:09 | 000,161,776 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/07/04 12:40:20 | 001,395,736 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2012/07/04 12:40:18 | 001,188,896 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2011/08/11 16:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/07 11:02:08 | 001,808,384 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12090701\algo.dll
MOD - [2012/07/04 12:39:50 | 000,051,200 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2012/07/04 12:39:48 | 000,410,112 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2012/05/30 20:06:48 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/05/30 20:06:30 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/04/20 12:39:12 | 000,565,827 | ---- | M] () -- C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDUpdateService)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SDScannerService)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/08/08 16:05:09 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/08/11 16:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore.exe -- (!SASCORE)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWWAN.sys -- (PTDUWWAN)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWFLT.sys -- (PTDUWFLT)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUVsp.sys -- (PTDUVsp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUMdm.sys -- (PTDUMdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUBus.sys -- (PTDUBus)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvc.sys -- (LVUVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/07/22 09:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007/07/22 14:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/04/21 22:09:00 | 000,120,448 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{02C2FC17-3FA4-475F-9F6F-099E21DA079D}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{1E02B687-EA27-4815-A25C-25B51B037734}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\..\SearchScopes\{1F397D90-488D-4800-BAEE-F0BCD701E15C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7DKUS_en
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3201318
IE - HKCU\..\SearchScopes\{C62CFA05-44B5-4B60-917B-9289833B2AD5}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKCU\..\SearchScopes\{F1359F9E-D2BE-4403-A7C6-D7B2998237C7}: "URL" = http://search.yahoo....0834,6901,0,8,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found


[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions
[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions\[email protected]

Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.fcd.maric...mgaxctrl6.5.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1346283026031 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1346283014625 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius....tiveXPlugin.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx (CUpdateCtl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{70FC676B-AE41-4E18-B39D-20CB5E48B32C}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/07 15:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/09/07 15:47:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/07 15:27:18 | 000,599,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2012/09/07 13:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/07 13:31:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/07 11:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Pics n Music 2012
[2012/09/07 00:00:24 | 000,021,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/09/07 00:00:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/09/07 00:00:23 | 000,355,632 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/09/07 00:00:22 | 000,729,752 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/09/07 00:00:22 | 000,054,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/09/07 00:00:22 | 000,035,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/09/07 00:00:21 | 000,097,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/09/07 00:00:21 | 000,089,624 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/09/07 00:00:19 | 000,025,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/09/07 00:00:03 | 000,227,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/09/07 00:00:03 | 000,041,224 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/09/06 21:53:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/09/06 21:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/09/06 20:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/09/06 20:51:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/09/06 20:37:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jim\Recent
[2012/09/06 19:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jim\Recent(2)
[2012/09/04 15:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\ImgBurn
[2012/08/30 20:46:06 | 000,000,000 | ---D | C] -- C:\Program Files\Shrink Pic
[2012/08/30 20:46:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Start Menu\Programs\Shrink Pic
[2012/08/30 20:45:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jim\My Documents\Downloads
[2012/08/28 11:04:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Free RAR Extract Frog
[2012/08/28 11:04:14 | 000,000,000 | ---D | C] -- C:\Program Files\Free RAR Extract Frog
[2012/08/23 21:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\Sibelius Software
[2012/08/23 18:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\PriceGong
[2012/08/23 18:14:24 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012/08/23 18:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit
[2012/08/19 23:51:32 | 000,000,000 | ---D | C] -- C:\Program Files\WiseConvert
[2012/08/09 19:02:23 | 000,000,000 | ---D | C] -- C:\Program Files\IDT
[2012/08/09 19:01:28 | 000,000,000 | ---D | C] -- C:\swsetup
[2012/08/09 18:18:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\OpenOffice.org
[2012/08/09 18:16:01 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3
[2012/08/08 16:51:10 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2012/08/08 16:51:06 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2012/08/08 16:18:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\Malwarebytes
[2012/08/08 16:18:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

========== Files - Modified Within 30 Days ==========

[2012/09/07 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2012/09/07 15:51:03 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/07 15:51:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/07 15:27:19 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2012/09/07 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2012/09/07 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2012/09/07 13:31:59 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/09/07 13:31:59 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/07 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2012/09/07 10:39:12 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/07 10:27:04 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/07 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2012/09/07 00:00:24 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/07 00:00:21 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/09/06 23:38:45 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\GL5U4r7.dat
[2012/09/06 23:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2012/09/06 22:45:22 | 000,088,576 | ---- | M] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/06 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2012/09/06 21:51:52 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_.b
[2012/09/06 21:51:52 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe.b
[2012/09/06 21:34:14 | 000,000,066 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\mbam.context.scan
[2012/09/06 20:40:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/05 12:44:40 | 221,672,648 | -H-- | M] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/30 20:46:06 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\Shrink Pic.lnk
[2012/08/28 15:47:45 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/08/27 09:33:34 | 000,367,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/08/21 02:13:14 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/08/21 02:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/08/21 02:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/08/08 18:38:57 | 000,000,184 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012/08/08 16:51:14 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/08/08 16:43:45 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk

========== Files Created - No Company Name ==========

[2012/09/07 13:31:59 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/09/07 13:31:59 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/07 00:00:24 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/07 00:00:21 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/06 21:52:07 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\GL5U4r7.dat
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2012/09/06 21:51:52 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_.b
[2012/09/06 21:51:52 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe.b
[2012/09/06 20:42:33 | 000,000,066 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\mbam.context.scan
[2012/09/05 12:46:00 | 221,672,648 | -H-- | C] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/30 20:46:06 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\Shrink Pic.lnk
[2012/08/08 16:51:14 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2012/08/08 16:51:14 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spybot-S&D Start Center.lnk
[2012/06/01 23:25:57 | 000,184,696 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/05/31 11:34:25 | 000,000,288 | -H-- | C] () -- C:\Documents and Settings\Jim\Application Data\.backup.dm
[2012/02/28 08:42:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 21:16:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/11/04 16:22:07 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Jim\Application Data\bibstats
[2010/10/14 14:50:36 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/08/20 13:10:43 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\kodakpcd.ini
[2008/07/21 13:18:42 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/31 10:15:58 | 000,260,544 | -H-- | C] () -- C:\Documents and Settings\Jim\BD=1

========== LOP Check ==========

[2012/09/06 23:59:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/04/09 13:28:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2012/02/10 17:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2012/02/24 12:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ChessBase
[2012/05/31 11:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ClubSanDisk
[2009/12/04 10:15:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/10/27 16:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2008/01/31 10:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2012/08/27 09:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/02/04 16:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WEngineLite
[2011/07/12 10:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/06/22 19:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\AnvSoft
[2012/09/06 20:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Azureus
[2012/02/10 17:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Canon
[2008/10/06 16:34:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/10/27 16:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\DriverCure
[2012/08/06 11:26:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\ElevatedDiagnostics
[2009/01/14 13:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Hoyle Casino
[2008/02/01 11:54:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Hoyle FaceCreator
[2012/09/04 15:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\ImgBurn
[2009/09/25 11:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Leadertech
[2011/03/22 15:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\MSNInstaller
[2012/08/09 18:18:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\OpenOffice.org
[2012/08/08 16:05:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Oracle
[2011/04/05 12:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Panasonic
[2012/08/28 11:04:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Philipp Winterberg
[2012/08/27 08:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\PriceGong
[2012/09/06 20:39:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\shrink_pic
[2008/07/21 15:23:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Skinux
[2010/01/29 11:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Smith Micro
[2012/08/27 09:22:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\stickies
[2008/09/17 14:05:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\TomTom
[2012/07/30 11:59:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Uniblue
[2012/06/22 18:48:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Video Converter
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2012/09/07 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2012/09/07 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2012/09/07 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2012/09/07 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2012/09/07 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2012/09/06 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2012/09/06 23:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2012/09/07 15:51:03 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job

========== Purity Check ==========



< End of report >










############ 2nd OTL LOG: EXTRAS!! ######################## ############################################


OTL Extras logfile created on: 9/7/2012 4:12:02 PM - Run 1
OTL by OldTimer - Version 3.2.61.1 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 73.67% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 108.79 Gb Free Space | 73.03% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.09 Gb Free Space | 68.38% Space Free | Partition Type: FAT32

Computer Name: BOSS | User Name: Jim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series" = Canon MP250 series MP Drivers
"{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java™ 7 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{6AD9F5F3-5BD0-4000-BD9C-B536CF86D988}" = iTunes
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8F1ADE4D-EFAC-4F5A-B346-23C2687FAF50}" = Apple Mobile Device Support
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb" = Microsoft Automated Troubleshooting Services Shim
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DB55D872-A96B-4434-8110-CA7B755AD914}" = Fritz 12
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"8461-7759-5462-8226" = Vuze
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"CCleaner" = CCleaner
"Free RAR Extract Frog" = Free RAR Extract Frog
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"Shrink Pic" = Shrink Pic (remove)
"VLC media player" = VLC media player 2.0.0
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2012 3:50:02 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1968

Error - 9/6/2012 2:54:37 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/6/2012 2:54:37 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1953

Error - 9/6/2012 2:54:37 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1953

Error - 9/6/2012 2:54:39 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/6/2012 2:54:39 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3953

Error - 9/6/2012 2:54:39 AM | Computer Name = BOSS | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3953

Error - 9/7/2012 2:03:05 AM | Computer Name = BOSS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: The data is invalid.

Error - 9/7/2012 2:37:45 AM | Computer Name = BOSS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 2.0.9.172, faulting module
rtl150.bpl, version 15.0.3953.35171, fault address 0x0000a116.

Error - 9/7/2012 2:39:16 AM | Computer Name = BOSS | Source = Application Error | ID = 1000
Description = Faulting application sdcleaner.exe, version 2.0.9.110, faulting module
rtl150.bpl, version 15.0.3953.35171, fault address 0x0000c106.

[ System Events ]
Error - 9/7/2012 6:47:06 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 9/7/2012 6:47:06 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/7/2012 6:47:06 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 9/7/2012 6:47:06 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7031
Description = The Spybot-S&D 2 Scanner Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 9/7/2012 6:47:06 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 9/7/2012 6:47:06 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7031
Description = The Spybot-S&D 2 Updating Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
60000 milliseconds: Restart the service.

Error - 9/7/2012 6:52:30 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7000
Description = The Kodak Camera Connection Software service failed to start due to
the following error: %%2

Error - 9/7/2012 6:52:30 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1060

Error - 9/7/2012 7:00:00 PM | Computer Name = BOSS | Source = Schedule | ID = 7901
Description = The At41.job command failed to start due to the following error: %%2147942402

Error - 9/7/2012 7:00:02 PM | Computer Name = BOSS | Source = Service Control Manager | ID = 7031
Description = The avast! Antivirus service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 5000 milliseconds:
Restart the service.


< End of report >
  • 0



#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Copy the text in the code box by highlighting and Ctrl + c


:OTL
[2012/09/06 21:52:07 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\GL5U4r7.dat
[2012/09/06 21:51:52 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_.b
[2012/09/06 21:51:52 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe.b

:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
at /c
C:\WINDOWS\tasks\AT*.job
dir /a /s C:\$Recycle.Bin\S-1-5-18 /c
dir /a /s C:\$Recycle.Bin /c

:reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"


:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then double click on OTL to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Double click aswMBR.exe
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan (Accept the Avast Engine).
On completion of the scan, if the Fix button is enabled (not the FixMBR button), press it, then run a new scan and click Save log; save it to your desktop and post it in your next reply.
If the Fix button is not enabled, just click Save log; save it to your desktop and post it in your next reply.

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again, but this time:
Before you hit Scan, hit Change Parameters and check the two items under Additional Options. Click OK, then Scan.
In this mode it is prone to false positives, so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe to start the program.
* follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Right click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right click on System and select Clear Log, then Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.


Ron
  • 0
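The OTL log in the first post (two dozen At*.job files written in the same second, next to 41qU5y8x.exe_.b in All Users\Application Data) and the `at /c` listing the fix above asks OTL to capture are the two places where this infection's persistence shows itself. The Python below is an added example written for this thread, not part of OTL, aswMBR or any tool Ron names, showing how a defender could flag that pattern mechanically in a log rather than by eye. The sample lines are constructed in the shape of the thread's logs, and the folder and random-name heuristics are assumptions, not rules from any product.

```python
"""Added detection helper for this thread (not OTL's own code). Flags the
Sirefef/ZeroAccess-style persistence visible in the logs: a burst of At*.job
tasks created in one second, plus the random-named file they launch from the
shared Application Data folder."""
import re
from collections import defaultdict

# OTL file line: [yyyy/mm/dd hh:mm:ss | size | attrs | C-or-M] () -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"[^|]+ \| [CM]\] \(\) -- (?P<path>.+)$"
)
# One row of the `at /c` listing OTL echoes: [Error] <id> Each <days> <h:mm AM/PM> "<command>"
AT_LINE = re.compile(
    r'^(?:Error\s+)?(?P<id>\d+)\s+Each\s+(?P<days>[A-Za-z ]+?)\s+'
    r'(?P<time>\d{1,2}:\d{2} [AP]M)\s+"(?P<cmd>[^"]+)"$'
)
# Name shapes seen in the thread: 41qU5y8x.exe_  41qU5y8x.exe.b  41qU5y8x.exe_.b  GL5U4r7.dat
RANDOM_SHAPE = re.compile(r"^[A-Za-z0-9]{6,12}\.(?:exe_?|dat)(?:\.b)?$")


def looks_random(name):
    """Assumed heuristic: short alphanumeric stem mixing digits, upper and lower case."""
    if not RANDOM_SHAPE.match(name):
        return False
    stem = name.split(".", 1)[0]
    return (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def in_shared_appdata(folder):
    """True for the all-users profile data folder (XP name and the Vista+ name)."""
    f = folder.lower() + "\\"
    return "\\all users\\application data\\" in f or "\\programdata\\" in f


def parse_otl(lines):
    """Yield (timestamp, path) for each OTL file line; other lines are skipped."""
    for line in lines:
        m = OTL_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("path")


def at_job_bursts(lines, threshold=5):
    """Map timestamp -> sorted At*.job paths for every second in which at least
    `threshold` distinct jobs were written. Jobs an admin schedules by hand
    arrive one at a time; a machine-made batch lands in the same second."""
    by_second = defaultdict(set)
    for ts, path in parse_otl(lines):
        name = path.rpartition("\\")[2]
        if re.fullmatch(r"At\d+\.job", name, re.IGNORECASE):
            by_second[ts].add(path)
    return {ts: sorted(p) for ts, p in by_second.items() if len(p) >= threshold}


def random_named_shared_files(lines):
    """OTL-listed files in the shared Application Data folder with random names."""
    hits = []
    for _, path in parse_otl(lines):
        folder, _, name = path.rpartition("\\")
        if in_shared_appdata(folder) and looks_random(name):
            hits.append(path)
    return hits


def suspicious_at_entries(lines):
    """(job id, run time, command) for at-listing rows that launch a
    random-named file out of the shared Application Data folder."""
    hits = []
    for line in lines:
        m = AT_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        folder, _, name = cmd.rpartition("\\")
        if in_shared_appdata(folder) and looks_random(name):
            hits.append((int(m.group("id")), m.group("time"), cmd))
    return hits


# Constructed sample input in the shape of the thread's logs (not copied verbatim).
SAMPLE_OTL = r"""
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/09/06 21:51:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2012/09/06 21:51:52 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_.b
[2012/09/06 21:51:52 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe.b
[2012/09/07 15:51:03 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job
""".strip().splitlines()

SAMPLE_AT = r"""
Status ID Day Time Command Line
Error 25 Each M T W Th F S Su 12:28 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
26 Each M T W Th F S Su 1:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
27 Each M T W Th F S Su 2:00 AM "C:\Program Files\Backup Tool\nightly.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for ts, jobs in at_job_bursts(SAMPLE_OTL).items():
        print(f"{len(jobs)} At*.job files created at {ts}")
    for path in random_named_shared_files(SAMPLE_OTL):
        print("random-named shared file:", path)
    for job_id, when, cmd in suspicious_at_entries(SAMPLE_AT):
        print(f"at job {job_id} runs {cmd} daily at {when}")
```

Run it as a script to print the findings, or import it and feed `at_job_bursts` the lines of any OTL log. The threshold of five jobs in one second is a judgment call; raise it on machines where an administrator legitimately deploys at-jobs in batches.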

#3
3mateo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
RKinner-

Ran into a prob with the aswMBR step, here's what I did:

1) Ran OTL w/ full script pasted, reboot. *see log below
2) Downloaded aswMBR, double clicked on icon, nothing happened.
3) Disabled Avast, tried 2), same result.
4) Removed older version of Mbam, searched for aswMBR in programs to delete and re-download,
it wasn't there, so I deleted the icon.
5) Completely removed Avast in case of conflict.
6) Having lots of redirects. Re-downloaded aswMBR, saved to desktop; double click on icon on desktop, still nothing happens.
7) Checked under its properties, clicked on UNBLOCK, tried all compatibility modes, still nothing happens.
8) Removed SuperAntiSpyware & Spybot in case of conflict.
9) I am stymied.
10) Ran Rkill. **see log below.
11) Tried aswMBR again, nothing.
12) Renamed aswMBR as "iexplore", error popup "can't initialize properly," 2nd attempt: nothing, no response.
13) Downloaded and ran TDSSKiller, same as aswMBR, i.e., won't run.

I do not know enough to know if it's safe or contraindicative to run Combofix without a rootkit scan first, so,...
what do you recommend?

Thanks again!
-Mateo




* #### OTL LOG ###################################

========== OTL ==========
C:\Documents and Settings\All Users\Application Data\GL5U4r7.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_.b moved successfully.
C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe.b moved successfully.
========== FILES ==========
File\Folder C:\Windows\assembly\GAC_32\Desktop.ini not found.
File\Folder C:\Windows\assembly\GAC_64\Desktop.ini not found.
< at /c >
Status ID Day Time Command Line
-------------------------------------------------------------------------------
Error 25 Each M T W Th F S Su 12:28 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
26 Each M T W Th F S Su 1:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 27 Each M T W Th F S Su 2:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
28 Each M T W Th F S Su 3:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
29 Each M T W Th F S Su 4:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
30 Each M T W Th F S Su 5:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
31 Each M T W Th F S Su 6:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
32 Each M T W Th F S Su 7:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
33 Each M T W Th F S Su 8:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
34 Each M T W Th F S Su 9:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
35 Each M T W Th F S Su 10:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
36 Each M T W Th F S Su 11:00 AM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 37 Each M T W Th F S Su 12:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
38 Each M T W Th F S Su 1:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 39 Each M T W Th F S Su 2:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 40 Each M T W Th F S Su 3:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 41 Each M T W Th F S Su 4:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
42 Each M T W Th F S Su 5:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
43 Each M T W Th F S Su 6:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
44 Each M T W Th F S Su 7:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
45 Each M T W Th F S Su 8:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 46 Each M T W Th F S Su 9:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 47 Each M T W Th F S Su 10:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
Error 48 Each M T W Th F S Su 11:00 PM "C:\Documents and Settings\All Users\Application Data\41qU5y8x.exe_"
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
< dir /a /s C:\$Recycle.Bin\S-1-5-18 /c >
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
< dir /a /s C:\$Recycle.Bin /c >
Volume in drive C has no label.
Volume Serial Number is 206D-1F5F
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\""|"%systemroot%\system32\wbem\wbemess.dll" /E : value set successfully!
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: Administrator.BOSS
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Jim
->Flash cache emptied: 506 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: Administrator.BOSS

User: All Users

User: Default User

User: Jim
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.61.1 log created on 09082012_095718








*** ##### Rkill LOG ##################################################LOG:

Rkill 2.3.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingc...opic308364.html

Program started at: 09/08/2012 11:13:39 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* BITS [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/08/2012 11:13:44 AM
Execution time: 0 hours(s), 0 minute(s), and 4 seconds(s)
  • 0

#4
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
Go ahead and try Combofix. Sometimes it works better in Safe Mode with Networking:


(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

Then pause your anti-virus, download Combofix.exe and save it to your desktop but change the name to george.exe before running it.

Let's see if ESET's fix will work:
Download, save and run the three files on this page per the instructions.

http://kb.eset.com/e...ent&id=SOLN2895

Let's also check for the Zero Access rootkit that creates its own permission:

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen shot of the Disk Management Window and attach the screen shot to your reply.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.


IF you still have Avast, run a boot-time scan:
Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
I think in XP they hide a text version of the report at:
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt
  • 0

#5
3mateo
    Member
  • Topic Starter
  • Member
  • 47 posts
Much better progress this time, no hitch.

1) ComboFix seemed successful in Safe Mode w/ Ntwg.

2) ESET:
The 3 ESETs seemed to download, but the icon for the remover looked funny (like the comp didn't recognize it).
The EZSireFix.exe seemed to work.
The Sirefefremover did not:
On a black screen, prog name etc., then "Can't initialize driver" "Can't open Sirefef Remover driver." "Checking for latest variat of Sirefef aka 'ZeroAcess'".
And finally, a pop up: Win32/Sirefef has NOT been found on your system.

Re-downloaded the ESET remover w/ new name, same result, wouldn't run.

In complete ignorance, I went ahead and ran Service repair.

3) Took Screen Shot, attached as JPEG.

4) Did not have Avast, so reloaded; BUT it would not do a boot scan: when I tried, the comp just restarted in normal mode, w/out a scan; and in normal mode it would not run a full system scan ("no end lines" or the like).
5) Restarted in 'Safe Mode w/ networking'; it did run a full system scan, found 6 threats (below), and I think the correct log is pasted below, title: aswAr1.log

Threats found:
1. SVC:... (bunch o numbers) ...>C:/Windows/System32\Drivers....sys Rootkit:hidden system
2.-5. In System Volume Info\_restore... (bunch o numbers) ...ini Win32:Sirefef-PL [Rtk]
6. C:\WINDOWS\assembly\GACS\Desktop.ini w/ same threat as 2 thru 5: Win32:Sirefef-PL [Rtk]

6) At last attempt, still does not do Avast BOOT Time Scan.

Thanks again, esp for being so quick!!!
~Mateo




#### AVAST LOG (PS, I'm not sure if this is what you asked for??) ###########
avast! Antirootkit, version 1.0 [Quick]
Scan started: Saturday, September 08, 2012 2:55:16 PM

File C:\WINDOWS\$hf_mig$
File C:\WINDOWS\$hf_mig$\KB2079403
File C:\WINDOWS\$hf_mig$\KB2079403\SP3QFE

####################################




OK>>>> this log was too long for a post, so if you need it, let me know and I'll attach it to a post.

-M

Attached Thumbnails

  • Disk Mg Wind SHOT.JPG

  • 0

#6
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
Did you not get a combofix log? If it ran there should be a log in either c:\combofix.txt or c:\combofix\combofix.txt

Go ahead and run the final OTL and post both logs so I can see where we are.

I think we've got a hidden partition version of Zero Access. I hate these. The only safe way to fix it is to burn a CD or use a bootable USB drive, but your computer is so old that it probably won't do a bootable drive, so that leaves us with burning a CD. Do you have a couple of blank CDs that you can burn?
  • 0

#7
3mateo
    Member
  • Topic Starter
  • Member
  • 47 posts
Yes, I have blank CDs, and, I think, blank DVDs.
I cannot find the ComboFix log; I looked, and did a search, to no avail.
I ran ComboFix again (pseudonymed as George); it seemed to run OK but stopped after about an hour of running, and froze for 3+ hrs with "crating log" on the screen; I finally had to manually turn off the computer.
Also, in Safe Mode w/ Networking, I'm getting a heinous Safety Warning that is hard to work around ... I assume it's part of the virus since it prompts me for registration, money, and makes it hard to do anything else.
I'm using my mini-laptop now.
Questions: is there any risk to my router and/or modem, and thus this laptop?

I'm ready for the blank disk instruction.
Thanks!
-Mateo
  • 0

#8
3mateo
    Member
  • Topic Starter
  • Member
  • 47 posts
Took me a bit:

OTL LOG:



OTL logfile created on: 9/8/2012 9:26:30 PM - Run 2
OTL by OldTimer - Version 3.2.61.1 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.58% Memory free
3.85 Gb Paging File | 3.62 Gb Available in Paging File | 93.91% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 108.36 Gb Free Space | 72.74% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 6.59 Gb Free Space | 88.50% Space Free | Partition Type: FAT32

Computer Name: BOSS | User Name: Jim | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/07 15:27:19 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2012/09/08 12:21:35 | 000,254,888 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\msiserv.exe -- (W32Sch)
SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/08/08 16:05:09 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWWAN.sys -- (PTDUWWAN)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWFLT.sys -- (PTDUWFLT)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUVsp.sys -- (PTDUVsp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUMdm.sys -- (PTDUMdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUBus.sys -- (PTDUBus)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvc.sys -- (LVUVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2007/07/22 14:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/04/21 22:09:00 | 000,120,448 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{02C2FC17-3FA4-475F-9F6F-099E21DA079D}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{1E02B687-EA27-4815-A25C-25B51B037734}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\..\SearchScopes\{1F397D90-488D-4800-BAEE-F0BCD701E15C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7DKUS_en
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3201318
IE - HKCU\..\SearchScopes\{C62CFA05-44B5-4B60-917B-9289833B2AD5}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKCU\..\SearchScopes\{F1359F9E-D2BE-4403-A7C6-D7B2998237C7}: "URL" = http://search.yahoo....0834,6901,0,8,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found


[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions
[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions\[email protected]

Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [syshost32] C:\WINDOWS\Installer\{06009DE9-CE52-5394-4A34-C9162998F4E3}\syshost.exe (HighTech Information System)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.fcd.maric...mgaxctrl6.5.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1346283026031 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1346283014625 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius....tiveXPlugin.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx (CUpdateCtl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{70FC676B-AE41-4E18-B39D-20CB5E48B32C}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/08 21:25:41 | 004,747,716 | ---- | C] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGEelSEGUNDO.exe
[2012/09/08 14:39:19 | 000,355,632 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/09/08 14:39:19 | 000,021,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/09/08 14:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/09/08 14:39:16 | 000,054,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/09/08 14:39:16 | 000,035,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/09/08 14:39:15 | 000,729,752 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/09/08 14:39:15 | 000,097,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/09/08 14:39:15 | 000,089,624 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/09/08 14:39:14 | 000,025,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/09/08 14:39:01 | 000,227,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/09/08 14:39:01 | 000,041,224 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/09/08 14:03:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2012/09/08 14:00:53 | 000,138,120 | ---- | C] (ESET) -- C:\Documents and Settings\Jim\Desktop\ESETSirefefRemover.exe
[2012/09/08 13:57:02 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/09/08 13:54:16 | 004,747,117 | R--- | C] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGE.exe
[2012/09/08 13:41:41 | 001,629,088 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Jim\Desktop\rkill.exe
[2012/09/08 10:44:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\JUST TOO OLD
[2012/09/07 15:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/09/07 15:47:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/07 15:27:18 | 000,599,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2012/09/07 11:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Pics n Music 2012
[2012/09/06 21:53:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/09/06 21:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/09/06 20:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/09/06 20:51:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/09/06 20:37:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jim\Recent
[2012/09/06 19:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jim\Recent(2)
[2012/09/04 15:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\ImgBurn
[2012/08/30 20:45:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jim\My Documents\Downloads
[2012/08/29 16:30:52 | 000,015,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/08/23 21:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\Sibelius Software
[2012/08/23 18:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\PriceGong
[2012/08/23 18:14:24 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012/08/23 18:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit
[2012/08/19 23:51:32 | 000,000,000 | ---D | C] -- C:\Program Files\WiseConvert

========== Files - Modified Within 30 Days ==========

[2012/09/08 21:25:54 | 004,747,716 | ---- | M] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGEelSEGUNDO.exe
[2012/09/08 21:13:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/08 19:03:47 | 000,000,310 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/08 19:02:22 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/08 14:39:19 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/08 14:39:15 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/09/08 14:35:13 | 000,083,541 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\Disk Mg Wind SHOT.JPG
[2012/09/08 14:01:17 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\ServicesRepair.exe
[2012/09/08 14:00:54 | 000,138,120 | ---- | M] (ESET) -- C:\Documents and Settings\Jim\Desktop\ESETSirefefRemover.exe
[2012/09/08 14:00:43 | 002,033,481 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\EZ_Sirefix.exe
[2012/09/08 13:54:26 | 004,747,117 | R--- | M] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGE.exe
[2012/09/08 13:23:18 | 001,629,088 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Jim\Desktop\rkill.exe
[2012/09/08 12:21:35 | 000,254,888 | ---- | M] () -- C:\WINDOWS\msiserv.exe
[2012/09/08 12:17:51 | 000,069,504 | ---- | M] () -- C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys
[2012/09/08 12:17:29 | 000,312,320 | ---- | M] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe
[2012/09/07 15:27:19 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2012/09/07 10:27:04 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/06 22:45:22 | 000,088,576 | ---- | M] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/06 21:34:14 | 000,000,066 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\mbam.context.scan
[2012/09/06 20:40:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/05 12:44:40 | 221,672,648 | -H-- | M] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/28 15:47:45 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/08/27 09:33:34 | 000,367,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/08/21 02:13:14 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/08/21 02:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/08/21 02:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

========== Files Created - No Company Name ==========

[2012/09/08 14:39:19 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/08 14:39:15 | 000,000,310 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/08 14:33:48 | 000,083,541 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\Disk Mg Wind SHOT.JPG
[2012/09/08 14:01:10 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\ServicesRepair.exe
[2012/09/08 14:00:41 | 002,033,481 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\EZ_Sirefix.exe
[2012/09/08 12:21:32 | 000,254,888 | ---- | C] () -- C:\WINDOWS\msiserv.exe
[2012/09/08 12:17:51 | 000,069,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys
[2012/09/08 12:17:29 | 000,312,320 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe
[2012/09/06 20:42:33 | 000,000,066 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\mbam.context.scan
[2012/09/05 12:46:00 | 221,672,648 | -H-- | C] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/07 23:01:45 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\usbaapl.sys
[2012/06/01 23:25:57 | 000,184,696 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/05/31 11:34:25 | 000,000,288 | -H-- | C] () -- C:\Documents and Settings\Jim\Application Data\.backup.dm
[2012/02/28 08:42:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 21:16:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/07/12 10:29:47 | 000,026,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\GEARAspiWDM.sys
[2010/11/04 16:22:07 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Jim\Application Data\bibstats
[2010/10/14 14:50:36 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/08/20 13:10:43 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\kodakpcd.ini
[2008/07/21 13:18:42 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/31 10:15:58 | 000,260,544 | -H-- | C] () -- C:\Documents and Settings\Jim\BD=1

< End of report >

#9 RKinner (Malware Expert, MVP, 24,625 posts)
Copy the text in the code box by highlighting it and pressing Ctrl+C:


:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWWAN.sys -- (PTDUWWAN)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWFLT.sys -- (PTDUWFLT)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUVsp.sys -- (PTDUVsp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUMdm.sys -- (PTDUMdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUBus.sys -- (PTDUBus)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvc.sys -- (LVUVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvcflt.sys -- (FilterService)
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
[2012/08/23 18:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\PriceGong
[2012/08/23 18:14:24 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012/08/23 18:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit
[2012/09/08 12:21:32 | 000,254,888 | ---- | C] () -- C:\WINDOWS\msiserv.exe
[2012/09/08 12:17:51 | 000,069,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys
[2012/09/08 12:17:29 | 000,312,320 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
C:\Documents and Settings\Owner\Application Data\*.exe
C:\Documents and Settings\All Users\Application Data\*.exe
C:\Documents and Settings\Jim\Local Settings\Application Data\*.exe
sc config W32Sch start= disabled /c
sc delete W32Sch /c
     
:Commands
[EMPTYJAVA]
[EMPTYFLASH]
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl+V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.


I think you got this thing from a drive-by download, probably using a Java vulnerability. I don't think it has network worm capabilities, but your router should have something other than the default admin password just on general principles, and if you are using wireless you should have WPA/WPA2 encryption rather than none or WEP.

Please attach the log you said was too long to post.

Was Combofix able to install the Recovery Console? (When you reboot you should now get a 2 second pause where it offers you your regular windows and the Recovery Console if it is installed.)



Copy the text in the code box:

SaveMBR:0
DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Run Scan.

You should get 1 log. Please copy and paste it. This should also create a file C:\PhysicalMBR.bin. Please rename it to C:\PhysicalMBR.txt and attach it.
For the CD we will need:

1. Preferably from a clean computer, please download the following: gparted-live-0.10.0-3.iso (115 MB)

When you have the .ISO file downloaded, you need to create a bootable disk, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like Free Iso Burner: http://www.freeisoburner.com/ or BurnAware Free or ImgBurn that can burn an .ISO image.

2. Now, please boot off of the newly created GParted CD. See How to Set BIOS to Boot from CDROM for information on how to boot from the CD.

You should arrive at the first GParted boot screen.
Press the ENTER key.

By default, "do not touch keymap" is highlighted. Leave this setting alone and press the ENTER key.

Next, choose your language and press the ENTER key. English is the default setting (33).

Once again, at this prompt, press the ENTER key.

You will now be taken to the main GUI screen.

They usually tell you to:
Please take a picture of this screen (camera or phone pictures will work just fine), and post it here for me to see. It is very important that you complete this step.

But I think I probably have enough info from the screenshot.



According to your logs, the partition that you want to delete is 2M.

Please select the partition of that size. Click the trash can icon to delete that partition, and then click Apply.

You should now be at the screen confirming your actions.

After clicking Accept, you should be back at the main partition view.

Under "Flags", right-click the 148.96 GB (or some number near that) partition while in GParted and select Manage Flags.

In the menu that pops up, place a check mark in "boot".

Now double-click the Exit button.

You should receive a small pop-up. Choose Reboot and then press OK.

IF you are lucky you should be able to reboot into regular mode. If not you need to boot into the Recovery Console and run:


fixmbr \Device\HardDisk0
fixboot c:
exit
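The OTL fix in the post above singles out three freshly created executables that OTL shows with an empty company-name field (msiserv.exe directly in the Windows folder, a 16-hex-digit .sys in System32\drivers, nxnww.exe directly in Local Settings\Application Data) and the W32Sch service that runs msiserv.exe. The script below is an added example, not part of RKinner's post and not OTL's own logic: it parses OTL "Files Created"/"Files Modified" lines and SRV lines and applies those same heuristics so the suspicious entries can be pulled out of a long log automatically. The rules, the function names, the 16-hex-digit driver pattern and the %SystemRoot% default are my assumptions; the sample lines are copied from the OTL logs posted in this thread.

```python
import re
from typing import Dict, List, Tuple

# One OTL "Files Created"/"Files Modified" line, e.g.
#   [2012/09/08 12:21:32 | 000,254,888 | ---- | C] () -- C:\WINDOWS\msiserv.exe
# The parenthesised field is the PE version-info company name; "()" means none.
OTL_FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
# One OTL service line, e.g.
#   SRV - [...] () [Auto | Stopped] -- C:\WINDOWS\msiserv.exe -- (W32Sch)
OTL_SRV_LINE = re.compile(
    r"^SRV - \[[^\]]*\] \((?P<company>[^)]*)\) \[(?P<start>[^|\]]+?) \| (?P<state>[^\]]+)\] "
    r"-- (?P<path>.+?) -- \((?P<svc>[^)]+)\)\s*$"
)
# Assumption: 16 hex digits + ".sys" is the random driver-name pattern the fix above removes.
HEX_DRIVER_NAME = re.compile(r"^[0-9a-f]{16}\.sys$", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr")


def services_by_path(log_text: str) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased image path -> (service name, start type) from SRV lines."""
    out: Dict[str, Tuple[str, str]] = {}
    for raw in log_text.splitlines():
        m = OTL_SRV_LINE.match(raw.strip())
        if m:
            out[m.group("path").lower()] = (m.group("svc"), m.group("start"))
    return out


def triage_otl_files(log_text: str, systemroot: str = r"C:\WINDOWS") -> Dict[str, List[str]]:
    """Return {path: [reasons]} for executables whose location or metadata look wrong.

    Heuristics (my assumptions, not OTL's): a driver with a random hex name; an
    executable with no company name sitting directly in %SystemRoot%, in
    System32\\drivers, or directly in a profile's Application Data folder.
    A matching SRV line is appended as context, never used as a reason on its own.
    """
    services = services_by_path(log_text)
    sysroot = systemroot.lower().rstrip("\\")
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        m = OTL_FILE_LINE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        company = m.group("company").strip()
        lower = path.lower()
        parent, _, name = lower.rpartition("\\")
        if not name.endswith(EXECUTABLE_EXTS):
            continue  # shortcuts, .job tasks, images and .ini files are skipped
        reasons: List[str] = []
        if HEX_DRIVER_NAME.match(name):
            reasons.append("random hex driver name")
        if not company:
            if parent == sysroot + "\\system32\\drivers":
                reasons.append("driver without company name")
            elif parent == sysroot:
                reasons.append("no-company executable in %SystemRoot% root")
            elif parent.endswith("\\application data"):
                reasons.append("no-company executable dropped in Application Data")
        if reasons and lower in services:
            svc, start = services[lower]
            reasons.append(f"registered as service {svc} ({start} start)")
        if reasons:
            findings[path] = reasons
    return findings


# Sample input: lines copied from the OTL logs in this thread (no invented entries).
SAMPLE_LOG = r"""
[2012/08/21 02:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/09/08 14:39:19 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/08 14:39:15 | 000,000,310 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/08 12:21:32 | 000,254,888 | ---- | C] () -- C:\WINDOWS\msiserv.exe
[2012/09/08 12:17:51 | 000,069,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys
[2012/09/08 12:17:29 | 000,312,320 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe
[2012/08/07 23:01:45 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\usbaapl.sys
[2012/02/15 21:16:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
SRV - [2012/09/08 12:21:35 | 000,254,888 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\msiserv.exe -- (W32Sch)
SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
"""

if __name__ == "__main__":
    for path, why in triage_otl_files(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```

On the sample this flags the same three files the fix removes, with msiserv.exe annotated as the W32Sch auto-start service, and it also lists usbaapl.sys for lacking a company name. That last one is a legitimate Apple USB driver on a machine with iTunes installed, which is the point of returning reasons rather than a verdict: the "random hex driver name" and "dropped in Application Data" rules are strong signals, "driver without company name" is only a prompt to check the file by hand.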

#10 3mateo (Topic Starter, Member, 47 posts)
Got it, thanks. You are a rockstar.
I'll have to do the bulk in the morning; it's a bit too computer-savvy for my current state.
I'm half a dozen drinks into the night, and my girlfriend is playing weird piano music (i.e., I've been ignoring her more than usual since the virus!)
I'll upgrade the wireless, etc. as well.
Question 1: Can I use my neighbor's Mac to make the CD? This laptop has no disk slot. I suppose yes, but just double checking because it'll take me 1 to 3 hrs to do it (including calling, planning, schmoozing, emphatically stating that he WON'T get the virus from what I'm doing, logging in, figuring out how to burn a CD on his computer, etc., etc.)
Q2: What is a "drive-by download"? From P2P, downloading new software, or just surfing?
I had a virus about 8 weeks ago, fixed it 4 weeks ago (I was on a canoe trip for 2 weeks) and upgraded Java as per instructions from a G2G newbie (had to check everything with an elder); thus Java was fairly upgraded, so by 'weakness', you mean in programming? (as opposed to usage, upgrades, etc.)

RECOVERY CONSOLE possibly via ComboFix:
If I boot in Safe Mode or SM with Networking, I get a second option of 3:
MS Windows Recovery Console
do not select this (debugger enabled)
MS Windows XP Home Edition

Though I have yet to find a ComboFix log anywhere.
At this moment, I can't find -- or remember where that truncated Avast log is; moreover, things seem to disappear a lot right now on my computer!
I'll do a search tomorrow, thanks for your patience!
~Mateo

PS, noticed you're in the Horcasitas; I spent some time hip'n it in Bellingham, the Couve, Lasqueti, Tofino, but mostly in the Kootenays (Nelson & Slocan Valley). Loved it!

#11 RKinner (Malware Expert, MVP, 24,625 posts)
Question 1: Can I use my neighbor's Mac to make the CD? This laptop has no disk slot. I suppose yes, but just double checking because it'll take me 1 to 3 hrs to do it (including calling, planning, schmoozing, emphatically stating that he WON'T get the virus from what I'm doing, logging in, figuring out how to burn a CD on his computer, etc., etc.)

I don't speak Mac so can't say for sure. You would think that since it is an ISO file it would have to work. I found this:
http://hints.macworl...060619181010389 which should help with the process.


Q2: What is a "drive-by download"? From P2P, downloading new software, or just surfing?

Probably just from surfing. You hit an infected website and they load stuff on your PC, usually via Java, JavaScript or Flash. Sometimes they talk you into clicking on something and other times it just gets in through some known vulnerability. A recent glitch in Java has been discovered that makes all Java version 7s vulnerable. Version 7 Update 7 was rushed out to combat the bug, but in the hurry they actually left your PC wide open, so right now we are recommending that you either uninstall Java or remove it from your browser. See: http://www.geekstogo...ur-web-browser/ or, if you absolutely need it on certain sites, run the NoScript add-on in Firefox (ScriptNo in Chrome) and avoid IE. With these add-ons you must tell the add-on that a site is allowed to use Java or JavaScript. A bit of a pain but lots safer.

#12 3mateo (Topic Starter, Member, 47 posts)
On the second one, OTL seemed to start working, then just stopped with no log, and this was still in the Custom Scan/Fixes box:

Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true

Did I do something wrong? I think I did it as per instructions, but maybe I hit Run Scan instead of Fix or the like... maybe you can tell from the info. Should I start over with the FIX before this Scan? Or do the Scan over again? Or just continue?

Another QUESTION: When I get there, can I create the ISO image on my laptop, and just burn it to disk on my neighbor's Mac? (You know how people can be about their computers, and if I did mess up their computer, well, then it's all over for me.)

Thanks!

-Mateo


############## OTL LOG from RUN FIX #######################

#13 3mateo (Topic Starter, Member, 47 posts)
Didn't see the OTL log on the last post, see below.
Also, couldn't get the Avast log to attach. It keeps saying "No file was selected for upload".

I could paste it in multiple posts?? Please advise.

Thanks,
~M



========== OTL ==========
Service PTDUWWAN stopped successfully!
Service PTDUWWAN deleted successfully!
File system32\DRIVERS\PTDUWWAN.sys not found.
Service PTDUWFLT stopped successfully!
Service PTDUWFLT deleted successfully!
File system32\DRIVERS\PTDUWFLT.sys not found.
Service PTDUVsp stopped successfully!
Service PTDUVsp deleted successfully!
File system32\DRIVERS\PTDUVsp.sys not found.
Service PTDUMdm stopped successfully!
Service PTDUMdm deleted successfully!
File system32\DRIVERS\PTDUMdm.sys not found.
Service PTDUBus stopped successfully!
Service PTDUBus deleted successfully!
File system32\DRIVERS\PTDUBus.sys not found.
Service LVUVC stopped successfully!
Service LVUVC deleted successfully!
File system32\DRIVERS\lvuvc.sys not found.
Service LVUSBSta stopped successfully!
Service LVUSBSta deleted successfully!
File system32\DRIVERS\LVUSBSta.sys not found.
Service LVRS stopped successfully!
Service LVRS deleted successfully!
File system32\DRIVERS\lvrs.sys not found.
Service FilterService stopped successfully!
Service FilterService deleted successfully!
File system32\DRIVERS\lvuvcflt.sys not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
C:\Program Files\Java\jre7\bin\ssv.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
C:\Program Files\Java\jre7\bin\jp2ssv.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ not found.
Folder C:\Documents and Settings\Jim\Application Data\PriceGong\ not found.
C:\Program Files\Conduit\Community Alerts folder moved successfully.
C:\Program Files\Conduit folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Log folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\LanguagePacks folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Feeds folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\light folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images\dark folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog\Images folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Dialogs\AppNotificationDialog folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts\Dialogs folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit\Community Alerts folder moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit folder moved successfully.
C:\WINDOWS\msiserv.exe moved successfully.
File C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys not found.
File C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe not found.
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
File\Folder C:\Documents and Settings\Owner\Application Data\*.exe not found.
File\Folder C:\Documents and Settings\All Users\Application Data\*.exe not found.
C:\Documents and Settings\Jim\Local Settings\Application Data\qkelmaos.exe moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\ycjxugf.exe moved successfully.
< sc config W32Sch start= disabled /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
< sc delete W32Sch /c >
[SC] DeleteService SUCCESS
C:\Documents and Settings\Jim\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jim\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: Administrator.BOSS

User: All Users

User: Default User

User: Jim
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.BOSS
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Jim
->Flash cache emptied: 506 bytes

User: LocalService
->Flash cache emptied: 6726 bytes

User: NetworkService
->Flash cache emptied: 15582 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.61.1 log created on 09102012_113736

#14 RKinner (Malware Expert, MVP, 24,625 posts)
What you have in the Custom Scan/Fixes box is only a part of a custom scan. I can see how that might annoy OTL.

You want:

SaveMBR:0
DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

Then you press the Run Scan button.
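The custom scan above starts with SaveMBR:0, which dumps the first sector of disk 0 to C:\PhysicalMBR.bin, and the GParted steps earlier in the thread then delete a 2 MB partition and move the boot flag onto the 148.96 GB one. As an added example, not part of any post here and not OTL's or GParted's own code, the script below decodes such a 512-byte dump and reports exactly those two conditions: a tiny partition in the table, and the active (boot) flag sitting somewhere other than the largest partition. The function names, the 16 MB "small partition" threshold and the sample MBR are my assumptions; the sample is constructed to mirror the thread's situation (boot flag on a 2 MB entry next to a 148.96 GB NTFS entry) and is not the poster's real dump.

```python
import struct
from typing import Dict, List

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PART_TABLE_OFFSET = 446              # four 16-byte entries follow the boot code
ENTRY_FORMAT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count
# Assumption: a primary partition this small on a desktop disk deserves a look.
SMALL_PARTITION_BYTES = 16 * 1024 * 1024


def parse_mbr(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four primary partition entries of a 512-byte MBR dump."""
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR ending in 55 AA")
    entries: List[Dict[str, int]] = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FORMAT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count,
                        "bytes": count * SECTOR_BYTES})
    return entries


def assess_mbr(entries: List[Dict[str, int]]) -> List[str]:
    """Flag the two conditions the GParted steps in this thread correct."""
    if not entries:
        return ["partition table is empty"]
    issues: List[str] = []
    largest = max(entries, key=lambda e: e["bytes"])
    if not any(e["active"] for e in entries):
        issues.append("no partition carries the active (boot) flag")
    elif not largest["active"]:
        issues.append(f"boot flag is not on the largest partition (index {largest['index']})")
    for e in entries:
        if e["bytes"] <= SMALL_PARTITION_BYTES:
            issues.append(f"partition {e['index']} is only {e['bytes'] // (1024 * 1024)} MB "
                          f"(type 0x{e['type']:02x}, LBA {e['lba_start']})")
    return issues


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real dump: a 148.96 GB NTFS partition plus a
    2 MB partition that carries the boot flag."""
    mbr = bytearray(SECTOR_BYTES)
    mbr[0] = 0xEB                  # stand-in for the 446 bytes of boot code
    chs = b"\xfe\xff\xff"          # CHS fields; LBA-era loaders ignore them
    big_sectors = 312_391_762      # 148.96 GB / 512
    small_sectors = 4096           # 2 MB / 512
    struct.pack_into(ENTRY_FORMAT, mbr, PART_TABLE_OFFSET,
                     0x00, chs, 0x07, chs, 63, big_sectors)
    struct.pack_into(ENTRY_FORMAT, mbr, PART_TABLE_OFFSET + 16,
                     0x80, chs, 0x07, chs, 63 + big_sectors, small_sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py C:\PhysicalMBR.bin   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_BYTES)
    else:
        data = build_sample_mbr()
    parts = parse_mbr(data)
    for p in parts:
        print(p)
    for issue in assess_mbr(parts):
        print("!!", issue)
```

Reading the dump this way before burning a CD tells you whether the GParted trip is needed at all. It also explains the order of the steps in the thread: Recovery Console fixmbr rewrites only the boot code in front of the partition table and leaves the table itself alone, so a hidden partition and a misplaced boot flag survive fixmbr, which is why the partition is deleted and the flag moved in GParted first and fixmbr/fixboot are only the fallback if the machine still will not boot.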

#15 3mateo (Topic Starter, Member, 47 posts)
Looks like the same thing happened, in that there is still data in the OTL Custom Scan/Fixes box (see below); however, an OTL log popped up in Notepad a minute or two later... although the first date on the top line of the log is 9/8/2012, but maybe that's normal. I'm pretty sure I pasted the entire box, triple checked it. Maybe the settings for OTL should be different??
I'll get to work on the bootable disk.
Thanks,
~M



########### Still in the Cust Scan/Fixes box of OTL ##############

DRIVES
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true




######################### OTL LOG that popped up in Notepad after running OTL ########################

OTL logfile created on: 9/8/2012 9:26:30 PM - Run 2
OTL by OldTimer - Version 3.2.61.1 Folder = C:\Documents and Settings\Jim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 79.58% Memory free
3.85 Gb Paging File | 3.62 Gb Available in Paging File | 93.91% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 108.36 Gb Free Space | 72.74% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 6.59 Gb Free Space | 88.50% Space Free | Partition Type: FAT32

Computer Name: BOSS | User Name: Jim | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/07 15:27:19 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2012/09/08 12:21:35 | 000,254,888 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\msiserv.exe -- (W32Sch)
SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/08/08 16:05:09 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWWAN.sys -- (PTDUWWAN)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUWFLT.sys -- (PTDUWFLT)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUVsp.sys -- (PTDUVsp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUMdm.sys -- (PTDUMdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\PTDUBus.sys -- (PTDUBus)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvc.sys -- (LVUVC)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvuvcflt.sys -- (FilterService)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2007/07/22 14:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/04/21 22:09:00 | 000,120,448 | R--- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{02C2FC17-3FA4-475F-9F6F-099E21DA079D}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{1E02B687-EA27-4815-A25C-25B51B037734}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\..\SearchScopes\{1F397D90-488D-4800-BAEE-F0BCD701E15C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7DKUS_en
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT3201318
IE - HKCU\..\SearchScopes\{C62CFA05-44B5-4B60-917B-9289833B2AD5}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKCU\..\SearchScopes\{F1359F9E-D2BE-4403-A7C6-D7B2998237C7}: "URL" = http://search.yahoo....0834,6901,0,8,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll File not found


[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions
[2008/10/09 16:42:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions\[email protected]

Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [syshost32] C:\WINDOWS\Installer\{06009DE9-CE52-5394-4A34-C9162998F4E3}\syshost.exe (HighTech Information System)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.fcd.maric...mgaxctrl6.5.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1346283026031 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1346283014625 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius....tiveXPlugin.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_05)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} http://update.hpphot.../HPSWUpdate.ocx (CUpdateCtl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{70FC676B-AE41-4E18-B39D-20CB5E48B32C}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (sdnclean.exe)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/08 21:25:41 | 004,747,716 | ---- | C] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGEelSEGUNDO.exe
[2012/09/08 14:39:19 | 000,355,632 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/09/08 14:39:19 | 000,021,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/09/08 14:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/09/08 14:39:16 | 000,054,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/09/08 14:39:16 | 000,035,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/09/08 14:39:15 | 000,729,752 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/09/08 14:39:15 | 000,097,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/09/08 14:39:15 | 000,089,624 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/09/08 14:39:14 | 000,025,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/09/08 14:39:01 | 000,227,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/09/08 14:39:01 | 000,041,224 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/09/08 14:03:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2012/09/08 14:00:53 | 000,138,120 | ---- | C] (ESET) -- C:\Documents and Settings\Jim\Desktop\ESETSirefefRemover.exe
[2012/09/08 13:57:02 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/09/08 13:54:16 | 004,747,117 | R--- | C] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGE.exe
[2012/09/08 13:41:41 | 001,629,088 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Jim\Desktop\rkill.exe
[2012/09/08 10:44:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\JUST TOO OLD
[2012/09/07 15:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2012/09/07 15:47:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/07 15:27:18 | 000,599,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2012/09/07 11:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Pics n Music 2012
[2012/09/06 21:53:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/09/06 21:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/09/06 20:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/09/06 20:51:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/09/06 20:37:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jim\Recent
[2012/09/06 19:00:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jim\Recent(2)
[2012/09/04 15:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\ImgBurn
[2012/08/30 20:45:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jim\My Documents\Downloads
[2012/08/29 16:30:52 | 000,015,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/08/23 21:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\Sibelius Software
[2012/08/23 18:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\PriceGong
[2012/08/23 18:14:24 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012/08/23 18:14:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Conduit
[2012/08/19 23:51:32 | 000,000,000 | ---D | C] -- C:\Program Files\WiseConvert

========== Files - Modified Within 30 Days ==========

[2012/09/08 21:25:54 | 004,747,716 | ---- | M] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGEelSEGUNDO.exe
[2012/09/08 21:13:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/08 19:03:47 | 000,000,310 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/08 19:02:22 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/08 14:39:19 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/08 14:39:15 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/09/08 14:35:13 | 000,083,541 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\Disk Mg Wind SHOT.JPG
[2012/09/08 14:01:17 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\ServicesRepair.exe
[2012/09/08 14:00:54 | 000,138,120 | ---- | M] (ESET) -- C:\Documents and Settings\Jim\Desktop\ESETSirefefRemover.exe
[2012/09/08 14:00:43 | 002,033,481 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\EZ_Sirefix.exe
[2012/09/08 13:54:26 | 004,747,117 | R--- | M] (Swearware) -- C:\Documents and Settings\Jim\Desktop\GEORGE.exe
[2012/09/08 13:23:18 | 001,629,088 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Jim\Desktop\rkill.exe
[2012/09/08 12:21:35 | 000,254,888 | ---- | M] () -- C:\WINDOWS\msiserv.exe
[2012/09/08 12:17:51 | 000,069,504 | ---- | M] () -- C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys
[2012/09/08 12:17:29 | 000,312,320 | ---- | M] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe
[2012/09/07 15:27:19 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
[2012/09/07 10:27:04 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/06 22:45:22 | 000,088,576 | ---- | M] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/06 21:34:14 | 000,000,066 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\mbam.context.scan
[2012/09/06 20:40:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/05 12:44:40 | 221,672,648 | -H-- | M] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/28 15:47:45 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/08/27 09:33:34 | 000,367,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/08/21 02:13:14 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/08/21 02:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/08/21 02:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

========== Files Created - No Company Name ==========

[2012/09/08 14:39:19 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/08 14:39:15 | 000,000,310 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/08 14:33:48 | 000,083,541 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\Disk Mg Wind SHOT.JPG
[2012/09/08 14:01:10 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\ServicesRepair.exe
[2012/09/08 14:00:41 | 002,033,481 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\EZ_Sirefix.exe
[2012/09/08 12:21:32 | 000,254,888 | ---- | C] () -- C:\WINDOWS\msiserv.exe
[2012/09/08 12:17:51 | 000,069,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\52c68b51ad2755ee.sys
[2012/09/08 12:17:29 | 000,312,320 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\nxnww.exe
[2012/09/06 20:42:33 | 000,000,066 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\mbam.context.scan
[2012/09/05 12:46:00 | 221,672,648 | -H-- | C] () -- C:\Documents and Settings\Jim\Desktop\1x15 - So Sorry, My Island Now.avi
[2012/08/07 23:01:45 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\usbaapl.sys
[2012/06/01 23:25:57 | 000,184,696 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/05/31 11:34:25 | 000,000,288 | -H-- | C] () -- C:\Documents and Settings\Jim\Application Data\.backup.dm
[2012/02/28 08:42:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 21:16:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/07/12 10:29:47 | 000,026,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\GEARAspiWDM.sys
[2010/11/04 16:22:07 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Jim\Application Data\bibstats
[2010/10/14 14:50:36 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2008/08/20 13:10:43 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\kodakpcd.ini
[2008/07/21 13:18:42 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/31 10:15:58 | 000,260,544 | -H-- | C] () -- C:\Documents and Settings\Jim\BD=1

< End of report >