
Google redirect and other problems [Solved]


#1 gtaco94 (New Member, 8 posts)

Hi,

Like many other people, I have had problems with this Google redirect virus/malware. It all started off on my laptop. I had McAfee Enterprise antivirus running and I scanned everything before I opened. However, this didn't help and I was still infected. Every time I clicked on a Google search result, it would redirect me to some place else and my computer would run real slow... I would have to click "Back" and then do it again to get to where I need to. It also disabled my McAfee. So I grabbed a few Cruzer flash drives and moved all my important files to my family desktop. I reformatted my laptop and it's running fine now.

BUT, after I moved all my important files (school stuff, a few songs, no drivers or programs of any sort) to my family desktop, I think it transferred the malware? I'm not sure since I hardly use this computer. However, the redirect virus seems to be different because it opens up a new browser and I am unable to get to that location till I copy and paste the shortcut. My sister told me that it didn't have any problems before that day but she doesn't really know anything about malware etc. I have Uniblue SpyEraser running and it didn't catch anything... Enterprise on-demand scan caught a few things (I think they were called 88.exe) that day. I downloaded Spybot and Ad-Aware and ran those and it found a few trojans and malware registry entries... I ran Spybot a few times and the trojans seem to be gone but the malware won't go away.

Once every so often, a thing would pop up and say that my computer might be infected and a window will pop up saying that it's "scanning"... I know it's malware but I can't seem to get rid of it either.

So now I'm stuck, I don't know whether the flash drives will move it back to my laptop if I plug them in and I don't want to lose the files that I transferred. I really don't want to reformat my computer because I have a lot of other important files here. I've searched the whole forum but I know that everyone's computer is different and I can't go off what someone else posted...

Please help!


#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hello gtaco94

Welcome to Geeks to Go :) and sorry to keep you waiting.

Please go to this page here and start at Step Five: Rootkit Detection, then post the Rooter.exe log and the OTListIt logs here in a reply.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#3 gtaco94 (Topic Starter, New Member, 8 posts)

Hi, Thanks!

Umm... There seems to be an added problem since the last time I posted... now I am not even able to get on the internet. When I want to go to Google or something, I type in "www.google.com" but it automatically changes it to Http:///?%20www.google.com....

I dunno, I was hoping you will be able to help me out through all this.

Here is the Rooter log:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:152625 Mo/Free:1844 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)
K:\ [Removable] (Total:0 Mo/Free:0 Mo)
L:\ [CD-Rom] (Total:4 Mo/Free:0 Mo)
M:\ [Removable] (Total:3897 Mo/Free:3250 Mo)

Sat 09/05/2009|19:25

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
---------- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
---------- C:\WINDOWS\system32\mfevtps.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\HPZipm12.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Viewpoint\Common\ViewpointService.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
---------- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
---------- C:\WINDOWS\zHotkey.exe
---------- C:\Program Files\Multimedia Card Reader\shwicon2k.exe
---------- C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\Program Files\McAfee\Common Framework\udaterui.exe
---------- C:\WINDOWS\system32\sstray.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
---------- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
---------- C:\Program Files\McAfee\Common Framework\McTray.exe
---------- C:\Documents and Settings\Norman\Application Data\U3\000017E6CA6255A2\LaunchPad.exe
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Real\RealPlayer\RealPlay.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\Norman\My Documents\download\skippy94179\Dead_AIM_v4.5\Dead Aim 4.5+crack fix\DeadAIM.exe
C:\DOCUME~1\Norman\My Documents\download\skippy94179\Dead_AIM_v4.5\Dead Aim 4.5+crack fix\ReadMe.txt


1 - "C:\Rooter$\Rooter_1.txt" - Sat 09/05/2009|19:26

----------------------\\ Scan completed at 19:26


And here is the OTL log:

OTListIt logfile created on: 9/05/2009 7:45:23 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\Norman\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

447.48 Mb Total Physical Memory | 47.93 Mb Available Physical Memory | 10.71% Memory free
1.03 Gb Paging File | 0.71 Gb Available in Paging File | 68.50% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 89.80 Gb Free Space | 60.25% Space Free | Partition Type: NTFS
Drive D: | 544.44 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive L: | 5.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive M: | 3.81 Gb Total Space | 3.17 Gb Free Space | 83.40% Space Free | Partition Type: FAT32

Computer Name: DAD
Current User Name: Norman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
PRC - C:\WINDOWS\zHotkey.exe (Chicony)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
PRC - C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\sstray.exe (NVIDIA Corporation)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe (Uniblue Software)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
PRC - C:\Documents and Settings\Norman\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (lxbt_device [On_Demand | Stopped]) -- C:\WINDOWS\System32\lxbtcoms.exe (Lexmark International, Inc.)
SRV - (McAfeeEngineService [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (McAfeeFramework [Unknown | Running]) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (mfevtp [Unknown | Running]) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ENETHUSB [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\enethusb.sys (Efficient Networks, Inc.)
DRV - (enodpl [Auto | Running]) -- C:\WINDOWS\System32\drivers\enodpl.sys ()
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (GoProto [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mfeapfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [Boot | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdet [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik [System | Running]) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (MREMPR5 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)
DRV - (MRENDIS5 [On_Demand | Stopped]) -- c:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (nvax [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (NVENET [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\NVENET.sys (NVIDIA Corporation)
DRV - (nvnforce [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nv_agp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (ppmoucls [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ppmoucls.sys (Windows ® 2000 DDK provider)
DRV - (pptchpad [System | Running]) -- C:\WINDOWS\System32\DRIVERS\pptchpd5.sys ()
DRV - (prodrv06 [System | Running]) -- C:\WINDOWS\System32\drivers\prodrv06.sys (Protection Technology)
DRV - (prohlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\prohlp02.sys (Protection Technology)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfhlp01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp01.sys (Protection Technology)
DRV - (SunkFilt [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\sunkfilt.sys (Alcor Micro Corp.)
DRV - (tandpl [Auto | Running]) -- C:\WINDOWS\System32\drivers\tandpl.sys ()
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_Url = http://www.microsoft...p...&ar=msnhome
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_Url = http://www.microsoft...p...&ar=msnhome
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.c...ferrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/04/03 10:31:58 | 00,000,000 | ---D | M]


O1 HOSTS File: (813 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [CHotkey] zHotkey.exe (Chicony)
O4 - HKLM..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16 (Lexmark International, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (McAfee, Inc.)
O4 - HKLM..\Run: [nForce Tray Options] sstray.exe /r (NVIDIA Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [SYS32DLL] SYS32DLL File not found
O4 - HKCU..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (Uniblue Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://gamerival.obe...web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://activation.a...aller_2-0-0.cab (Reg Error: Value error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/...all-131-win.cab (Java Plug-in 1.3.1)
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/...-131_02-win.cab (Java Plug-in 1.3.1_02)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_05)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} http://gamerival.obe...ronGameHost.cab (Oberon Flash Game Host)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} http://gamerival.obe...sh.1.0.0.47.cab (CPlayFirstWeddingDashControl Object)
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} http://gamerival.obe...sh.1.0.0.15.cab (CPlayFirstParkingDasControl Object)
O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/02/06 21:07:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2000/11/17 23:33:28 | 00,000,058 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2006/12/11 15:03:59 | 00,000,277 | R--- | M] () - L:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{d0f779d9-ece3-11dd-a364-0040ca761a72}\Shell - "" = AutoRun
O33 - MountPoints2\{d0f779d9-ece3-11dd-a364-0040ca761a72}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0f779d9-ece3-11dd-a364-0040ca761a72}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -- [2006/12/07 13:45:13 | 01,095,224 | R--- | M] ()
O33 - MountPoints2\{d155ae60-3864-11db-9b4d-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{d155ae60-3864-11db-9b4d-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d155ae60-3864-11db-9b4d-00038a000015}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -- [2006/12/07 13:45:13 | 01,095,224 | R--- | M] ()
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/09 19:24:57 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/09 19:14:46 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Norman\Desktop\OTListIt2.exe
[2009/05/09 19:14:24 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Norman\Desktop\Rooter.exe
[2009/05/07 18:54:18 | 46,929,1008 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/07 17:10:52 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/07 17:10:51 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/07 17:10:49 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/07 17:10:46 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/07 17:10:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/07 17:10:01 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Norman\Desktop\NTREGOPT.lnk
[2009/05/07 17:10:01 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Norman\Desktop\ERUNT.lnk
[2009/05/07 17:10:00 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/07 16:53:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Norman\Application Data\Malwarebytes
[2009/05/07 16:52:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/07 15:53:13 | 00,001,827 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[2009/05/06 02:05:17 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\f23567.dat
[2009/05/06 00:10:07 | 00,064,432 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2009/05/06 00:10:07 | 00,042,424 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/05/06 00:10:06 | 00,074,648 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2009/05/06 00:10:05 | 00,090,360 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/05/06 00:10:05 | 00,062,704 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys
[2009/05/06 00:10:04 | 00,340,592 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/05/06 00:10:03 | 00,067,904 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2009/05/06 00:07:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/05/05 22:10:13 | 00,000,385 | ---- | C] () -- C:\WINDOWS\System32\NVU001.nvu
[2009/05/05 22:09:00 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv
[2009/05/05 22:09:00 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wdmaud.drv
[2009/05/05 22:04:44 | 00,225,280 | R--- | C] () -- C:\WINDOWS\System32\nvwrsda.dll
[2009/05/05 00:38:50 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/05 00:34:36 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/05/05 00:34:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/05/05 00:13:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\796525
[2009/05/04 21:03:35 | 00,000,000 | ---D | C] -- C:\QUARANTINE
[2009/05/04 19:34:03 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/04 11:55:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Norman\Desktop\New Folder
[2009/04/19 23:53:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Norman\My Documents\AIS
[2009/04/19 16:06:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems
[2009/04/19 16:06:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/04/19 16:06:11 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/04/19 16:00:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/04/19 15:08:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/04/19 15:08:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/04/19 15:08:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/04/19 14:38:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Norman\Desktop\CS Saved PFC
[2009/04/15 22:23:05 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 22:23:05 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009/04/15 22:23:02 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 22:23:01 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 22:23:00 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 22:22:59 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 22:22:59 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 22:22:58 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 22:22:58 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 22:22:57 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 22:22:54 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009/04/15 22:22:51 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2009/04/15 22:22:44 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009/04/15 22:20:11 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 22:20:10 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2008/08/18 19:21:22 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/02/04 18:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/01/21 22:34:49 | 00,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2006/11/11 21:27:55 | 00,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/07/18 14:06:07 | 00,000,682 | ---- | C] () -- C:\WINDOWS\TTutor7.ini
[2006/06/30 17:19:54 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2006/04/29 11:33:27 | 00,000,060 | ---- | C] () -- C:\WINDOWS\PPHIDPAD.INI
[2006/02/05 15:41:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/29 00:54:16 | 00,017,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\PPTCHPD5.SYS
[2005/12/29 00:54:15 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\PPADAPI.DLL
[2005/11/13 21:35:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2005/05/10 19:54:08 | 00,001,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2005/05/02 12:22:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/12/09 18:17:06 | 00,000,034 | ---- | C] () -- C:\WINDOWS\System32\rnplf12.dll
[2004/07/27 15:09:21 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/07/21 17:30:33 | 00,001,029 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/07/19 23:07:48 | 00,000,120 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/07/09 11:53:39 | 00,007,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\enodpl.sys
[2004/07/09 11:53:39 | 00,004,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\tandpl.sys
[2004/06/30 16:04:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\SDelete.dll
[2004/06/30 13:59:39 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2004/06/30 13:59:39 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2004/06/30 13:56:11 | 00,126,976 | R--- | C] () -- C:\WINDOWS\System32\lxbtsnls.dll
[2004/06/30 13:56:10 | 00,139,264 | R--- | C] () -- C:\WINDOWS\System32\lxbtcoin.dll
[2004/06/30 13:56:08 | 00,001,832 | R--- | C] () -- C:\WINDOWS\System32\lxbtprod.ini
[2004/06/29 23:50:30 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/05/10 17:04:54 | 00,192,512 | R--- | C] () -- C:\WINDOWS\System32\GCCollection.dll
[2004/03/07 14:51:00 | 00,024,924 | ---- | C] () -- C:\WINDOWS\System32\openports.dll
[2004/02/19 12:31:34 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\lxbthwdf.dll
[2003/06/23 11:06:02 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbtvs.dll
[2003/02/06 23:23:22 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/02/06 22:41:02 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/02/06 22:40:09 | 00,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2003/02/06 22:40:09 | 00,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2003/02/06 21:48:54 | 00,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2003/02/06 21:48:18 | 00,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2003/02/06 19:48:50 | 00,027,136 | R--- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/02/06 19:48:44 | 00,018,253 | R--- | C] () -- C:\WINDOWS\System32\ssnvfx.ini
[2003/02/06 19:48:37 | 00,001,094 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/02/06 19:48:37 | 00,000,466 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/02/06 19:48:07 | 00,000,880 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/02/06 19:48:02 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/09 19:43:53 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/09 19:41:32 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/09 19:41:29 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Norman\Local Settings\desktop.ini
[2009/05/09 19:41:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/09 19:41:14 | 46,929,1008 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/09 19:06:20 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Norman\Desktop\OTListIt2.exe
[2009/05/09 19:06:12 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Norman\Desktop\Rooter.exe
[2009/05/07 17:10:52 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/07 17:10:01 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Norman\Desktop\NTREGOPT.lnk
[2009/05/07 17:10:01 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Norman\Desktop\ERUNT.lnk
[2009/05/07 15:57:06 | 00,000,575 | ---- | M] () -- C:\Documents and Settings\Norman\My Documents\My Sharing Folders.lnk
[2009/05/07 15:53:13 | 00,001,827 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[2009/05/06 02:05:17 | 00,000,001 | -H-- | M] () -- C:\WINDOWS\f23567.dat
[2009/05/05 22:10:13 | 00,000,385 | ---- | M] () -- C:\WINDOWS\System32\NVU001.nvu
[2009/05/05 21:59:48 | 00,017,145 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/05/05 00:38:51 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/04 19:34:03 | 00,000,001 | ---- | M] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/04/20 00:26:57 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/19 16:02:56 | 00,384,904 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/19 16:02:56 | 00,054,396 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/19 16:02:55 | 00,445,630 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/19 16:00:31 | 00,282,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/19 15:02:45 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/04/19 14:39:00 | 00,000,880 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/19 14:38:52 | 00,000,004 | ---- | M] () -- C:\WINDOWS\msoffice.ini
[2009/04/19 14:15:48 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

========== Alternate Data Streams ==========

@Alternate Data Stream - 2628 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
< End of report >

#4
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


also:

We will run OTListIt, but go for a shortened log.
  • Close all windows and open it by double clicking on the icon
  • we are targeting a selective output, hence:
    • on the left hand side, in the box titled "Processes" select none
    • on the left hand side, in the box titled "Drivers" select none
    • on the left hand side, in the box titled "Extra Registry" select none
    • on the right hand side, in the box titled "Files created within" select none
    • on the right hand side, in the box titled "Files modified within" select none
    • tick both the boxes marked Purity check and Lop check
  • Click Run Scan and let the program run uninterrupted
  • It will produce one log for you called OTListIt.txt. Please post that log here in reply.
  • You may need to use two posts to get it all on the forum
andrewuk
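When the ComboFix and OTListIt logs requested above come back, the helper reads them for a handful of recurring patterns before deciding on a fix script. The Python below is an added example written for this page; it is not a tool from the thread and not part of ComboFix or OTListIt. Its sample lines are constructed in the shape of the two log formats posted in this thread, and every heuristic is this example's own assumption about what deserves a second look: a Run value that ComboFix tags with [X] (read here as "file not found"), a per-user IE proxy pointing at localhost, a driver or service whose path sits in a Temp folder or ends in ComboFix's [?] marker, a tiny digit-laden file created directly under C:\WINDOWS or System32, and an alternate data stream on a file under C:\WINDOWS. Hits are prompts for a reviewer, not verdicts.

```python
"""Triage pass over ComboFix / OTListIt-style log lines.

Added example for this page; it is not a tool from the thread and not part
of ComboFix or OTListIt. The sample lines below are constructed in the shape
of the logs posted in this thread, and every heuristic is this example's own
assumption about what a log reviewer would want to look at twice.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    indicator: str  # why the line was flagged
    line: str       # the log line itself


# Constructed sample, mirroring the two log formats (not a real capture).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"="SYS32DLL" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
S3 adxapie;adxapie;\??\c:\docume~1\Norman\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Norman\LOCALS~1\Temp\adxapie.sys [?]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/05/2009 12:10 AM 67904]
[2009/05/06 02:05:17 | 00,000,001 | -H-- | C] () -- C:\WINDOWS\f23567.dat
[2009/05/04 19:34:03 | 00,000,001 | ---- | C] () -- C:\WINDOWS\9g2234wesdf3dfgjf23
[2009/05/07 17:10:00 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
@Alternate Data Stream - 2628 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
"""

# ComboFix tags a Run value whose file it could not find with [X] (assumption).
RUN_MISSING = re.compile(r'^"[^"]+"=.*\[X\]\s*$')
# Per-user IE proxy pointing back at the local machine.
LOCAL_PROXY = re.compile(r'ProxyServer\s*=.*\b(?:localhost|127\.0\.0\.1):\d+', re.I)
# ComboFix service/driver lines: "R2 name;description;path [date size]".
SERVICE_LINE = re.compile(r'^[RS][0-4]\s+[^;]+;[^;]*;(?P<path>.+)$')
# OTListIt file lines: "[date | size | attrs | C] (company) -- path".
OTL_FILE = re.compile(
    r'^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[^|]+)\|\s*[CM]\]\s*'
    r'(?:\([^)]*\)\s*)?--\s*(?P<path>.+)$')
ADS_LINE = re.compile(r'^@Alternate Data Stream - \d+ bytes -> (?P<path>.+):(?P<stream>[^:]+)$')

SYSTEM_DIRS = {r'c:\windows', r'c:\windows\system32'}


def _service_suspicious(path: str) -> bool:
    # Drivers normally live under system32\drivers, not in a user's Temp
    # folder; "[?]" is ComboFix's marker for a file it could not stat.
    return '\\temp\\' in path.lower() or path.rstrip().endswith('[?]')


def _tiny_odd_file(size: str, attr: str, path: str) -> bool:
    if 'D' in attr:                       # directory entry, not a file
        return False
    parent, _, name = path.strip().rpartition('\\')
    stem = name.rsplit('.', 1)[0]
    return (parent.lower() in SYSTEM_DIRS
            and int(size.replace(',', '')) <= 64
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def _ads_suspicious(path: str, stream: str) -> bool:
    # Zone.Identifier is the one stream Windows itself adds to downloads.
    return path.lower().startswith('c:\\windows\\') and stream.strip() != 'Zone.Identifier'


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips a heuristic."""
    findings = []
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if RUN_MISSING.match(line):
            findings.append(Finding('Run value whose file could not be found ([X])', line))
        elif LOCAL_PROXY.search(line):
            findings.append(Finding('per-user IE proxy pointing at the local machine', line))
        elif (m := SERVICE_LINE.match(line)) and _service_suspicious(m['path']):
            findings.append(Finding('driver/service loading from Temp or with a missing file', line))
        elif (m := OTL_FILE.match(line)) and _tiny_odd_file(m['size'], m['attr'], m['path']):
            findings.append(Finding('tiny digit-laden file directly under a system directory', line))
        elif (m := ADS_LINE.match(line)) and _ads_suspicious(m['path'], m['stream']):
            findings.append(Finding('alternate data stream on a file under C:\\WINDOWS', line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.indicator}\n    {f.line}')
```

Run it against a saved ComboFix.txt or OTListIt.txt by passing the file contents to triage(); the legitimate entries in the sample (ctfmon.exe, the McAfee service, the ERUNT folder) pass through untouched, while the six lines a reviewer would want to check are reported with the reason.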

#5
gtaco94
    New Member
  • Topic Starter
  • Member
  • 8 posts
ComboFix Log:

ComboFix 09-05-08.03 - Norman 09/05/2009 20:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.447.102 [GMT -5:00]
Running from: c:\documents and settings\Norman\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\f23567.dat
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 01:34 . 2009-05-10 01:35 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-10 00:24 . 2009-05-10 00:26 -------- d-----w C:\Rooter$
2009-05-07 23:34 . 2009-05-07 23:34 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-07 22:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-07 22:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 22:10 . 2009-05-07 22:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 22:10 . 2009-05-07 22:10 -------- d-----w c:\program files\ERUNT
2009-05-07 21:53 . 2009-05-07 21:53 -------- d-----w c:\documents and settings\Norman\Application Data\Malwarebytes
2009-05-07 21:52 . 2009-05-07 21:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 05:10 . 2008-09-29 13:07 64432 ----a-w c:\windows\system32\drivers\mferkdet.sys
2009-05-06 05:10 . 2008-09-29 13:07 42424 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-06 05:10 . 2008-09-29 13:07 74648 ----a-w c:\windows\system32\drivers\mfeapfk.sys
2009-05-06 05:10 . 2008-09-29 13:07 90360 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-06 05:10 . 2008-09-29 13:07 62704 ----a-w c:\windows\system32\drivers\mfetdik.sys
2009-05-06 05:10 . 2008-09-29 13:07 340592 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-05-06 05:10 . 2008-09-29 13:07 67904 ----a-w c:\windows\system32\mfevtps.exe
2009-05-06 05:07 . 2009-05-06 05:07 -------- d-----w c:\program files\Common Files\McAfee
2009-05-06 03:09 . 2008-04-14 00:12 23552 -c--a-w c:\windows\system32\dllcache\wdmaud.drv
2009-05-06 03:09 . 2008-04-14 00:12 23552 ----a-w c:\windows\system32\wdmaud.drv
2009-05-06 03:05 . 2003-10-06 21:16 131072 ----a-r c:\windows\system32\nvwrszht.dll
2009-05-06 03:05 . 2003-10-06 21:16 200704 ----a-r c:\windows\system32\nvrszht.dll
2009-05-06 03:05 . 2003-10-06 21:16 126976 ----a-r c:\windows\system32\nvwrszhc.dll
2009-05-06 03:05 . 2003-10-06 21:16 200704 ----a-r c:\windows\system32\nvrszhc.dll
2009-05-06 03:05 . 2003-10-06 21:16 233472 ----a-r c:\windows\system32\nvwrstr.dll
2009-05-06 03:05 . 2003-10-06 21:16 262144 ----a-r c:\windows\system32\nvrstr.dll
2009-05-06 03:05 . 2003-10-06 21:16 225280 ----a-r c:\windows\system32\nvwrssv.dll
2009-05-06 03:05 . 2003-10-06 21:16 258048 ----a-r c:\windows\system32\nvrssv.dll
2009-05-06 03:03 . 2003-10-06 21:16 131072 ----a-r c:\windows\system32\nvinstnt.dll
2009-05-05 05:34 . 2009-05-07 23:18 -------- d-----w c:\program files\Lavasoft
2009-05-05 05:34 . 2009-05-07 23:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-05 05:13 . 2009-05-07 00:55 -------- d-----w c:\windows\system32\796525
2009-05-05 02:03 . 2009-05-07 21:56 -------- d-----w C:\QUARANTINE
2009-04-19 21:06 . 2009-04-19 21:06 -------- d-----w c:\program files\Common Files\Cisco Systems
2009-04-19 21:06 . 2009-05-06 05:09 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-19 21:06 . 2009-05-06 05:07 -------- d-----w c:\program files\McAfee
2009-04-19 20:08 . 2009-04-19 20:08 -------- d-----w c:\windows\system32\scripting
2009-04-19 20:08 . 2009-04-19 20:08 -------- d-----w c:\windows\l2schemas
2009-04-19 20:08 . 2009-04-19 20:08 -------- d-----w c:\windows\system32\en
2009-04-16 03:23 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 03:23 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 03:23 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 03:23 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 03:23 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 03:22 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 03:22 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 03:22 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 03:22 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 03:22 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 03:22 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-16 03:22 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-16 03:22 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-16 03:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 03:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 23:20 . 2004-12-09 21:23 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-02 22:31 . 2004-06-30 18:56 -------- d-----w c:\program files\Lx_cats
2009-04-19 20:11 . 2003-02-07 02:06 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-19 19:48 . 2003-02-07 03:37 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-19 19:44 . 2003-02-07 03:37 -------- d-----w c:\program files\Symantec
2009-04-19 19:42 . 2003-02-07 03:40 -------- d-----w c:\program files\BigFix
2009-04-19 19:41 . 2008-11-19 01:35 -------- d-----w c:\program files\ATT
2009-04-19 19:33 . 2003-02-07 02:43 -------- d-----w c:\program files\aim
2009-03-06 14:22 . 2003-02-07 00:47 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 23:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-10-06 22:04 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-02-07 00:47 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-07-02 00:17 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-02-07 00:47 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-02-07 00:47 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-02-07 00:48 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"="SYS32DLL" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-29 1424648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-11-20 139264]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-03 185896]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2003-06-03 496640]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2003-09-03 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\EA SPORTS\\NHL 2005\\nhl2005.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3658:UDP"= 3658:UDP:Peer-to-peer gameplay
"6000:UDP"= 6000:UDP:Voice Over IP
"30300:TCP"= 30300:TCP:Lobby
"13505:TCP"= 13505:TCP:EA Messenger
"9555:UDP"= 9555:UDP:EA Sports Ticker

R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [29/12/2005 12:54 AM 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [29/12/2005 12:54 AM 17216]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [29/09/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/05/2009 12:10 AM 67904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [23/12/2007 4:00 PM 24652]
S3 adxapie;adxapie;\??\c:\docume~1\Norman\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Norman\LOCALS~1\Temp\adxapie.sys [?]
S3 L2XPSR;L2XPSR;\??\e:\release\L2XPSR.SYS --> e:\release\L2XPSR.SYS [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/05/2009 12:10 AM 64432]
S3 NTSTPL2;NTSTPL2;\??\e:\release\NTSTPL2.SYS --> e:\release\NTSTPL2.SYS [?]
S3 TAPBIND;TAPBIND;\??\e:\release\TAPBIND1.SYS --> e:\release\TAPBIND1.SYS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0f779d9-ece3-11dd-a364-0040ca761a72}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d155ae60-3864-11db-9b4d-00038a000015}]
\Shell\AutoRun\command - L:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2008-04-04 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-04 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://gamerival.oberon-media.com/gameshell/games/channel--110371637/lc--en/room--6328f04d-15cd-4a0a-bb7b-851c80c72e0f/online/cooking_dash/en/cookingdashweb.1.0.0.9.cab
DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://gamerival.oberon-media.com/gameshell/games/channel--110371637/lc--en/room--af0660ae-aad9-4f83-bf71-6c687db7f328/online/parking_dash/en/parkingdash.1.0.0.15.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 20:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-613716896-3593522462-463401915-1005\Software\America Online\ieToolbar\ersion\CustomSearch\*]
"Url"=""
"Post"=""
"Index"=dword:00000000
"Installed"=dword:00000000
.
Completion time: 2009-05-10 20:47
ComboFix-quarantined-files.txt 2009-05-10 01:46

Pre-Run: 96,326,012,928 bytes free
Post-Run: 96,935,600,128 bytes free

192 --- E O F --- 2009-04-29 19:12



OTL short log

OTListIt logfile created on: 9/05/2009 8:50:54 PM - Run 3
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\Norman\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

447.48 Mb Total Physical Memory | 139.01 Mb Available Physical Memory | 31.07% Memory free
1.03 Gb Paging File | 0.81 Gb Available in Paging File | 78.69% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 90.29 Gb Free Space | 60.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 3.81 Gb Total Space | 3.17 Gb Free Space | 83.32% Space Free | Partition Type: FAT32

Computer Name: DAD
Current User Name: Norman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (lxbt_device [On_Demand | Stopped]) -- C:\WINDOWS\System32\lxbtcoms.exe (Lexmark International, Inc.)
SRV - (McAfeeEngineService [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (McAfeeFramework [Auto | Running]) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (McShield [Auto | Paused]) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (mfevtp [Unknown | Running]) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== LOP Check ==========

[2009/05/07 18:20:35 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/08/09 19:19:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/07/12 12:34:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/11/18 18:25:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2007/06/06 13:16:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2007/12/28 14:21:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2007/12/28 14:25:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2003/02/06 22:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2004/06/30 13:59:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FaxCtr
[2008/07/05 13:10:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreshGames
[2007/03/17 11:23:17 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2006/04/25 19:57:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2009/05/07 18:18:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/06/25 12:45:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia
[2009/05/07 16:52:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/06 00:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/05/07 18:14:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2006/06/30 17:01:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2006/06/30 17:20:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
[2004/07/01 22:52:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2004/07/02 11:03:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NFS Underground
[2004/06/29 17:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2008/07/07 14:25:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Games
[2008/04/19 14:42:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2008/07/08 16:14:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2003/02/06 22:35:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2008/07/08 21:46:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/05/07 18:13:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/19 14:44:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2008/07/08 22:17:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/30 19:19:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2008/04/04 11:27:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uniblue
[2008/07/12 12:34:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/06 15:30:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VirtualFarm
[2006/05/09 14:32:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/04/03 10:36:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/05/07 16:53:31 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Norman\Application Data
[2004/12/23 18:56:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\.BitTornado
[2007/06/06 13:17:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\acccore
[2008/01/14 14:30:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Adobe
[2008/08/09 19:10:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\AdobeUM
[2008/02/02 21:53:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Aim
[2008/10/13 23:02:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Apple Computer
[2003/02/06 23:10:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\CyberLink
[2009/03/27 01:49:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\FaxCtr
[2008/07/08 15:21:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Gaijin Ent
[2007/04/02 19:32:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Google
[2007/03/17 11:23:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Norman\Application Data\GTek
[2004/07/02 13:30:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Help
[2003/02/06 21:08:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Identities
[2003/02/06 21:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\InterTrust
[2004/10/22 21:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Kontiki
[2008/04/04 11:31:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Lavasoft
[2008/07/02 21:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Ludia
[2004/12/23 19:06:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Macromedia
[2009/05/07 16:53:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Malwarebytes
[2009/01/14 20:42:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Norman\Application Data\Microsoft
[2006/07/03 19:59:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Motive
[2009/04/19 14:43:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Move Networks
[2007/02/04 02:22:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\MSN6
[2008/07/08 16:14:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\PlayFirst
[2006/06/02 16:32:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Real
[2004/10/27 20:43:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Sun
[2003/02/06 22:37:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Symantec
[2004/07/02 10:58:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Template
[2009/05/07 17:08:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\U3
[2008/04/04 11:27:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Uniblue
[2007/01/17 17:45:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Viewpoint
[2008/07/08 12:41:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\ViquaSoft
[2009/05/05 00:38:51 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2007/12/28 14:22:38 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2003/03/31 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/09 20:47:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2008/04/04 11:30:08 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpyEraser.job

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:444C53BA
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D644D3DF
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADE16379
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38849DE5
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5466F106
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8DD623B3
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF2EA4BB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F636E25
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA8B212D
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90E3641D
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F58D818
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8A7F3FF
< End of report >
  • 0

#6 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\docume~1\Norman\LOCALS~1\Temp\adxapie.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0f779d9-ece3-11dd-a364-0040ca761a72}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d155ae60-3864-11db-9b4d-00038a000015}]

Driver::
adxapie

DirLook::
c:\windows\system32\796525


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted image not available: the screenshot showed CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also, I did not quite get all I expected from the OTListIt log; I think perhaps some of the ticking was not all done:

We will run OTListIt, but go for a shortened log.
  • Close all windows and open it by double clicking on the icon
  • We are targeting a selective output, hence:
    • on the left hand side, in the box titled "Processes" select none
    • on the left hand side, in the box titled "Drivers" select none
    • on the left hand side, in the box titled "Extra Registry" select none
    • on the right hand side, in the box titled "Files created within" select none
    • on the right hand side, in the box titled "Files modified within" select none
    • tick both the boxes marked Purity check and Lop check
  • Click Run Scan and let the program run uninterrupted
  • It will produce one log for you called OTListIt.txt. Please post that log here in reply.
  • You may need to use two posts to get it all on the forum
andrewuk
  • 0
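The CFScript above deletes a driver that was loaded from the user's Temp directory, clears a Run value, and removes MountPoints2 keys left behind by removable drives; the ComboFix log posted later in the thread also shows an IE ProxyServer set to localhost:7171, a setting that routes the browser's HTTP traffic through a process listening on the local machine, and the OTListIt log shows alternate data streams attached to an Application Data\TEMP folder. The following Python script is an added example, not part of this thread and not code from ComboFix or OTListIt: it scans ComboFix- and OTListIt-style log text for exactly those indicator classes. The sample log it runs on is constructed for the example, and the names exampledrv, EXAMPLE_RUN, example.exe and user are placeholders, not real indicators.

```python
"""Triage of ComboFix / OTListIt-style log text for the indicator classes
seen in this thread.  Added example; not part of the thread or of either tool.

Indicator classes flagged:
  * driver/service whose binary lives under a Temp directory
  * Run-key value whose target lives under a Temp directory
  * IE ProxyServer pointing at the local host (a redirecting local proxy)
  * Explorer MountPoints2 keys (mount history for removable drives)
  * alternate data streams (ADS) attached to a file or folder
"""
import re
from collections import Counter
from dataclasses import dataclass

# Temp locations in 8.3 and long form, as ComboFix and OTL print them.
TEMP_PATH = re.compile(r"(?i)\\(?:locals~1\\temp|local settings\\temp|windows\\temp|temp)\\")
# ComboFix: 'uInternet Settings,ProxyServer = http=localhost:7171'
# OTL:      'IE - HKCU\...\Internet Settings: "ProxyServer" = http=127.0.0.1:7171'
LOCAL_PROXY = re.compile(r'(?i)proxyserver"?\s*=\s*"?(?:\w+=)?(?:localhost|127\.0\.0\.1)(?::\d+)?')
MOUNTPOINTS = re.compile(r"(?i)\\explorer\\mountpoints2\\")
ADS_LINE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([0-9A-Fa-f]+)$")
# ComboFix driver/service line: 'R1 name;display name;c:\path\file.sys [date size]'
DRIVER_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[.*\])?$")
# Value line inside a REGEDIT4 block: '"name"="target" [date size]'
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Scan log text line by line and return the suspicious entries found."""
    findings: list[Finding] = []
    in_run_key = False
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            in_run_key = False  # a blank line ends a REGEDIT4 key block
            continue
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            if MOUNTPOINTS.search(line):
                findings.append(Finding("mountpoints2", n, line))
            continue
        if in_run_key:
            m = RUN_VALUE.match(line)
            if m and TEMP_PATH.search(m.group(2)):
                findings.append(Finding("run-from-temp", n, f"{m.group(1)} -> {m.group(2)}"))
            continue
        if LOCAL_PROXY.search(line):
            findings.append(Finding("local-proxy", n, line))
            continue
        m = ADS_LINE.match(line)
        if m:
            findings.append(Finding("ads", n, f"{m.group(2)}:{m.group(3)} ({m.group(1)} bytes)"))
            continue
        m = DRIVER_LINE.match(line)
        if m and TEMP_PATH.search(m.group(4)):
            findings.append(Finding("driver-from-temp", n, f"{m.group(2)} -> {m.group(4)}"))
    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Count findings per indicator class."""
    return dict(Counter(f.kind for f in triage(log_text)))


# Constructed sample modelled on the entry shapes in this thread.  The names
# 'exampledrv', 'EXAMPLE_RUN', 'example.exe' and 'user' are placeholders.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EXAMPLE_RUN"="c:\docume~1\user\locals~1\temp\example.exe" [2009-05-05 1234]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

R1 exampledrv;exampledrv;c:\docume~1\user\locals~1\temp\exampledrv.sys [2009-05-05 1:00 AM 40960]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/05/2009 12:10 AM 67904]
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:444C53BA
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:3d}  {f.kind:17s} {f.detail}")
```

Running it on the constructed sample reports five findings, one per indicator class. The Run-key check deliberately applies only inside a REGEDIT4 Run block, so a Temp path mentioned elsewhere in a log (a quarantine listing, for instance) is not reported as an autostart; a localhost proxy is reported regardless of port, since the port number is the least stable part of that indicator.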

#7 gtaco94 (Topic Starter, New Member, 8 posts)
Wow, right after running ComboFix for the first time, the Internet's working again and no Google virus for now.

Here's the second combofix log you requested.
ComboFix 09-05-08.03 - Norman 09/05/2009 21:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.447.272 [GMT -5:00]
Running from: c:\documents and settings\Norman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Norman\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)

FILE ::
c:\docume~1\Norman\LOCALS~1\Temp\adxapie.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADXAPIE
-------\Service_adxapie


((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 01:34 . 2009-05-10 01:35 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-10 00:24 . 2009-05-10 00:26 -------- d-----w C:\Rooter$
2009-05-07 23:34 . 2009-05-07 23:34 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-07 22:10 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-07 22:10 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 22:10 . 2009-05-07 22:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 22:10 . 2009-05-07 22:10 -------- d-----w c:\program files\ERUNT
2009-05-07 21:53 . 2009-05-07 21:53 -------- d-----w c:\documents and settings\Norman\Application Data\Malwarebytes
2009-05-07 21:52 . 2009-05-07 21:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 05:10 . 2008-09-29 13:07 64432 ----a-w c:\windows\system32\drivers\mferkdet.sys
2009-05-06 05:10 . 2008-09-29 13:07 42424 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-06 05:10 . 2008-09-29 13:07 74648 ----a-w c:\windows\system32\drivers\mfeapfk.sys
2009-05-06 05:10 . 2008-09-29 13:07 90360 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-06 05:10 . 2008-09-29 13:07 62704 ----a-w c:\windows\system32\drivers\mfetdik.sys
2009-05-06 05:10 . 2008-09-29 13:07 340592 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-05-06 05:10 . 2008-09-29 13:07 67904 ----a-w c:\windows\system32\mfevtps.exe
2009-05-06 05:07 . 2009-05-06 05:07 -------- d-----w c:\program files\Common Files\McAfee
2009-05-06 03:09 . 2008-04-14 00:12 23552 -c--a-w c:\windows\system32\dllcache\wdmaud.drv
2009-05-06 03:09 . 2008-04-14 00:12 23552 ----a-w c:\windows\system32\wdmaud.drv
2009-05-06 03:05 . 2003-10-06 21:16 131072 ----a-r c:\windows\system32\nvwrszht.dll
2009-05-06 03:05 . 2003-10-06 21:16 200704 ----a-r c:\windows\system32\nvrszht.dll
2009-05-06 03:05 . 2003-10-06 21:16 126976 ----a-r c:\windows\system32\nvwrszhc.dll
2009-05-06 03:05 . 2003-10-06 21:16 200704 ----a-r c:\windows\system32\nvrszhc.dll
2009-05-06 03:05 . 2003-10-06 21:16 233472 ----a-r c:\windows\system32\nvwrstr.dll
2009-05-06 03:05 . 2003-10-06 21:16 262144 ----a-r c:\windows\system32\nvrstr.dll
2009-05-06 03:05 . 2003-10-06 21:16 225280 ----a-r c:\windows\system32\nvwrssv.dll
2009-05-06 03:05 . 2003-10-06 21:16 258048 ----a-r c:\windows\system32\nvrssv.dll
2009-05-06 03:03 . 2003-10-06 21:16 131072 ----a-r c:\windows\system32\nvinstnt.dll
2009-05-05 05:34 . 2009-05-07 23:18 -------- d-----w c:\program files\Lavasoft
2009-05-05 05:34 . 2009-05-07 23:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-05 05:13 . 2009-05-07 00:55 -------- d-----w c:\windows\system32\796525
2009-05-05 02:03 . 2009-05-07 21:56 -------- d-----w C:\QUARANTINE
2009-04-19 21:06 . 2009-04-19 21:06 -------- d-----w c:\program files\Common Files\Cisco Systems
2009-04-19 21:06 . 2009-05-06 05:09 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-19 21:06 . 2009-05-06 05:07 -------- d-----w c:\program files\McAfee
2009-04-19 20:08 . 2009-04-19 20:08 -------- d-----w c:\windows\system32\scripting
2009-04-19 20:08 . 2009-04-19 20:08 -------- d-----w c:\windows\l2schemas
2009-04-19 20:08 . 2009-04-19 20:08 -------- d-----w c:\windows\system32\en
2009-04-16 03:23 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 03:23 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 03:23 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 03:23 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 03:23 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 03:22 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 03:22 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 03:22 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 03:22 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 03:22 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 03:22 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-16 03:22 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-16 03:22 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-16 03:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 03:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 23:20 . 2004-12-09 21:23 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-02 22:31 . 2004-06-30 18:56 -------- d-----w c:\program files\Lx_cats
2009-04-19 20:11 . 2003-02-07 02:06 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-19 19:48 . 2003-02-07 03:37 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-19 19:44 . 2003-02-07 03:37 -------- d-----w c:\program files\Symantec
2009-04-19 19:42 . 2003-02-07 03:40 -------- d-----w c:\program files\BigFix
2009-04-19 19:41 . 2008-11-19 01:35 -------- d-----w c:\program files\ATT
2009-04-19 19:33 . 2003-02-07 02:43 -------- d-----w c:\program files\aim
2009-03-06 14:22 . 2003-02-07 00:47 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 23:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-10-06 22:04 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2003-02-07 00:47 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-07-02 00:17 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-02-07 00:47 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-02-07 00:47 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-02-07 00:48 1846784 ----a-w c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\796525 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-29 1424648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-11-20 139264]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-02-23 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-03 185896]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2003-06-03 496640]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2003-09-03 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\EA SPORTS\\NHL 2005\\nhl2005.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3658:UDP"= 3658:UDP:Peer-to-peer gameplay
"6000:UDP"= 6000:UDP:Voice Over IP
"30300:TCP"= 30300:TCP:Lobby
"13505:TCP"= 13505:TCP:EA Messenger
"9555:UDP"= 9555:UDP:EA Sports Ticker

R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [29/12/2005 12:54 AM 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [29/12/2005 12:54 AM 17216]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [29/09/2008 8:07 AM 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/05/2009 12:10 AM 67904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [23/12/2007 4:00 PM 24652]
S3 L2XPSR;L2XPSR;\??\e:\release\L2XPSR.SYS --> e:\release\L2XPSR.SYS [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/05/2009 12:10 AM 64432]
S3 NTSTPL2;NTSTPL2;\??\e:\release\NTSTPL2.SYS --> e:\release\NTSTPL2.SYS [?]
S3 TAPBIND;TAPBIND;\??\e:\release\TAPBIND1.SYS --> e:\release\TAPBIND1.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2007-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2008-04-04 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-04 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://gamerival.oberon-media.com/gameshell/games/channel--110371637/lc--en/room--6328f04d-15cd-4a0a-bb7b-851c80c72e0f/online/cooking_dash/en/cookingdashweb.1.0.0.9.cab
DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} - hxxp://gamerival.oberon-media.com/gameshell/games/channel--110371637/lc--en/room--af0660ae-aad9-4f83-bf71-6c687db7f328/online/parking_dash/en/parkingdash.1.0.0.15.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-613716896-3593522462-463401915-1005\Software\America Online\ieToolbar\ersion\CustomSearch\*]
"Url"=""
"Post"=""
"Index"=dword:00000000
"Installed"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2424)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-05-10 21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-10 02:49
ComboFix2.txt 2009-05-10 01:47

Pre-Run: 96,795,262,976 bytes free
Post-Run: 96,785,387,520 bytes free

220 --- E O F --- 2009-04-29 19:12

Here's the OTL log...

I hope I did it right... the only things on "run on safelist" I had were Standard registry and services; the others were none, and everything else is ticked.

OTListIt logfile created on: 9/05/2009 9:53:33 PM - Run 4
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\Norman\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

447.48 Mb Total Physical Memory | 100.29 Mb Available Physical Memory | 22.41% Memory free
1.03 Gb Paging File | 0.76 Gb Available in Paging File | 73.51% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 90.15 Gb Free Space | 60.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 3.81 Gb Total Space | 3.17 Gb Free Space | 83.32% Space Free | Partition Type: FAT32

Computer Name: DAD
Current User Name: Norman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (lxbt_device [On_Demand | Stopped]) -- C:\WINDOWS\System32\lxbtcoms.exe (Lexmark International, Inc.)
SRV - (McAfeeEngineService [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (McAfeeFramework [Auto | Running]) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (McShield [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (mfevtp [Unknown | Running]) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - Reg Error: Key error. File not found
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_Url = http://www.microsoft...p...&ar=msnhome
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.c...ferrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/04/03 10:31:58 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [CHotkey] zHotkey.exe (Chicony)
O4 - HKLM..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16 (Lexmark International, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (McAfee, Inc.)
O4 - HKLM..\Run: [nForce Tray Options] sstray.exe /r (NVIDIA Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (Uniblue Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://gamerival.obe...web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://activation.a...aller_2-0-0.cab (Reg Error: Value error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/...all-131-win.cab (Java Plug-in 1.3.1)
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/...-131_02-win.cab (Java Plug-in 1.3.1_02)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_05)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} http://gamerival.obe...ronGameHost.cab (Oberon Flash Game Host)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} http://gamerival.obe...sh.1.0.0.47.cab (CPlayFirstWeddingDashControl Object)
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} http://gamerival.obe...sh.1.0.0.15.cab (CPlayFirstParkingDasControl Object)
O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/02/06 21:07:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/12/11 15:03:59 | 00,000,277 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== LOP Check ==========

[2009/05/07 18:20:35 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/08/09 19:19:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/07/12 12:34:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/11/18 18:25:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2007/06/06 13:16:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2007/12/28 14:21:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2007/12/28 14:25:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2003/02/06 22:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2004/06/30 13:59:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FaxCtr
[2008/07/05 13:10:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreshGames
[2007/03/17 11:23:17 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2006/04/25 19:57:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2009/05/07 18:18:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/06/25 12:45:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia
[2009/05/07 16:52:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/06 00:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/05/07 18:14:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2006/06/30 17:01:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2006/06/30 17:20:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
[2004/07/01 22:52:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2004/07/02 11:03:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NFS Underground
[2004/06/29 17:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2008/07/07 14:25:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Games
[2008/04/19 14:42:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2008/07/08 16:14:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2003/02/06 22:35:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2008/07/08 21:46:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/05/07 18:13:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/19 14:44:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2008/07/08 22:17:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/30 19:19:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2008/04/04 11:27:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uniblue
[2008/07/12 12:34:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/06 15:30:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VirtualFarm
[2006/05/09 14:32:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/04/03 10:36:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/05/07 16:53:31 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Norman\Application Data
[2004/12/23 18:56:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\.BitTornado
[2007/06/06 13:17:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\acccore
[2008/01/14 14:30:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Adobe
[2008/08/09 19:10:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\AdobeUM
[2008/02/02 21:53:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Aim
[2008/10/13 23:02:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Apple Computer
[2003/02/06 23:10:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\CyberLink
[2009/03/27 01:49:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\FaxCtr
[2008/07/08 15:21:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Gaijin Ent
[2007/04/02 19:32:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Google
[2007/03/17 11:23:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Norman\Application Data\GTek
[2004/07/02 13:30:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Help
[2003/02/06 21:08:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Identities
[2003/02/06 21:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\InterTrust
[2004/10/22 21:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Kontiki
[2008/04/04 11:31:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Lavasoft
[2008/07/02 21:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Ludia
[2004/12/23 19:06:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Macromedia
[2009/05/07 16:53:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Malwarebytes
[2009/01/14 20:42:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Norman\Application Data\Microsoft
[2006/07/03 19:59:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Motive
[2009/04/19 14:43:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Move Networks
[2007/02/04 02:22:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\MSN6
[2008/07/08 16:14:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\PlayFirst
[2006/06/02 16:32:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Real
[2004/10/27 20:43:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Sun
[2003/02/06 22:37:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Symantec
[2004/07/02 10:58:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Template
[2009/05/09 20:52:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\U3
[2008/04/04 11:27:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Uniblue
[2007/01/17 17:45:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Viewpoint
[2008/07/08 12:41:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\ViquaSoft
[2009/05/05 00:38:51 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2007/12/28 14:22:38 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2003/03/31 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/09 21:38:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2008/04/04 11:30:08 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpyEraser.job

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:444C53BA
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D644D3DF
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADE16379
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38849DE5
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5466F106
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8DD623B3
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF2EA4BB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F636E25
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA8B212D
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90E3641D
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F58D818
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8A7F3FF
< End of report >

#8
andrewuk
    Trusted Helper, Malware Removal, 5,297 posts
Looking better.

In this post we will remove some items, do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

The scans will likely take 4 hours, quite possibly much longer, so just let them run.

We will also update your Java.


====STEP 1====
Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=-
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{195B4BBF-E1E4-4020-9773-0A8C6F65EA35}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F135A813-7152-4532-AC8D-28AC2136DFC7}]
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log
====STEP 2====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 3====
We will update and re-run your Malwarebytes:

Double-click the Malwarebytes icon on your desktop to open the program
  • on the tabs at the top, select Update and then press the Check for Updates button on that page. If an update is found, it will download and install the latest version.
  • once complete (a new version of malwarebytes may download) select the tab Scanner
  • select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



====STEP 4====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 5====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), no need to post the log in reply.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
====STEP 6====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")
In your next reply could I see:
1. the OTListIT log
2. the malwarebytes log
3. the superantispyware log
4. the kaspersky log
5. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
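Added example, not part of this thread and not OTL's own code: the `:Reg` section of the fix above deletes the `Code Store Database\Distribution Units` key for each outdated Java plug-in and each dead registration listed among the O16 lines of the log. The Python below reproduces that triage mechanically over O16 lines copied from the log posted earlier (URLs abbreviated exactly as OTL printed them). Two things are assumptions of this example rather than facts from the page: the "outdated" threshold is JRE 6 Update 13, the version the Java step asks for, and the decoding of `{CAFEEFAC-…}` CLSIDs follows Sun's static-versioning scheme (`CAFEEFAC-00MN-00mm-00uu` is Java M.N.mm_uu). The two game ActiveX controls the helper also removed were a judgment call and are not derived by any rule here.

```python
"""Triage of OTListIt2 'O16 - DPF' (ActiveX Distribution Unit) lines.

Added example, not OTL's code. Flags Java plug-ins older than a threshold and
entries OTL reported as 'Reg Error', then emits the OTL ':Reg' lines that
delete their Distribution Unit keys. Threshold (assumption): JRE 6 Update 13.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# Sample input: O16 lines copied from the OTL log posted earlier in this thread.
SAMPLE_O16 = """\
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/...all-131-win.cab (Java Plug-in 1.3.1)
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/...-131_02-win.cab (Java Plug-in 1.3.1_02)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_05)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
"""

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}) (\S+) \((.*)\)\s*$")
JAVA_DESC_RE = re.compile(r"Java Plug-in (\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
# Sun static-versioning CLSID: {CAFEEFAC-00MN-00mm-00uu-ABCDEFFEDCBA} = Java M.N.mm_uu
SUN_STATIC_RE = re.compile(r"^\{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA\}$", re.I)

DIST_UNITS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units"
MIN_JAVA: Version = (1, 6, 0, 13)  # assumption: JRE 6 Update 13, per the Java step above


class Entry(NamedTuple):
    clsid: str
    url: str
    desc: str
    version: Optional[Version]
    reason: Optional[str]  # None means: leave this entry alone


def decode_sun_clsid(clsid: str) -> Optional[Version]:
    """Version encoded in a CAFEEFAC-... CLSID, or None for any other CLSID."""
    m = SUN_STATIC_RE.match(clsid)
    if not m:
        return None
    major_field, minor, update = m.groups()
    return (int(major_field[2]), int(major_field[3]), int(minor), int(update))


def java_version(clsid: str, desc: str) -> Optional[Version]:
    """Prefer the version OTL printed in the description; else decode the CLSID."""
    m = JAVA_DESC_RE.search(desc)
    if m:
        return tuple(int(g) for g in m.groups(default="0"))  # type: ignore[return-value]
    return decode_sun_clsid(clsid)


def classify(clsid: str, desc: str, min_java: Version = MIN_JAVA) -> Tuple[Optional[Version], Optional[str]]:
    """Return (java version or None, reason to remove or None)."""
    if desc.startswith("Reg Error"):
        return None, "dead registration (OTL reported a Reg Error)"
    ver = java_version(clsid, desc)
    if ver is None:
        return None, None  # not a Java plug-in; no rule applies
    from_clsid = decode_sun_clsid(clsid)
    if from_clsid is not None and from_clsid != ver:
        return ver, "CLSID/version mismatch, inspect by hand"
    if ver < min_java:
        return ver, "Java plug-in older than %d.%d.%d_%02d" % min_java
    return ver, None


def parse_o16(text: str, min_java: Version = MIN_JAVA) -> List[Entry]:
    """Parse every well-formed O16 line; lines without a CLSID are skipped."""
    entries = []
    for line in text.splitlines():
        m = O16_RE.match(line)
        if not m:
            continue
        clsid, url, desc = m.groups()
        ver, reason = classify(clsid, desc, min_java)
        entries.append(Entry(clsid, url, desc, ver, reason))
    return entries


def fix_lines(entries: List[Entry]) -> List[str]:
    """OTL ':Reg' syntax: '[-KEY]' deletes the key and everything under it."""
    return [f"[-{DIST_UNITS}\\{e.clsid}]" for e in entries if e.reason]


if __name__ == "__main__":
    found = parse_o16(SAMPLE_O16)
    for e in found:
        print(f"{e.clsid}  {e.desc:<28}  {e.reason or 'keep'}")
    print("\n:Reg")
    print("\n".join(fix_lines(found)))
```

Run against the sample, it flags seven entries (the six Java plug-ins at 1.3.1 through 1.5.0_02, plus the `ultrashim.cab` Reg Error) and leaves the Flash control alone, which is the same set of Distribution Unit deletions the fix above contains apart from the two game controls. The CLSID cross-check exists because a malicious control can register under any description it likes; a CAFEEFAC CLSID whose encoded version disagrees with its description deserves a manual look rather than a blind delete.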

#9
gtaco94
    New Member, Topic Starter, 8 posts
OTL:
========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{195B4BBF-E1E4-4020-9773-0A8C6F65EA35}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{195B4BBF-E1E4-4020-9773-0A8C6F65EA35}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F135A813-7152-4532-AC8D-28AC2136DFC7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F135A813-7152-4532-AC8D-28AC2136DFC7}\ deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
File delete failed. C:\Documents and Settings\Norman\Local Settings\Temp\McAfeeLogs\UpdaterUI_DAD.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Norman\Local Settings\Temp\McAfeeLogs\UpdaterUI_DAD_error.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Norman\Local Settings\Temp\~DF12D8.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Norman\Local Settings\Temp\~DF131E.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Norman\Local Settings\Temp\~DF1CDF.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Norman\Local Settings\Temp\~DF1CEF.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\WFV1.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.5 log created on 05092009_224837

Files moved on Reboot...
C:\Documents and Settings\Norman\Local Settings\Temp\McAfeeLogs\UpdaterUI_DAD.log moved successfully.
C:\Documents and Settings\Norman\Local Settings\Temp\McAfeeLogs\UpdaterUI_DAD_error.log moved successfully.
File C:\Documents and Settings\Norman\Local Settings\Temp\~DF12D8.tmp not found!
File C:\Documents and Settings\Norman\Local Settings\Temp\~DF131E.tmp not found!
File C:\Documents and Settings\Norman\Local Settings\Temp\~DF1CDF.tmp not found!
File C:\Documents and Settings\Norman\Local Settings\Temp\~DF1CEF.tmp not found!
File C:\WINDOWS\temp\WFV1.tmp not found!

Registry entries deleted on Reboot...

MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 2102
Windows 5.1.2600 Service Pack 3

10/05/2009 12:32:31 AM
mbam-log-2009-05-10 (00-32-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203042
Time elapsed: 1 hour(s), 27 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.

SuperAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/10/2009 at 03:12 AM

Application Version : 4.26.1002

Core Rules Database Version : 3885
Trace Rules Database Version: 1833

Scan type : Complete Scan
Total Scan Time : 02:10:17

Memory items scanned : 490
Memory threats detected : 0
Registry items scanned : 5976
Registry threats detected : 0
File items scanned : 111810
File threats detected : 15

Adware.Tracking Cookie
C:\Documents and Settings\Norman\Cookies\norman@statcounter[1].txt
C:\Documents and Settings\Norman\Cookies\norman@specificclick[1].txt
C:\Documents and Settings\Norman\Cookies\norman@zedo[2].txt
C:\Documents and Settings\Norman\Cookies\norman@interclick[1].txt
C:\Documents and Settings\Norman\Cookies\[email protected][2].txt
C:\Documents and Settings\Norman\Cookies\norman@revsci[1].txt
C:\Documents and Settings\Norman\Cookies\norman@imrworldwide[2].txt
C:\Documents and Settings\Norman\Cookies\norman@questionmarket[1].txt
C:\Documents and Settings\Norman\Cookies\norman@dmtracker[1].txt
C:\Documents and Settings\Norman\Cookies\norman@trafficmp[1].txt
C:\Documents and Settings\Norman\Cookies\norman@fastclick[1].txt
C:\Documents and Settings\Norman\Cookies\norman@realmedia[2].txt
C:\Documents and Settings\Norman\Cookies\norman@tribalfusion[1].txt
C:\Documents and Settings\Norman\Cookies\[email protected][1].txt
C:\Documents and Settings\Norman\Cookies\[email protected][1].txt

Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 11, 2009 01:20:02
Records in database: 2156866
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 115235
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:55:04

No malware has been detected. The scan area is clean.

The selected area was scanned.

Well, one noticeable difference is that I can go online; the loading time and my computer in general are slow though... a lot of times things don't respond. I don't know whether it's got to do with anything virus-y or just my computer. I hardly use this computer so I wouldn't know how it runs regularly.

#10
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
The Malwarebytes scan only found remnants; the SUPERAntiSpyware scan and Kaspersky scan were clean.

Let's do some final scans to see if there is any malware left:

====STEP 1====
Could you run Rooter.exe again and post the log here in reply?

====STEP 2====
We will run OTListIt again, but go for fuller logs.

  • Close all windows and open it by double-clicking on the icon
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check
  • Under "Extra Registry" check the box "Use Safelist"
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum
andrewuk

#11
gtaco94

    New Member

  • Topic Starter
  • Member
  • 8 posts
Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:152625 Mo/Free:1772 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)

Mon 11/05/2009|20:48

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\zHotkey.exe
---------- C:\Program Files\Multimedia Card Reader\shwicon2k.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\Program Files\McAfee\Common Framework\udaterui.exe
---------- C:\WINDOWS\system32\sstray.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
---------- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
---------- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
---------- C:\Program Files\AIM6\aim6.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
---------- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
---------- C:\WINDOWS\system32\mfevtps.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\HPZipm12.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Viewpoint\Common\ViewpointService.exe
---------- C:\Program Files\McAfee\Common Framework\McTray.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
---------- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
---------- C:\Program Files\AIM6\aolsoftware.exe
---------- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\Program Files\Windows Live\Messenger\usnsvc.exe
---------- C:\Program Files\Internet Explorer\IEXPLORE.EXE
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..

C:\DOCUME~1\Norman\My Documents\download\skippy94179\Dead_AIM_v4.5\Dead Aim 4.5+crack fix\DeadAIM.exe
C:\DOCUME~1\Norman\My Documents\download\skippy94179\Dead_AIM_v4.5\Dead Aim 4.5+crack fix\ReadMe.txt


1 - "C:\Rooter$\Rooter_1.txt" - Sat 09/05/2009|19:26
2 - "C:\Rooter$\Rooter_2.txt" - Mon 11/05/2009|20:49

----------------------\\ Scan completed at 20:49

OTL:
OTListIt logfile created on: 11/05/2009 8:54:41 PM - Run 5
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\Norman\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

447.48 Mb Total Physical Memory | 157.76 Mb Available Physical Memory | 35.26% Memory free
1.03 Gb Paging File | 0.60 Gb Available in Paging File | 58.51% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 89.72 Gb Free Space | 60.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAD
Current User Name: Norman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\zHotkey.exe (Chicony)
PRC - C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\sstray.exe (NVIDIA Corporation)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe (Uniblue Software)
PRC - C:\Program Files\AIM6\aim6.exe (AOL LLC)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program Files\AIM6\aolsoftware.exe (AOL LLC)
PRC - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
PRC - C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Norman\Desktop\OTListIt2.exe (OldTimer Tools)
PRC - C:\WINDOWS\system32\dwwin.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Disabled | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [Disabled | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Disabled | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (lxbt_device [On_Demand | Stopped]) -- C:\WINDOWS\System32\lxbtcoms.exe (Lexmark International, Inc.)
SRV - (McAfeeEngineService [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (McAfeeFramework [Auto | Running]) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (McShield [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (mfevtp [Unknown | Running]) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Auto | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (usnjsvc [On_Demand | Running]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ENETHUSB [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\enethusb.sys (Efficient Networks, Inc.)
DRV - (enodpl [Auto | Running]) -- C:\WINDOWS\System32\drivers\enodpl.sys ()
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (GoProto [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mfeapfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [Boot | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdet [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik [System | Running]) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (MREMPR5 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)
DRV - (MRENDIS5 [On_Demand | Stopped]) -- c:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (nvax [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (NVENET [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\NVENET.sys (NVIDIA Corporation)
DRV - (nvnforce [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nv_agp [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (ppmoucls [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ppmoucls.sys (Windows ® 2000 DDK provider)
DRV - (pptchpad [System | Running]) -- C:\WINDOWS\System32\DRIVERS\pptchpd5.sys ()
DRV - (prodrv06 [System | Running]) -- C:\WINDOWS\System32\drivers\prodrv06.sys (Protection Technology)
DRV - (prohlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\prohlp02.sys (Protection Technology)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Secdrv [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfhlp01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp01.sys (Protection Technology)
DRV - (SunkFilt [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\sunkfilt.sys (Alcor Micro Corp.)
DRV - (tandpl [Auto | Running]) -- C:\WINDOWS\System32\drivers\tandpl.sys ()
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - Reg Error: Key error. File not found
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_Url = http://www.microsoft...p...&ar=msnhome
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.c...ferrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008/04/03 10:31:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/10 15:01:19 | 00,000,000 | ---D | M]


O1 HOSTS File: (56 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [CHotkey] zHotkey.exe (Chicony)
O4 - HKLM..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16 (Lexmark International, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (McAfee, Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto (Microsoft Corporation)
O4 - HKLM..\Run: [nForce Tray Options] sstray.exe /r (NVIDIA Corporation)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (McAfee, Inc.)
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m (Uniblue Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://activation.a...aller_2-0-0.cab (Reg Error: Value error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} http://gamerival.obe...ronGameHost.cab (Oberon Flash Game Host)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} http://gamerival.obe...sh.1.0.0.47.cab (CPlayFirstWeddingDashControl Object)
O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/02/06 21:07:54 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\*.tmp files]
[5 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/10 00:49:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/05/10 00:49:23 | 00,000,780 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/10 00:49:18 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/05/10 00:49:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Norman\Application Data\SUPERAntiSpyware.com
[2009/05/10 00:48:50 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/05/09 22:48:37 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/09 21:36:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/05/09 20:51:32 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/05/09 20:38:25 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/05/09 20:38:15 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/09 20:38:05 | 00,000,000 | ---D | C] -- C:\cmdcons
[2009/05/09 20:36:12 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/09 20:36:12 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/09 20:36:12 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/09 20:36:12 | 00,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/09 20:36:12 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/09 20:36:12 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/09 20:36:12 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/09 20:36:12 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/05/09 20:35:23 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/05/09 20:34:58 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW.0.tmp
[2009/05/09 19:24:57 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/09 19:14:46 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\Norman\Desktop\OTListIt2.exe
[2009/05/09 19:14:24 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\Norman\Desktop\Rooter.exe
[2009/05/07 18:54:18 | 46,929,1008 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/07 17:10:52 | 00,000,696 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/07 17:10:51 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/07 17:10:49 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/07 17:10:46 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/07 17:10:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/07 16:53:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Norman\Application Data\Malwarebytes
[2009/05/07 16:52:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/06 00:10:07 | 00,064,432 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2009/05/06 00:10:07 | 00,042,424 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/05/06 00:10:06 | 00,074,648 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2009/05/06 00:10:05 | 00,090,360 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/05/06 00:10:05 | 00,062,704 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdik.sys
[2009/05/06 00:10:04 | 00,340,592 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/05/06 00:10:03 | 00,067,904 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
[2009/05/06 00:07:41 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/05/05 22:10:13 | 00,000,385 | ---- | C] () -- C:\WINDOWS\System32\NVU001.nvu
[2009/05/05 22:09:00 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdmaud.drv
[2009/05/05 22:09:00 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wdmaud.drv
[2009/05/05 22:04:44 | 00,225,280 | R--- | C] () -- C:\WINDOWS\System32\nvwrsda.dll
[2009/05/05 00:38:50 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/05 00:34:36 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/05/05 00:34:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/05/04 21:03:35 | 00,000,000 | ---D | C] -- C:\QUARANTINE
[2009/05/04 11:55:41 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Norman\Desktop\New Folder
[2009/04/19 23:53:31 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Norman\My Documents\AIS
[2009/04/19 16:06:39 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems
[2009/04/19 16:06:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/04/19 16:06:11 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/04/19 16:00:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/04/19 15:08:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/04/19 15:08:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/04/19 15:08:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/04/19 14:38:52 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Norman\Desktop\CS Saved PFC
[2009/04/15 22:23:05 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 22:23:05 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009/04/15 22:23:02 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 22:23:01 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 22:23:00 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 22:22:59 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 22:22:59 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 22:22:58 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 22:22:58 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 22:22:57 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 22:22:54 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009/04/15 22:22:51 | 02,189,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2009/04/15 22:22:44 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009/04/15 22:20:11 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 22:20:10 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2008/08/18 19:21:22 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/02/04 18:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/01/21 22:34:49 | 00,000,064 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2006/11/11 21:27:55 | 00,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/07/18 14:06:07 | 00,000,682 | ---- | C] () -- C:\WINDOWS\TTutor7.ini
[2006/06/30 17:19:54 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2006/04/29 11:33:27 | 00,000,060 | ---- | C] () -- C:\WINDOWS\PPHIDPAD.INI
[2006/02/05 15:41:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/29 00:54:16 | 00,017,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\PPTCHPD5.SYS
[2005/12/29 00:54:15 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\PPADAPI.DLL
[2005/11/13 21:35:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2005/05/10 19:54:08 | 00,001,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2005/05/02 12:22:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/12/09 18:17:06 | 00,000,034 | ---- | C] () -- C:\WINDOWS\System32\rnplf12.dll
[2004/07/27 15:09:21 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/07/21 17:30:33 | 00,001,029 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/07/19 23:07:48 | 00,000,120 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/07/09 11:53:39 | 00,007,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\enodpl.sys
[2004/07/09 11:53:39 | 00,004,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\tandpl.sys
[2004/06/30 16:04:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\SDelete.dll
[2004/06/30 13:59:39 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2004/06/30 13:59:39 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2004/06/30 13:56:11 | 00,126,976 | R--- | C] () -- C:\WINDOWS\System32\lxbtsnls.dll
[2004/06/30 13:56:10 | 00,139,264 | R--- | C] () -- C:\WINDOWS\System32\lxbtcoin.dll
[2004/06/30 13:56:08 | 00,001,832 | R--- | C] () -- C:\WINDOWS\System32\lxbtprod.ini
[2004/06/29 23:50:30 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/05/10 17:04:54 | 00,192,512 | R--- | C] () -- C:\WINDOWS\System32\GCCollection.dll
[2004/03/07 14:51:00 | 00,024,924 | ---- | C] () -- C:\WINDOWS\System32\openports.dll
[2004/02/19 12:31:34 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\lxbthwdf.dll
[2003/06/23 11:06:02 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbtvs.dll
[2003/02/06 23:23:22 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/02/06 22:41:02 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/02/06 22:40:09 | 00,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2003/02/06 22:40:09 | 00,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2003/02/06 21:48:54 | 00,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2003/02/06 21:48:18 | 00,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2003/02/06 19:48:50 | 00,027,136 | R--- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/02/06 19:48:44 | 00,018,253 | R--- | C] () -- C:\WINDOWS\System32\ssnvfx.ini
[2003/02/06 19:48:37 | 00,001,094 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/02/06 19:48:37 | 00,000,466 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/02/06 19:48:07 | 00,000,880 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/02/06 19:48:02 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\*.tmp files]
[5 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/05/11 20:30:46 | 00,000,880 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/11 20:30:46 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/05/11 20:30:46 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/11 20:17:37 | 00,000,575 | ---- | M] () -- C:\DOCUME~1\Norman\My Documents\My Sharing Folders.lnk
[2009/05/11 20:15:47 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/11 20:12:51 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Norman\Local Settings\desktop.ini
[2009/05/11 20:12:51 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/11 20:12:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/11 20:12:47 | 46,929,1008 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/10 00:49:23 | 00,000,780 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/09 22:49:26 | 00,000,056 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2009/05/09 19:06:20 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\Norman\Desktop\OTListIt2.exe
[2009/05/09 19:06:12 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\Norman\Desktop\Rooter.exe
[2009/05/07 17:10:52 | 00,000,696 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/05 22:10:13 | 00,000,385 | ---- | M] () -- C:\WINDOWS\System32\NVU001.nvu
[2009/05/05 21:59:48 | 00,017,145 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/05/05 00:38:51 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/05/01 15:36:46 | 00,117,248 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/20 12:56:28 | 00,031,232 | ---- | M] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/20 00:26:57 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/19 16:02:56 | 00,384,904 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/19 16:02:56 | 00,054,396 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/19 16:02:55 | 00,445,630 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/19 16:00:31 | 00,282,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/19 15:02:45 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/04/19 14:38:52 | 00,000,004 | ---- | M] () -- C:\WINDOWS\msoffice.ini
[2009/04/19 14:15:48 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

========== LOP Check ==========

[2009/05/10 00:49:30 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/08/09 19:19:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/07/12 12:34:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/11/18 18:25:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2007/06/06 13:16:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2007/12/28 14:21:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2007/12/28 14:25:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2003/02/06 22:36:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2004/06/30 13:59:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FaxCtr
[2008/07/05 13:10:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreshGames
[2007/03/17 11:23:17 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2006/04/25 19:57:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2009/05/07 18:18:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/06/25 12:45:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia
[2009/05/07 16:52:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/06 00:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/05/07 18:14:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2006/06/30 17:01:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2006/06/30 17:20:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
[2004/07/01 22:52:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2004/07/02 11:03:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NFS Underground
[2004/06/29 17:56:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2008/07/07 14:25:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Games
[2008/04/19 14:42:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2008/07/08 16:14:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2003/02/06 22:35:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2008/07/08 21:46:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/05/07 18:13:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/05/10 00:49:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/04/19 14:44:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2008/07/08 22:17:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/10/30 19:19:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2008/04/04 11:27:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uniblue
[2008/07/12 12:34:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/06 15:30:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VirtualFarm
[2006/05/09 14:32:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/04/03 10:36:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/05/10 00:49:17 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Norman\Application Data
[2004/12/23 18:56:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\.BitTornado
[2007/06/06 13:17:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\acccore
[2008/01/14 14:30:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Adobe
[2008/08/09 19:10:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\AdobeUM
[2008/02/02 21:53:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Aim
[2008/10/13 23:02:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Apple Computer
[2003/02/06 23:10:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\CyberLink
[2009/03/27 01:49:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\FaxCtr
[2008/07/08 15:21:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Gaijin Ent
[2007/04/02 19:32:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Google
[2007/03/17 11:23:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Norman\Application Data\GTek
[2004/07/02 13:30:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Help
[2003/02/06 21:08:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Identities
[2003/02/06 21:41:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\InterTrust
[2004/10/22 21:45:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Kontiki
[2008/04/04 11:31:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Lavasoft
[2008/07/02 21:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Ludia
[2004/12/23 19:06:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Macromedia
[2009/05/07 16:53:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Malwarebytes
[2009/01/14 20:42:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Norman\Application Data\Microsoft
[2006/07/03 19:59:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Motive
[2009/04/19 14:43:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Move Networks
[2007/02/04 02:22:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\MSN6
[2008/07/08 16:14:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\PlayFirst
[2006/06/02 16:32:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Real
[2004/10/27 20:43:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Sun
[2009/05/10 00:49:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\SUPERAntiSpyware.com
[2003/02/06 22:37:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Symantec
[2004/07/02 10:58:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Template
[2009/05/09 20:52:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\U3
[2008/04/04 11:27:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Uniblue
[2007/01/17 17:45:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\Viewpoint
[2008/07/08 12:41:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Norman\Application Data\ViquaSoft
[2009/05/05 00:38:51 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2007/12/28 14:22:38 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2003/03/31 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/11 20:12:51 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2008/04/04 11:30:08 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\Uniblue SpyEraser.job

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 2628 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:444C53BA
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D644D3DF
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADE16379
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38849DE5
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5466F106
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8DD623B3
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF2EA4BB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F636E25
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA8B212D
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90E3641D
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F58D818
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8A7F3FF
< End of report >

Extras:
OTListIt Extras logfile created on: 11/05/2009 8:54:41 PM - Run 5
OTListIt2 by OldTimer - Version 2.0.15.5 Folder = C:\Documents and Settings\Norman\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

447.48 Mb Total Physical Memory | 157.76 Mb Available Physical Memory | 35.26% Memory free
1.03 Gb Paging File | 0.60 Gb Available in Paging File | 58.51% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 89.72 Gb Free Space | 60.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAD
Current User Name: Norman
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"3658:UDP" = 3658:UDP:*:Enabled:Peer-to-peer gameplay
"6000:UDP" = 6000:UDP:*:Enabled:Voice Over IP
"30300:TCP" = 30300:TCP:*:Enabled:Lobby
"13505:TCP" = 13505:TCP:*:Enabled:EA Messenger
"9555:UDP" = 9555:UDP:*:Enabled:EA Sports Ticker

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
C:\Program Files\Common Files\AOL\1124310099\ee\aolservicehost.exe:*:Enabled:AOL Services File not found
C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader (AOL LLC)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\aim\aim.exe:*:Enabled:AOL Instant Messenger File not found
C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger (Microsoft Corporation)
C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test (Microsoft Corporation)
C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui ()
C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui ()
C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer (RealNetworks, Inc.)
C:\Program Files\EA SPORTS\NHL 2005\nhl2005.exe:*:Enabled:nhl2005 ()
C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire ()
C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader (AOL LLC)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM (AOL LLC)
C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service (McAfee, Inc.)
C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{2C78229E-69AE-4BE4-8C31-99183EAF2E67}" = e-Sword
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{6262DC06-FC0A-4EF1-9876-AA92EDA3188C}" = IOI Multimedia Card Reader
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime
"{764C0C8F-B1B1-49BF-AEDC-4E48E857A667}" = Lexmark Fax Solutions
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{92B94569-6683-4617-8C54-EB27A1B51B30}" = GTAIII
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AC76BA86-7AD7-2448-0000-705000000001}" = Adobe Reader Chinese Traditional Fonts
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}" = iTunes
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D0DC1674-B5E8-4364-009E-B350048DD006}" = NHL 2005
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
"{D1F6BB2F-E9A4-4233-BA03-BB62E8AED82A}" = Star Wars Jedi Knight Jedi Academy Demo
"{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}" = Apple Mobile Device Support
"{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}" = Max Payne 2
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F7D53B02-2C51-4CF5-9A51-F7A6D658EA5A}" = PenPowerJR-6.0
"{F8D0829C-9C6F-11D3-8080-00C04FA329AA}" = Microsoft Works 6.0
"{FF262740-C85A-11D5-BBEC-00D0B740900A}" = Multimedia Keyboard Driver
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AIM Toolbar" = AIM Toolbar 5.0
"AIM_6" = AIM 6
"BroadJump Client Foundation" = BroadJump Client Foundation
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.5 (1010)
"EfntSSDSL" = Efficient Networks SpeedStream DSL
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{6262DC06-FC0A-4EF1-9876-AA92EDA3188C}" = IOI Multimedia Card Reader
"InstallShield_{764C0C8F-B1B1-49BF-AEDC-4E48E857A667}" = Lexmark Fax Solutions
"Lexmark 5200 Series" = Lexmark 5200 Series
"Lexmark Skin: PotatoSkin" = Lexmark Skin: PotatoSkin
"LucasArts' Grim Fandango" = LucasArts' Grim Fandango
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Driver" = NVIDIA Display Driver
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nForce Drivers" = NVIDIA nForce Drivers
"QuickBooks 99" = QuickBooks Pro 99
"RealPlayer 6.0" = RealPlayer
"SBC.MCCInstall" = AT&T Self Support Tool
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SYSTEMCARE_025B3ECB-F8A1-45ff-BABC-140E08C7D8C5_is1" = Uniblue PowerSuite
"Typing Tutor 7" = Typing Tutor 7
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/05/2009 7:11:20 PM | Computer Name = DAD | Source = Application Error | ID = 1000
Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

Error - 9/05/2009 8:38:11 PM | Computer Name = DAD | Source = Application Hang | ID = 1002
Description = Hanging application OTListIt2.exe, version 2.0.15.5, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/05/2009 10:30:59 PM | Computer Name = DAD | Source = Application Error | ID = 1000
Description = Faulting application pev.cfexe, version 0.0.0.0, faulting module pev.cfexe,
version 0.0.0.0, fault address 0x00027ed2.

Error - 10/05/2009 1:20:09 AM | Computer Name = DAD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/05/2009 3:56:36 PM | Computer Name = DAD | Source = Application Error | ID = 1000
Description = Faulting application javara.exe, version 1.0.12.1565, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 10/05/2009 7:44:25 PM | Computer Name = DAD | Source = Application Hang | ID = 1002
Description = Hanging application pinball.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/05/2009 7:44:25 PM | Computer Name = DAD | Source = Application Hang | ID = 1002
Description = Hanging application pinball.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/05/2009 7:44:34 PM | Computer Name = DAD | Source = Application Hang | ID = 1001
Description = Fault bucket 751912186.

Error - 11/05/2009 9:54:27 PM | Computer Name = DAD | Source = Application Hang | ID = 1002
Description = Hanging application OTListIt2.exe, version 2.0.15.5, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/05/2009 9:54:41 PM | Computer Name = DAD | Source = Application Hang | ID = 1001
Description = Fault bucket 1267791247.

[ System Events ]
Error - 10/05/2009 9:49:39 PM | Computer Name = DAD | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 10/05/2009 9:49:41 PM | Computer Name = DAD | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 10/05/2009 9:51:21 PM | Computer Name = DAD | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/05/2009 9:51:30 PM | Computer Name = DAD | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 10/05/2009 9:51:39 PM | Computer Name = DAD | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 10/05/2009 9:51:49 PM | Computer Name = DAD | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/05/2009 9:51:58 PM | Computer Name = DAD | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 10/05/2009 9:52:07 PM | Computer Name = DAD | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/05/2009 9:52:17 PM | Computer Name = DAD | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/05/2009 9:52:27 PM | Computer Name = DAD | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.


< End of report >
  • 0
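The event-log section of the OTL report above mixes application hangs with Disk and atapi errors, and the helper's next reply declares the machine clean of malware. As an added example that is not part of the original post or of the OTL tool, here is a small Python parser for entries in that "Error - ... | Source = ... | ID = ..." format which joins the wrapped Description lines and separates storage-hardware errors from application faults, the triage a helper can do before attributing a slow machine to malware. The sample log is constructed to mirror the format above.

```python
import re
from collections import Counter

# Constructed sample in the OTL "Error - ..." event-log format shown in the report.
SAMPLE_LOG = """\
Error - 10/05/2009 7:44:25 PM | Computer Name = DAD | Source = Application Hang | ID = 1002
Description = Hanging application pinball.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 10/05/2009 9:49:39 PM | Computer Name = DAD | Source = Disk | ID = 262151
Description = The device, \\Device\\Harddisk0\\D, has a bad block.

Error - 10/05/2009 9:51:21 PM | Computer Name = DAD | Source = atapi | ID = 262153
Description = The device, \\Device\\Ide\\IdePort0, did not respond within the timeout
period.
"""

HEADER = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
HARDWARE_SOURCES = {"Disk", "atapi"}  # event sources that point at storage hardware


def parse_events(text):
    """Return one dict per 'Error - ...' entry; wrapped Description lines are
    joined into a single 'description' string. Section headers like '[ ... ]' are skipped."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "description": ""})
        elif events and line.strip() and not line.startswith("["):
            desc = line.removeprefix("Description = ").strip()
            cur = events[-1]
            cur["description"] = (cur["description"] + " " + desc).strip()
    return events


def triage(events):
    """Split events into hardware (Disk/atapi) and application groups and count
    errors per device path, so failing storage is visible before blaming malware."""
    hw = [e for e in events if e["source"] in HARDWARE_SOURCES]
    app = [e for e in events if e["source"] not in HARDWARE_SOURCES]
    device = re.compile(r"The device, (\S+?), ")
    devices = Counter()
    for e in hw:
        m = device.search(e["description"])
        devices[m.group(1) if m else "?"] += 1
    return {"hardware": hw, "application": app, "devices": devices}
```

Running `triage(parse_events(SAMPLE_LOG))` on the constructed sample yields two hardware entries (one per device path) and one application hang; on the real report above the repeated bad-block and IdePort0 timeout entries would dominate the device counter.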

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hello gtaco94

From a malware standpoint, your logs are clean :)

Hence, go through the steps below, and if your machine's performance does not improve, post the issue in this part of the forum here and say your machine is clear of malware.

====STEP 1====
Follow these steps to uninstall Combofix and the tools used in the removal of malware, and to flush your system restore points:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


====STEP 2====
Double-click OTListIt.exe to run it. (Vista users, please right click on OTListIt.exe and select "Run as an Administrator")
  • Click the Clean up button and let the program run.
  • When prompted, click Yes to the reboot.
You can also clear away any other tools we used.


====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • MBAM - Malware Bytes Anti Malware is an excellent tool for anyone's antimalware arsenal. This program should be updated and run often.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Comodo Firewall - The use of a firewall is a personal preference, but it's certainly a good idea. Comodo is free and light. Remember, never install more than 1 firewall. Also remember, do not download the Comodo antivirus program if you already have an antivirus program on your machine.
  • Digsby or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • FireFox - Alternate web browser. Open source and quick, Firefox is usually the first thing I install on a new system.
  • NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

best wishes

andrewuk
  • 0

#13
gtaco94

gtaco94

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you SO much for your help. I couldn't have done it without you!
  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
