Desktop says "Your system is infected" [Solved]


#1 sgt_paul
    Member, 10 posts
I followed the Malware and Spyware cleaning guide. I am unable to complete all the tasks as requested.

TCF ran OK.

System restore returned an error:


See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Runtime.InteropServices.COMException (0x80080005): Server execution failed
at Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack)
at Microsoft.VisualBasic.CompilerServices.NewLateBinding.LateGet(Object Instance, Type Type, String MemberName, Object[] Arguments, String[] ArgumentNames, Type[] TypeArguments, Boolean[] CopyBack)
at SysRestorePoint.Module1.CreateRestorePoint()
at SysRestorePoint.Form1.Form1_Load(Object eventSender, EventArgs eventArgs)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Windows.Forms.Form.OnLoad(EventArgs e)
at System.Windows.Forms.Form.OnCreateControl()
at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
at System.Windows.Forms.Control.CreateControl()
at System.Windows.Forms.Control.WmShowWindow(Message& m)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ContainerControl.WndProc(Message& m)
at System.Windows.Forms.Form.WmShowWindow(Message& m)
at System.Windows.Forms.Form.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3082 (QFE.050727-3000)
CodeBase: file:///c:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
SysRestorePoint
Assembly Version: 1.3.0.0
Win32 Version: 1.3.0.0
CodeBase: file:///J:/SysRestorePoint.exe
----------------------------------------
Microsoft.VisualBasic
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/Microsoft.VisualBasic/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Runtime.Remoting
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3082 (QFE.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.


ERUNT ran OK.

Malwarebytes starts its scan and closes unexpectedly. No results to post.

Unable to install any antivirus.
Unable to run Windows updates. Service is stopped and says I don't have privileges to start it in services.msc.

RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/17 17:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1b5981ef.sys
Image Path: C:\WINDOWS\System32\drivers\1b5981ef.sys
Address: 0xB5C9F000 Size: 80000 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5C3B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5DC4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF77DF000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF76E7000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: 1b5981ef
Image Path: C:\WINDOWS\System32\drivers\1b5981ef.sys

Service Name: gasfkyubcdtaqd
Image Path: C:\WINDOWS\system32\drivers\gasfkyonfaqusv.sys

==EOF==

OTL.txt
OTL logfile created on: 10/17/2009 5:26:13 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = J:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.13 Gb Available Physical Memory | 75.62% Memory free
3.35 Gb Paging File | 3.10 Gb Available in Paging File | 92.48% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 55.09 Gb Free Space | 72.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 488.00 Mb Total Space | 259.70 Mb Free Space | 53.22% Space Free | Partition Type: FAT

Computer Name: OWNER-3IIDJGMQC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/17 16:33:44 | 00,521,216 | ---- | M] (OldTimer Tools) -- J:\OTL.exe
PRC - [2009/07/29 20:54:38 | 00,122,368 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
PRC - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2006/03/31 18:37:33 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\qttask.exe
PRC - [2006/02/21 22:39:15 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/10/03 05:47:47 | 00,022,016 | ---- | M] () -- C:\WINDOWS\System32\mssrv32.exe -- (msupdate [Auto | Stopped])
SRV - [2009/09/24 06:17:32 | 01,169,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (lavasoft ad-aware service [Auto | Stopped])
SRV - [2009/07/29 20:54:33 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2006/02/21 22:39:15 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2006/02/21 22:05:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/06 03:00:23 | 00,000,000 | ---D | M]


O1 HOSTS File: (755 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 microsoft
O2 - BHO: (C:\WINDOWS\system32\ybr37z5.dll) - {a249bc15-23f2-42ad-f4e4-00aac39c0004} - C:\WINDOWS\System32\ybr37z5.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [adobe photo downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [calc] C:\WINDOWS\System32\calc.DLL (Microsoft)
O4 - HKLM..\Run: [cmaudio] ._.Trashes ()
O4 - HKLM..\Run: [google quick search box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [hp software update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [jivolibik] c:\Documents and Settings\All Users\Application Data\biwagile\biwagile.dll ()
O4 - HKLM..\Run: [kernelfaultcheck] File not found
O4 - HKLM..\Run: [quicktime task] C:\WINDOWS\System32\qttask.exe ()
O4 - HKCU..\Run: [h/pc connection agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [spybotsd teatimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\OWNERO~1.000\LOCALS~1\Temp\lsass.exe File not found
O4 - HKCU..\Run: [zipscript] C:\Program Files\WORDsearch 8\ZipScript.exe (WORDsearch Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe (Sonic Solutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 93 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1142023616523 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1 4.2.2.2
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\lbxfile {56831180-F115-11d2-B6AA-00104B2B9943} - C:\Program Files\Libronix DLS\System\FileProt.dll (Libronix Corporation)
O18 - Protocol\Handler\lbxres {24508F1B-9E94-40EE-9759-9AF5795ADF52} - C:\Program Files\Libronix DLS\System\ResProt.dll (Libronix Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\3618xxx.dll) - C:\WINDOWS\TEMP\3618xxx.dll File not found
O20 - AppInit_DLLs: (joyikeza.dll) - C:\WINDOWS\System32\joyikeza.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\3634xxx.dll) - C:\WINDOWS\TEMP\3634xxx.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\371xxx.dll) - C:\WINDOWS\TEMP\371xxx.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\385xxx.dll) - C:\WINDOWS\TEMP\385xxx.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\3921xxx.dll) - C:\WINDOWS\TEMP\3921xxx.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\3937xxx.dll) - C:\WINDOWS\TEMP\3937xxx.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\3947xxx.dll) - C:\WINDOWS\TEMP\3947xxx.dll File not found
O20 - AppInit_DLLs: (C:\WINDOWS\TEMP\4015xxx.dll) - C:\WINDOWS\TEMP\4015xxx.dll File not found
O20 - AppInit_DLLs: (c:\DOCUME~1\ALLUSE~1\APPLIC~1\biwagile\biwagile.dll) - c:\Documents and Settings\All Users\Application Data\biwagile\biwagile.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O21 - SSODL: divulamat - {7abce5ca-8e96-4f27-9345-a7424183332c} - c:\Documents and Settings\All Users\Application Data\biwagile\biwagile.dll ()
O22 - SharedTaskScheduler: {7abce5ca-8e96-4f27-9345-a7424183332c} - gahurihor - c:\Documents and Settings\All Users\Application Data\biwagile\biwagile.dll ()
O22 - SharedTaskScheduler: {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - iukjsf8w3jirojs9f8u3jruhsf78s3jijdif - C:\WINDOWS\System32\ybr37z5.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/09 17:16:56 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b287eb01-b0fc-11dc-b607-000d875637b0}\Shell - "" = AutoRun
O33 - MountPoints2\{b287eb01-b0fc-11dc-b607-000d875637b0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b287eb01-b0fc-11dc-b607-000d875637b0}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
NetSvcs: Wmipsc - Service key not found. File not found

========== Files/Folders - Created Within 14 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/10/17 15:47:51 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/10/04 01:41:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\biwagile
[2009/10/04 01:41:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\darakibe
[2009/10/04 01:41:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\lusiyuge
[2009/10/05 15:37:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/04 01:41:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\rorusofa
[2009/10/04 01:41:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\semoyesi
[2009/10/04 01:41:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\tifeliri
[2009/10/05 13:31:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE
[2009/10/05 15:37:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Malwarebytes
[2009/10/05 13:35:43 | 00,000,000 | ---D | C] -- C:\Program Files\Angle Interactive
[2009/10/17 16:43:25 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/06 13:33:26 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/05 15:40:38 | 00,000,000 | ---D | C] -- C:\Program Files\New Folder
[2009/10/05 13:31:37 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Convoy 2009
[2009/10/04 18:47:10 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Police Pro
[2009/10/17 16:44:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/17 15:48:09 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/10/17 15:48:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/10/06 13:33:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/06 13:33:26 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/06 13:28:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/10/05 16:45:03 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/10/05 13:35:43 | 00,000,000 | ---D | C] -- C:\ProgramData
[2009/10/04 22:01:20 | 04,165,792 | ---- | C] (Sammsoft ) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\AROTrial_mt.exe

========== Files - Modified Within 14 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/10/17 17:26:35 | 00,080,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\1b5981ef.sys
[2009/10/17 17:21:38 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\miwekuro
[2009/10/17 17:19:16 | 00,052,736 | -HS- | M] () -- C:\WINDOWS\System32\mosowisi.dll
[2009/10/17 17:18:59 | 00,001,531 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\Windows Police Pro.lnk
[2009/10/17 17:18:46 | 01,089,058 | -HS- | M] () -- C:\WINDOWS\System32\rinapiza.exe
[2009/10/17 17:18:46 | 01,079,842 | -HS- | M] () -- C:\WINDOWS\System32\fupipivo.exe
[2009/10/17 17:10:38 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\pupamawe.dll
[2009/10/17 16:47:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/17 16:47:03 | 00,000,000 | ---- | M] () -- C:\WINDOWS\win32k.sys
[2009/10/17 16:47:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/17 16:45:23 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/17 16:43:25 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\NTREGOPT.lnk
[2009/10/17 16:43:25 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ERUNT.lnk
[2009/10/17 16:35:53 | 00,005,008 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\sysrestorepoint error.rtf
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/17 15:52:31 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/17 15:47:50 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/10/06 19:17:17 | 00,000,890 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/06 19:17:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/06 19:17:17 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/10/06 18:33:08 | 00,085,612 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\cc_20091006_1833.reg
[2009/10/05 14:16:57 | 00,052,224 | -HS- | M] () -- C:\WINDOWS\System32\kavunize.dll
[2009/10/05 14:16:39 | 01,048,099 | -HS- | M] () -- C:\WINDOWS\System32\nadejafi.exe
[2009/10/05 14:16:27 | 00,090,624 | -HS- | M] () -- C:\WINDOWS\System32\zomuhiwu.dll
[2009/10/05 14:16:27 | 00,038,912 | -HS- | M] () -- C:\WINDOWS\System32\radisezo.dll
[2009/10/05 14:04:54 | 16,409,960 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\setup-spybotsd162.exe
[2009/10/05 13:31:46 | 00,000,366 | ---- | M] () -- C:\WINDOWS\tasks\RegistryConvoy.job
[2009/10/05 13:31:37 | 00,000,619 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\Registry Convoy 2009.lnk
[2009/10/04 22:02:20 | 04,165,792 | ---- | M] (Sammsoft ) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\AROTrial_mt.exe
[2009/10/04 21:54:47 | 00,000,837 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\Spybot - Search & Destroy.lnk
[2009/10/04 20:35:50 | 01,955,840 | ---- | M] () -- C:\WINDOWS\System32\AVR09.exe
[2009/10/04 20:35:39 | 00,022,528 | ---- | M] () -- C:\WINDOWS\System32\winhelper.dll
[2009/10/04 20:35:23 | 00,000,831 | ---- | M] () -- C:\WINDOWS\System32\critical_warning.html
[2009/10/04 18:47:14 | 00,000,046 | ---- | M] () -- C:\p2hhr.bat
[2009/10/04 18:47:07 | 00,034,243 | ---- | M] () -- C:\pmkvle.exe
[2009/10/04 18:47:05 | 00,189,960 | ---- | M] () -- C:\ngvh.exe
[2009/10/04 18:47:02 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\px7jlhlaa.dll
[2009/10/04 18:47:01 | 00,213,067 | ---- | M] () -- C:\gpsjumwh.exe
[2009/10/04 18:47:00 | 00,052,224 | ---- | M] () -- C:\nysin.exe
[2009/10/04 18:46:58 | 00,019,456 | ---- | M] () -- C:\tlvkon.exe
[2009/10/04 18:46:57 | 00,161,280 | ---- | M] () -- C:\apkjixyw.exe
[2009/10/04 18:46:57 | 00,045,568 | ---- | M] () -- C:\rurqq.exe
[2009/10/04 18:46:55 | 00,009,728 | ---- | M] () -- C:\lqxebik.exe
[2009/10/04 18:06:09 | 00,000,442 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2009/10/04 13:41:42 | 00,052,736 | -HS- | M] () -- C:\WINDOWS\System32\melamiro.dll
[2009/10/04 13:41:16 | 01,048,611 | -HS- | M] () -- C:\WINDOWS\System32\hememefo.exe
[2009/10/04 13:41:12 | 00,090,624 | -HS- | M] () -- C:\WINDOWS\System32\pularewi.dll
[2009/10/04 13:41:11 | 00,038,912 | -HS- | M] () -- C:\WINDOWS\System32\silulawo.dll
[2009/10/04 01:40:23 | 00,051,200 | ---- | M] () -- C:\dkvyax.exe
[2009/10/04 01:40:21 | 00,079,360 | ---- | M] () -- C:\hsjcyle.exe
[2009/10/04 01:40:20 | 00,043,520 | ---- | M] () -- C:\rmnkbgw.exe
[2009/10/04 01:40:19 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\ybr37z5.dll
[2009/10/04 01:40:18 | 00,009,728 | ---- | M] () -- C:\luqnovd.exe
[2009/10/04 01:39:54 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\pj2yox5.dll
[2009/10/04 01:39:29 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\kqkeo7.dll
[2009/10/04 01:38:52 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\xyvj1dk.dll
[2009/10/04 01:38:10 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\mru1ycog.dll
[2009/10/04 01:37:59 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\ln9m9vv.dll
[2009/10/04 01:37:16 | 00,189,841 | ---- | M] () -- C:\ituycggj.exe
[2009/10/04 01:36:56 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\bgrej.dll
[2009/10/04 01:36:32 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\c3fx01t.dll
[2009/10/04 01:36:15 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\lybmp.dll
[2009/10/04 01:35:39 | 00,015,000 | ---- | M] () -- C:\WINDOWS\System32\zsn4yys4.dll
[2009/10/04 00:33:00 | 00,000,416 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job

========== Files - No Company Name ==========
[2009/10/17 17:18:59 | 00,001,531 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\Windows Police Pro.lnk
[2009/10/17 16:45:23 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/17 16:43:25 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\NTREGOPT.lnk
[2009/10/17 16:43:25 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ERUNT.lnk
[2009/10/17 16:35:53 | 00,005,008 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\sysrestorepoint error.rtf
[2009/10/17 15:49:09 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/17 15:47:50 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/10/06 19:35:50 | 00,472,064 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\RootRepeal.exe
[2009/10/06 19:29:14 | 00,361,369 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\dds.scr
[2009/10/06 19:17:17 | 00,001,879 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009/10/06 19:17:17 | 00,001,757 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/10/06 19:17:17 | 00,000,869 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
[2009/10/06 19:17:17 | 00,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
[2009/10/06 18:33:06 | 00,085,612 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\cc_20091006_1833.reg
[2009/10/05 14:02:31 | 16,409,960 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\setup-spybotsd162.exe
[2009/10/05 13:31:45 | 00,000,366 | ---- | C] () -- C:\WINDOWS\tasks\RegistryConvoy.job
[2009/10/05 13:31:37 | 00,000,619 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\Registry Convoy 2009.lnk
[2009/10/04 18:47:14 | 00,000,046 | ---- | C] () -- C:\p2hhr.bat
[2009/10/04 18:47:06 | 00,034,243 | ---- | C] () -- C:\pmkvle.exe
[2009/10/04 18:47:02 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\px7jlhlaa.dll
[2009/10/04 18:47:00 | 00,189,960 | ---- | C] () -- C:\ngvh.exe
[2009/10/04 18:46:57 | 00,019,456 | ---- | C] () -- C:\tlvkon.exe
[2009/10/04 18:46:56 | 00,045,568 | ---- | C] () -- C:\rurqq.exe
[2009/10/04 18:46:55 | 00,009,728 | ---- | C] () -- C:\lqxebik.exe
[2009/10/04 01:45:30 | 00,000,000 | ---- | C] () -- C:\WINDOWS\win32k.sys
[2009/10/04 01:40:19 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\ybr37z5.dll
[2009/10/04 01:40:08 | 00,009,728 | ---- | C] () -- C:\luqnovd.exe
[2009/10/04 01:39:54 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\pj2yox5.dll
[2009/10/04 01:39:35 | 00,079,360 | ---- | C] () -- C:\hsjcyle.exe
[2009/10/04 01:39:29 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\kqkeo7.dll
[2009/10/04 01:38:52 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\xyvj1dk.dll
[2009/10/04 01:38:25 | 01,955,840 | ---- | C] () -- C:\WINDOWS\System32\AVR09.exe
[2009/10/04 01:38:24 | 00,022,528 | ---- | C] () -- C:\WINDOWS\System32\winhelper.dll
[2009/10/04 01:38:10 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\mru1ycog.dll
[2009/10/04 01:37:59 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\ln9m9vv.dll
[2009/10/04 01:36:56 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\bgrej.dll
[2009/10/04 01:36:32 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\c3fx01t.dll
[2009/10/04 01:36:15 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\lybmp.dll
[2009/10/04 01:36:12 | 00,189,841 | ---- | C] () -- C:\ituycggj.exe
[2009/10/04 01:36:09 | 00,051,200 | ---- | C] () -- C:\dkvyax.exe
[2009/10/04 01:36:03 | 00,043,520 | ---- | C] () -- C:\rmnkbgw.exe
[2009/10/04 01:35:58 | 00,080,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\1b5981ef.sys
[2009/10/04 01:35:39 | 00,015,000 | ---- | C] () -- C:\WINDOWS\System32\zsn4yys4.dll
[2009/10/04 01:35:35 | 00,000,831 | ---- | C] () -- C:\WINDOWS\System32\critical_warning.html
[2009/10/04 01:35:32 | 00,213,067 | ---- | C] () -- C:\gpsjumwh.exe
[2009/10/04 01:35:29 | 00,052,224 | ---- | C] () -- C:\nysin.exe
[2009/10/04 01:35:28 | 00,161,280 | ---- | C] () -- C:\apkjixyw.exe
[2009/08/03 14:37:17 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Mahjongg Variations.INI
[2009/07/17 17:10:38 | 00,091,648 | -HS- | C] () -- C:\WINDOWS\System32\nujaduha.dll
[2009/07/17 17:10:38 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\mosowisi.dll
[2009/07/17 17:10:38 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\pupamawe.dll
[2009/07/05 14:16:26 | 00,090,624 | -HS- | C] () -- C:\WINDOWS\System32\zomuhiwu.dll
[2009/07/05 14:16:26 | 00,052,224 | -HS- | C] () -- C:\WINDOWS\System32\kavunize.dll
[2009/07/05 14:16:26 | 00,038,912 | -HS- | C] () -- C:\WINDOWS\System32\radisezo.dll
[2009/07/04 13:41:11 | 00,090,624 | -HS- | C] () -- C:\WINDOWS\System32\pularewi.dll
[2009/07/04 13:41:11 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\melamiro.dll
[2009/07/04 13:41:11 | 00,038,912 | -HS- | C] () -- C:\WINDOWS\System32\silulawo.dll
[2009/07/04 01:35:35 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\zihanine.dll
[2009/07/04 01:35:35 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\yokifafa.dll
[2009/07/04 01:35:35 | 00,051,200 | -HS- | C] () -- C:\WINDOWS\System32\joyikeza.dll
[2008/08/16 11:11:46 | 00,000,058 | ---- | C] () -- C:\WINDOWS\TTN.INI
[2007/09/22 19:28:31 | 00,000,071 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2007/09/16 14:59:19 | 00,000,429 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/07/20 10:18:49 | 00,000,335 | ---- | C] () -- C:\WINDOWS\Trpmaker.INI
[2007/07/20 10:18:19 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PlugFile.dll
[2007/07/20 10:08:25 | 00,000,039 | ---- | C] () -- C:\WINDOWS\Winhelp.INI
[2007/07/20 10:08:24 | 00,000,186 | ---- | C] () -- C:\WINDOWS\RPlanner.INI
[2007/07/20 10:07:48 | 00,038,688 | ---- | C] () -- C:\WINDOWS\System32\Leaddib.drv
[2007/07/20 10:07:46 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/07/20 10:07:41 | 00,011,136 | ---- | C] () -- C:\WINDOWS\System32\Fprun300.dll
[2006/12/23 15:57:01 | 00,000,894 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_PROTOCOL.log
[2006/12/23 15:57:00 | 00,004,619 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_UI.log
[2006/12/23 15:57:00 | 00,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2006/12/23 15:57:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_API.log
[2006/09/11 20:38:49 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/11 20:20:45 | 00,000,063 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/07/18 08:01:46 | 00,344,479 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
[2006/07/18 08:01:46 | 00,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2006/07/18 08:01:36 | 00,004,176 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HPSU_48BitScanUpdate.log
[2006/07/18 08:01:36 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/07/18 08:00:30 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log
[2006/07/18 08:00:29 | 00,000,716 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
[2006/07/18 08:00:29 | 00,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2006/07/18 08:00:17 | 00,004,828 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
[2006/07/18 08:00:17 | 00,000,228 | ---- | C] () -- C:\WINDOWS\HP_ISRegionListUpdatelog_HPSU.ini
[2006/07/18 08:00:05 | 00,005,646 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_InstantShareJPG.log
[2006/07/18 08:00:05 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2006/07/18 07:59:39 | 00,007,321 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_IZClosingDiscError.log
[2006/07/18 07:59:39 | 00,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2006/07/18 07:56:44 | 00,005,848 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/07/18 07:56:44 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/07/18 07:53:44 | 00,269,908 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2006/07/18 07:53:44 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/07/16 21:38:10 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/03/31 19:01:21 | 00,001,607 | ---- | C] () -- C:\Program Files\uninstal.log
[2006/03/14 21:07:09 | 00,009,711 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/03/14 14:13:32 | 00,002,508 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\$_hpcst$.hpc
[2006/03/13 16:28:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/10 21:14:55 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2006/03/10 20:46:08 | 00,000,148 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\fusioncache.dat
[2006/03/10 20:42:44 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2006/03/10 20:36:20 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006/03/10 20:36:19 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006/03/10 16:21:37 | 00,082,848 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/03/10 15:02:01 | 06,395,536 | -H-- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\IconCache.db
[2006/03/10 15:01:22 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\desktop.ini
[2006/03/09 11:01:34 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2005/08/27 19:41:50 | 00,032,768 | R--- | C] () -- C:\WINDOWS\System32\dwsvclnt.dll
[2004/09/17 18:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003/02/18 19:26:28 | 00,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/04 03:24:26 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2001/08/18 07:00:00 | 00,061,952 | ---- | C] () -- C:\WINDOWS\System32\eventlog.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Wmipsiv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Wmipscv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\WmdmPv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Nwsapv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\NWCWov32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Irmonv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Ipripv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\Iasv32.dll
[2001/08/18 07:00:00 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\6to4v32.dll
[2001/08/18 07:00:00 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\isasdk.sys
[2001/08/18 07:00:00 | 00,000,890 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/06 15:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/10/17 15:47:51 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/10/29 19:17:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{4A8C70B4-22EC-4060-8BF4-A88F7B8448DE}
[2008/01/19 16:57:27 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{B306A3A9-A7C4-4B0D-9D6A-DD50F415168A}
[2009/10/17 15:47:51 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2008/10/29 19:13:38 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{F86C4463-4448-48BD-9E9E-83A333A8E98B}
[2009/10/04 01:41:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\biwagile
[2009/10/04 01:41:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\darakibe
[2009/01/23 19:37:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/05/02 09:42:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/02/11 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2009/08/09 14:43:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2008/10/29 19:13:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LESSONmaker
[2006/10/29 22:27:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Libronix DLS
[2009/10/04 01:41:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\lusiyuge
[2009/01/23 19:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/10/04 01:41:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\rorusofa
[2009/10/04 01:41:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\semoyesi
[2009/08/09 15:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/04 01:41:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\tifeliri
[2008/10/29 19:39:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WORDsearch
[2008/01/19 16:56:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\wsc
[2009/10/05 15:37:43 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data
[2006/03/10 20:46:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\ATI
[2009/10/05 13:31:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE
[2009/01/23 19:39:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\DriverCure
[2009/08/03 15:51:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Gaijin Ent
[2008/04/09 15:18:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Intuit
[2006/08/07 17:41:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Leadertech
[2006/10/29 22:27:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Libronix DLS
[2009/08/09 14:36:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\SpinTop
[2009/08/30 14:25:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\U3
[2008/11/16 16:38:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\W Photo Studio Viewer
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2001/08/18 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/04 18:06:09 | 00,000,442 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job
[2009/10/04 00:33:00 | 00,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
[2009/10/05 13:31:46 | 00,000,366 | ---- | M] () -- C:\WINDOWS\Tasks\RegistryConvoy.job
[2009/10/17 16:47:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/10/04 18:46:57 | 00,161,280 | ---- | M] () -- C:\apkjixyw.exe
[2009/10/04 01:40:23 | 00,051,200 | ---- | M] () -- C:\dkvyax.exe
[2009/10/04 18:47:05 | 00,167,424 | ---- | M] (Microsoft Corporation) -- C:\fmmvqn.exe
[2009/10/04 18:47:01 | 00,213,067 | ---- | M] () -- C:\gpsjumwh.exe
[2009/10/04 01:40:21 | 00,079,360 | ---- | M] () -- C:\hsjcyle.exe
[2009/10/04 01:37:16 | 00,189,841 | ---- | M] () -- C:\ituycggj.exe
[2009/10/04 18:46:55 | 00,009,728 | ---- | M] () -- C:\lqxebik.exe
[2009/10/04 01:40:18 | 00,009,728 | ---- | M] () -- C:\luqnovd.exe
[2009/10/04 18:47:05 | 00,189,960 | ---- | M] () -- C:\ngvh.exe
[2009/10/04 18:47:00 | 00,052,224 | ---- | M] () -- C:\nysin.exe
[2009/10/04 18:47:07 | 00,034,243 | ---- | M] () -- C:\pmkvle.exe
[2009/10/04 01:40:20 | 00,043,520 | ---- | M] () -- C:\rmnkbgw.exe
[2009/10/04 18:46:57 | 00,045,568 | ---- | M] () -- C:\rurqq.exe
[2009/10/04 18:46:58 | 00,019,456 | ---- | M] () -- C:\tlvkon.exe
[2009/10/04 01:36:07 | 00,161,280 | ---- | M] (Microsoft Corporation) -- C:\uheu.exe

< %systemroot%\system32\eventlog.dll >
[2008/04/13 19:11:53 | 00,061,952 | ---- | M] () -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logevent.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47BC930A
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F8104EE7
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:08FAADE1
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84E7BFEB
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:211ED887
< End of report >


Extras.txt:

OTL Extras logfile created on: 10/17/2009 5:26:13 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = J:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.13 Gb Available Physical Memory | 75.62% Memory free
3.35 Gb Paging File | 3.10 Gb Available in Paging File | 92.48% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 55.09 Gb Free Space | 72.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 488.00 Mb Total Space | 259.70 Mb Free Space | 53.22% Space Free | Partition Type: FAT

Computer Name: OWNER-3IIDJGMQC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe" = C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Rand McNally\TripMaker\Trpmaker.exe" = C:\Program Files\Rand McNally\TripMaker\Trpmaker.exe:*:Enabled:Trpmaker -- ()
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"H:\TTN.exe" = H:\TTN.exe:*:Enabled:TTN -- File not found
"C:\TTN\TTN.exe" = C:\TTN\TTN.exe:*:Enabled:TTN -- (Nikasoft)
"C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\WINDOWS\TEMP\p.exe" = C:\WINDOWS\TEMP\p.exe:*:Enabled:Enabled -- ()
"C:\WINDOWS\system32\qttask.exe" = C:\WINDOWS\system32\qttask.exe:*:Enabled:qttask -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0378C1D0-3F01-4074-AB93-E68A1CA32B7E}" = Bible Explorer 4 for LESSONmaker
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{1330F885-F8E4-4c36-9B88-E19F82042C06}" = 3100_3200_3300trb
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19991EAD-C273-47EB-87E8-0D274925230B}" = Oeb Resource Driver
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{25771101-7948-4591-ABF3-B1ECE7A7F45F}" = HP Update
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3E386744-10FA-44b2-98C9-DF7A270DECB3}" = HP PSC & OfficeJet 5.3.A
"{4B9E068C-12BC-4B4F-9799-EE2ACE576BDD}" = WORDsearch 8 Basic Edition
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4ED47439-5232-4BBC-93F2-7BC895B56246}" = 3300
"{50E7BB78-02B4-469a-9D8B-B2F42835F90E}" = ProductContextNPI
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{567C23E1-7580-4185-B8C2-30805677297C}" = NewCopy_CDA
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{57707A73-5901-4306-B927-AA5B9A006EFF}" = LESSONmaker 8 Complete Edition
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{5F81DD84-6A2F-11D4-903E-00E0293397B7}" = Bible Data Type System Files
"{5F81DD89-6A2F-11D4-903E-00E0293397B7}" = Common System Files
"{5F81DD92-6A2F-11D4-903E-00E0293397B7}" = Libronix Digital Library System
"{5F81DD97-6A2F-11D4-903E-00E0293397B7}" = Libronix DLS Application
"{5F81DD9B-6A2F-11D4-903E-00E0293397B7}" = LibronixUpdate
"{5F81DD9F-6A2F-11D4-903E-00E0293397B7}" = LLS Resource Driver
"{5F81DDA3-6A2F-11D4-903E-00E0293397B7}" = PDF Resource Driver
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{76effc7c-17a6-479d-9e47-8e658c1695ae}" = Windows Backup Utility
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{90437E5F-0A9E-4B63-AD8B-D232897D18BF}" = ATI Parental Control & Encoder
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B276997E-4367-4b1b-A39C-4CAE7464337A}" = AiO_Scan_CDA
"{b4092c6d-e886-4cb2-ba68-fe5a88d31de6}_is1" = Spybot - Search & Destroy
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B60E7826-F117-4d26-8165-D2DC5A494AB0}" = Fax_CDA
"{B64E3AFC-59EF-4f18-BF11-E751462450D3}" = AiOSoftwareNPI
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{CB2D95C7-189C-4596-B071-CE99C309573D}" = ATI Catalyst Control Center
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCDD8C24-EB4A-4BCC-BAFD-4812F9B70FDE}" = TurboTax 2008 wokiper
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4576E0D-2295-4B8E-B663-B68086B00EE5}" = Sonic CinePlayer DVD Pack
"{ded53b0b-b67c-4244-ae6a-d6fd3c28d1ef}" = Ad-Aware
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{F1931CAB-C7DD-4825-8A58-BC5278805200}" = 3100_3200_3300_Help
"{f333a33d-125c-32a2-8dce-5c5d14231e27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{f333a33d-125c-32a2-8dce-5c5d14231e27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"ad-aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Bible Explorer 4 for LESSONmaker" = Bible Explorer 4 for LESSONmaker
"CCleaner" = CCleaner (remove only)
"C-Media Audio Driver" = C-Media WDM Audio Driver
"Encyclopædia Britannica Ultimate Reference Suite" = Encyclopædia Britannica Ultimate Reference Suite
"erunt_is1" = ERUNT 1.1j
"Hoyle Classic Games" = Hoyle Classic Games
"HP Document Viewer" = HP Document Viewer 5.3
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"ie8" = Windows Internet Explorer 8
"LEARN Microsoft® Word xp" = LEARN Microsoft® Word xp
"LESSONmaker 8 Complete Edition" = LESSONmaker 8 Complete Edition
"Libronix DLS" = Libronix Digital Library System
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Mahjong Match" = Mahjong Match
"malwarebytes' anti-malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"QuickTime" = QuickTime
"Rahjongg The Curse of Ra" = Rahjongg The Curse of Ra
"registry convoy" = Registry Convoy 2009
"Sierra Utilities" = Sierra Utilities
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"TripMaker" = Rand McNally TripMaker 2000
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"TurboTax Premier 2007" = TurboTax Premier 2007
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WORDsearch 8 Basic Edition" = WORDsearch 8 Basic Edition
"WORDsearch Basic Edition" = WORDsearch Basic Edition
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Route Planner" = Rand McNally Route Planner

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/13/2009 8:30:34 PM | Computer Name = OWNER-3IIDJGMQC | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/13/2009 8:31:51 PM | Computer Name = OWNER-3IIDJGMQC | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/13/2009 8:32:21 PM | Computer Name = OWNER-3IIDJGMQC | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/13/2009 8:33:52 PM | Computer Name = OWNER-3IIDJGMQC | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/13/2009 9:42:26 PM | Computer Name = OWNER-3IIDJGMQC | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 10/17/2009 4:10:43 PM | Computer Name = OWNER-3IIDJGMQC | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 10/17/2009 4:47:59 PM | Computer Name = OWNER-3IIDJGMQC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 10/17/2009 5:05:52 PM | Computer Name = OWNER-3IIDJGMQC | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00e39554.

Error - 10/17/2009 5:06:09 PM | Computer Name = OWNER-3IIDJGMQC | Source = Application Error | ID = 1000
Description = Faulting application wmpnetwk.exe, version 11.0.5721.5145, faulting
module unknown, version 0.0.0.0, fault address 0x0000000b.

Error - 10/17/2009 5:07:41 PM | Computer Name = OWNER-3IIDJGMQC | Source = Application Error | ID = 1000
Description = Faulting application imapi.exe, version 5.1.2600.5512, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x0000fe60.

[ System Events ]
Error - 10/17/2009 6:12:23 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:13:39 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:14:43 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:18:52 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:19:56 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:19:58 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:20:52 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:23:13 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:23:39 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:25:18 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.


< End of report >


Thanks for any help in advance.
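Two triage checks over the OTL sections quoted in this post, added here as an example; this is not part of sgt_paul's post and not code from OTL or Geeks to Go. The sample input is a handful of AuthorizedApplications lines and Event Log records copied from the log above and embedded as constructed strings; the function names, the flag labels and the heuristics (missing target, no publisher, TEMP directory, drive root, Service Control Manager event 7028 per service) are the example's own assumptions, not anything OTL reports.

```python
"""Triage helpers for two OTL log sections: firewall exceptions and event errors.

Added example, not part of the forum post or of OTL.  Sample lines below are
constructed from the log on the page; heuristics are this example's own.
"""
import re
from collections import Counter

# Constructed sample: AuthorizedApplications lines copied from the OTL log above.
FIREWALL_SAMPLE = r'''
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe" = C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client -- (Hewlett-Packard)
"H:\TTN.exe" = H:\TTN.exe:*:Enabled:TTN -- File not found
"C:\TTN\TTN.exe" = C:\TTN\TTN.exe:*:Enabled:TTN -- (Nikasoft)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\WINDOWS\TEMP\p.exe" = C:\WINDOWS\TEMP\p.exe:*:Enabled:Enabled -- ()
"C:\WINDOWS\system32\qttask.exe" = C:\WINDOWS\system32\qttask.exe:*:Enabled:qttask -- ()
'''

# Constructed sample: three System Events records copied from the OTL log above.
EVENT_SAMPLE = '''
Error - 10/17/2009 6:12:23 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:13:39 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 10/17/2009 6:14:43 PM | Computer Name = OWNER-3IIDJGMQC | Source = Service Control Manager | ID = 7028
Description = The wuauserv Registry key denied access to SYSTEM account programs
so the Service Control Manager took ownership of the Registry key.
'''

# OTL prints each exception as: "<key>" = <path>:<scope>:<state>:<name> -- <company>
# The path contains a colon (drive letter), so it is matched lazily and the
# scope field is anchored on the Enabled/Disabled state that follows it.
FW_LINE = re.compile(
    r'^"(?P<key>[^"]+)" = (?P<path>.+?):(?P<scope>[^:]+):'
    r'(?P<state>Enabled|Disabled):(?P<name>.*?) -- (?P<company>.*)$'
)
TEMP_DIR = re.compile(r'\\temp\\', re.IGNORECASE)       # any ...\TEMP\... path
DRIVE_ROOT = re.compile(r'^[A-Za-z]:\\[^\\]+$')         # X:\file.exe, no subfolder


def parse_firewall_exceptions(text):
    """Yield one dict per AuthorizedApplications line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def triage_firewall_exceptions(text):
    """Return [(path, [reasons])] for enabled exceptions worth a second look.

    A hit is a lead, not a verdict: a legitimate binary without a version
    resource also shows up as '()' in OTL's company field.
    """
    findings = []
    for e in parse_firewall_exceptions(text):
        reasons = []
        if e["company"] == "File not found":
            reasons.append("target missing")
        if e["company"].strip() in ("()", "( )", ""):
            reasons.append("no publisher")
        if TEMP_DIR.search(e["path"]):
            reasons.append("temp directory")
        if DRIVE_ROOT.match(e["path"]):
            reasons.append("drive root")
        if reasons and e["state"] == "Enabled":
            findings.append((e["path"], reasons))
    return findings


def locked_service_keys(text):
    """Count Service Control Manager event 7028 per service key.

    7028 means the service's registry key denied SYSTEM access and SCM had to
    take ownership of it.  Records are separated by blank lines; the wrapped
    Description is joined before matching.
    """
    hits = Counter()
    for record in re.split(r'\n\s*\n', text.strip()):
        lines = record.splitlines()
        if not lines or "| ID = 7028" not in lines[0]:
            continue
        body = " ".join(l.strip() for l in lines[1:])
        m = re.search(r'The (\S+) Registry key denied access', body)
        if m:
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    for path, why in triage_firewall_exceptions(FIREWALL_SAMPLE):
        print(f"{path}: {', '.join(why)}")
    for svc, n in locked_service_keys(EVENT_SAMPLE).items():
        print(f"event 7028 x{n}: {svc}")
```

Run as a script it prints the three flagged exceptions and the per-service 7028 counts. Read the output as a worklist: qttask.exe is flagged only because OTL found no company string for it, and the uninstall list and the HKLM Run key in this thread show it as the QuickTime task, whereas H:\TTN.exe (target missing) and C:\WINDOWS\TEMP\p.exe (an enabled, unrestricted exception with no publisher in a temp directory) deserve a look first. A default Windows service key grants SYSTEM full control, so repeated 7028 hits on wuauserv and BITS belong on the same list.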

#2 BHowett (OT Moderator, 4,649 posts)
Hello sgt_paul, and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

Oh, you have some nasty junk in there, so let's see what we can do :)

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

#3 sgt_paul (Topic Starter, Member, 10 posts)
Got ComboFix installed and run. Got this message after the scan started and thought I would add it now.

ComboFix has detected the presence of Rootkit activity and needs to reboot.

C:\WINDOWS\System32\drivers\gasfkyoufaqvsv.sys
C:\WINDOWS\System32\gasfkycqfvqypb.dll
C:\WINDOWS\System32\gasfkjnnbqfnev.dat
C:\WINDOWS\System32\gasfkyqsttnpev.dll
C:\WINDOWS\System32\gasfkymyripyym.dat
C:\WINDOWS\System32\gasfkyfvspxfdi.dll

ComboFix.txt:

ComboFix 09-10-16.09 - Owner 10/17/2009 18:43.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1214 [GMT -5:00]
Running from: c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\biwagile\biwagile.dll
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Bobby\ntuser.dll
c:\documents and settings\Bobby\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Bobby\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Default User\ntuser.dll
c:\documents and settings\Default User\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Default User\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Desktop\Windows Police Pro.lnk
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\ntuser.dll
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\documents and settings\Robert\ntuser.dll
c:\documents and settings\Robert\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Robert\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Ruth\ntuser.dll
c:\documents and settings\Ruth\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Ruth\Start Menu\Programs\Startup\scandisk.lnk
C:\p2hhr.bat
c:\program files\Windows Police Pro
c:\windows\Installer\1803fb.msp
c:\windows\Installer\2302c38d.msp
c:\windows\Installer\2dcf2064.msp
c:\windows\Installer\42119a.msi
c:\windows\Installer\42119e.msi
c:\windows\Installer\78abf95.msp
c:\windows\Installer\8f513c2c.msp
c:\windows\system32\6to4v32.dll
c:\windows\system32\AVR09.exe
c:\windows\system32\axaltocm.dll
c:\windows\system32\bgrej.dll
c:\windows\system32\c3fx01t.dll
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\1b5981ef.sys
c:\windows\system32\drivers\gasfkyonfaqusv.sys
c:\windows\system32\fupipivo.exe
c:\windows\system32\gasfkycqfvqypb.dll
c:\windows\system32\gasfkyfvspxfdi.dll
c:\windows\system32\gasfkyjnbqfnev.dat
c:\windows\system32\gasfkymyripyym.dat
c:\windows\system32\gasfkyqsttnpev.dll
c:\windows\system32\Iasv32.dll
c:\windows\system32\Ipripv32.dll
c:\windows\system32\Irmonv32.dll
c:\windows\system32\isasdk.sys
c:\windows\system32\joyikeza.dll
c:\windows\system32\kavunize.dll
c:\windows\system32\kqkeo7.dll
c:\windows\system32\ln9m9vv.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lybmp.dll
c:\windows\system32\melamiro.dll
c:\windows\system32\mosowisi.dll
c:\windows\system32\mru1ycog.dll
c:\windows\system32\mssrv32.exe
c:\windows\system32\nadejafi.exe
c:\windows\system32\nujaduha.dll
c:\windows\system32\pj2yox5.dll
c:\windows\system32\pularewi.dll
c:\windows\system32\pupamawe.dll
c:\windows\system32\px7jlhlaa.dll
c:\windows\system32\radisezo.dll
c:\windows\system32\rinapiza.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\silulawo.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\xyvj1dk.dll
c:\windows\system32\ybR37z5.dll
c:\windows\system32\yokifafa.dll
c:\windows\system32\zihanine.dll
c:\windows\system32\zomuhiwu.dll
c:\windows\system32\zsn4yys4.dll
c:\windows\win32k.sys
c:\windows\winhelp.ini

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyubcdtaqd
-------\Legacy_gasfkyubcdtaqd
-------\Legacy_6to4
-------\Legacy_ISASDK
-------\Legacy_msupdate
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}
-------\Service_6to4
-------\Service_isasdk
-------\Service_msupdate
-------\Service_1b5981ef


((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))
.

2009-10-17 21:43 . 2009-10-17 21:43 -------- d-----w- c:\program files\ERUNT
2009-10-17 20:48 . 2009-10-17 20:48 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-17 20:48 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-17 20:47 . 2009-10-17 20:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-06 18:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-06 18:33 . 2009-10-17 21:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 18:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:45 . 2009-10-05 21:51 -------- d--h--w- c:\windows\PIF
2009-10-05 20:40 . 2009-10-05 20:40 -------- d-----w- c:\program files\New Folder
2009-10-05 20:37 . 2009-10-05 20:37 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Malwarebytes
2009-10-05 20:37 . 2009-10-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-05 18:35 . 2009-10-05 22:10 -------- d-----w- c:\program files\Angle Interactive
2009-10-05 18:35 . 2009-10-05 18:35 -------- d-----w- C:\ProgramData
2009-10-05 18:31 . 2009-10-05 18:31 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE
2009-10-05 18:31 . 2009-10-05 18:31 -------- d-----w- c:\program files\Registry Convoy 2009
2009-10-04 23:47 . 2009-10-04 23:47 49152 ----a-w- c:\windows\system32\intro.dll
2009-10-04 23:47 . 2009-10-04 23:47 34243 ----a-w- C:\pmkvle.exe
2009-10-04 23:47 . 2009-10-04 23:47 189960 ----a-w- C:\ngvh.exe
2009-10-04 23:46 . 2009-10-04 23:46 19456 ----a-w- C:\tlvkon.exe
2009-10-04 23:46 . 2009-10-04 23:46 45568 ----a-w- C:\rurqq.exe
2009-10-04 23:46 . 2009-10-04 23:46 9728 ----a-w- C:\lqxebik.exe
2009-10-04 06:41 . 2009-10-17 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\biwagile
2009-10-04 06:41 . 2009-10-04 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\tifeliri
2009-10-04 06:41 . 2009-10-04 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\semoyesi
2009-10-04 06:41 . 2009-10-04 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\rorusofa
2009-10-04 06:41 . 2009-10-04 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\lusiyuge
2009-10-04 06:41 . 2009-10-04 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\darakibe
2009-10-04 06:40 . 2009-10-04 06:40 9728 ----a-w- C:\luqnovd.exe
2009-10-04 06:39 . 2009-10-04 06:40 79360 ----a-w- C:\hsjcyle.exe
2009-10-04 06:36 . 2009-10-04 06:37 189841 ----a-w- C:\ituycggj.exe
2009-10-04 06:36 . 2009-10-04 06:40 51200 ----a-w- C:\dkvyax.exe
2009-10-04 06:36 . 2009-10-04 06:40 43520 ----a-w- C:\rmnkbgw.exe
2009-10-04 06:35 . 2009-10-04 06:36 161280 ----a-w- C:\uheu.exe
2009-10-04 06:35 . 2009-10-04 23:47 213067 ----a-w- C:\gpsjumwh.exe
2009-10-04 06:35 . 2009-10-04 23:47 52224 ----a-w- C:\nysin.exe
2009-10-04 06:35 . 2009-10-04 23:46 161280 ----a-w- C:\apkjixyw.exe
2009-10-04 06:35 . 2009-10-04 23:47 167424 ----a-w- C:\fmmvqn.exe
2009-09-26 17:08 . 2009-09-27 01:54 -------- d-sh--w- c:\documents and settings\Ruth\Application Data\lowsec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 21:45 . 2009-10-17 21:45 693760 ----a-w- c:\windows\isRS-000.tmp
2009-10-05 21:37 . 2006-04-28 00:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-05 20:49 . 2006-04-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 18:41 . 2009-07-04 18:41 1048611 --sha-w- c:\windows\system32\hememefo.exe
2009-10-04 12:40 . 2008-01-19 21:56 -------- d-----w- c:\program files\WORDsearch 8
2009-10-04 06:47 . 2009-09-13 03:01 -------- d-sh--w- c:\documents and settings\Robert\Application Data\lowsec
2009-09-29 02:49 . 2008-10-30 00:15 -------- d-----w- c:\program files\Bible Explorer 4
2009-09-20 17:55 . 2006-04-02 00:01 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\AdobeUM
2009-09-10 00:10 . 2009-09-10 00:08 70835 ----a-w- c:\windows\hpqins04.dat
2009-09-10 00:08 . 2009-09-10 00:07 70775 ----a-w- c:\windows\hpqins06.dat
2009-09-02 15:22 . 2009-09-02 15:22 -------- d-----w- c:\documents and settings\Robert\Application Data\HpUpdate
2009-08-30 19:25 . 2007-12-23 02:55 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\U3
2009-08-23 02:43 . 2006-03-15 02:59 82848 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 17:03 . 2006-03-15 04:19 82848 ----a-w- c:\documents and settings\Ruth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 14:23 . 2006-03-10 21:21 82848 ----a-w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild
2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 00:24 . 2006-03-10 20:49 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-05-26 10:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2006-03-09 22:13 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2001-08-18 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-03-10 20:49 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-03-09 22:13 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2001-08-18 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-04-01 00:01 . 2006-04-01 00:01 1607 ----a-w- c:\program files\uninstal.log
2009-07-17 22:10 . 2009-07-17 22:10 24576 --sha-w- c:\windows\system32\joduharu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zipscript"="c:\program files\WORDsearch 8\ZipScript.exe" [2009-02-06 1390592]
"wmpnscfg"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-30 39408]
"spybotsd teatimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"h/pc connection agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-16 1200128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"quicktime task"="c:\windows\system32\qttask.exe" [2006-03-31 28672]
"hp software update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"google quick search box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-30 122368]
"adobe photo downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Rand McNally\\TripMaker\\Trpmaker.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\TTN\\TTN.exe"=
"c:\\WINDOWS\\system32\\qttask.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/17/2009 3:48 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1169232]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Wmipsc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06]

2009-10-05 c:\windows\Tasks\RegistryConvoy.job
- c:\program files\Registry Convoy 2009\RegistryConvoy.exe [2009-09-28 15:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myscanonline.info/antivirus/?aff_id=47&aff_Aid=20062&ref
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{7a7da335-ad8f-4fd8-9f0e-4a5cff30b251} - zihanine.dll
HKLM-Run-jivolibik - c:\docume~1\alluse~1\applic~1\biwagile\biwagile.dll
HKLM-Run-cmaudio - cmicnfg.cpl
HKLM-Run-nofunabape - yokifafa.dll
HKU-Default-Run-calc - c:\docume~1\DEFAUL~1\ntuser.dll
SharedTaskScheduler-{7abce5ca-8e96-4f27-9345-a7424183332c} - c:\docume~1\alluse~1\applic~1\biwagile\biwagile.dll
SSODL-divulamat-{7abce5ca-8e96-4f27-9345-a7424183332c} - c:\docume~1\alluse~1\applic~1\biwagile\biwagile.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-17 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,51,a8,d0,c0,b7,cc,45,aa,f1,39,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,51,a8,d0,c0,b7,cc,45,aa,f1,39,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Google\Quick Search Box\bin\1.2.1150.158\qsb.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-10-17 18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-17 23:52

Pre-Run: 59,087,716,352 bytes free
Post-Run: 58,990,694,400 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
319 --- E O F --- 2009-09-09 02:15
  • 0

#4
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi sgt_paul,

please do the following....

Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\intro.dll
C:\pmkvle.exe
C:\ngvh.exe
C:\tlvkon.exe
C:\rurqq.exe
C:\lqxebik.exe
c:\windows\isRS-000.tmp
C:\luqnovd.exe
C:\hsjcyle.exe
C:\ituycggj.exe
C:\dkvyax.exe
C:\rmnkbgw.exe
C:\uheu.exe
C:\gpsjumwh.exe
C:\nysin.exe
C:\apkjixyw.exe
C:\fmmvqn.exe
c:\windows\system32\joduharu.exe
c:\windows\system32\hememefo.exe
c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Folder::
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE
c:\program files\Registry Convoy 2009
c:\documents and settings\Ruth\Application Data\lowsec
c:\documents and settings\All Users\Application Data\biwagile
c:\documents and settings\All Users\Application Data\tifeliri
c:\documents and settings\All Users\Application Data\semoyesi
c:\documents and settings\All Users\Application Data\rorusofa
c:\documents and settings\All Users\Application Data\lusiyuge
c:\documents and settings\All Users\Application Data\darakibe
c:\documents and settings\Robert\Application Data\lowsec


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

Also let me know how things are running now :)
  • 0
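A small validator for the CFScript format used above, added here as an example (it is not code from the thread, from ComboFix or from Geeks to Go). It splits the File::/Folder:: directives into one entry per line and flags lines where two paths ran together, which is what the ComboFix log in the next reply records for C:\fmmvqn.exe and c:\windows\system32\joduharu.exe; the embedded sample is constructed from the thread's own paths, and the function names are the example's own.

```python
"""Validate and repair a ComboFix CFScript before it is dragged onto ComboFix.

Added example; not code from the thread, from ComboFix or from Geeks to Go.
Assumes the directive layout used in the post (a 'Name::' header line, then
one path per line) and that a well-formed drive path carries exactly one ':'
at index 1, so any later ':' preceded by a letter and followed by a backslash
marks the drive letter of a second path whose newline was lost when pasted.
"""
from __future__ import annotations

# Constructed sample: paths taken from the thread's script, including the
# three run-together lines that the ComboFix log in the next reply records.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\intro.dll
C:\pmkvle.exe
C:\fmmvqn.exec:\windows\system32\joduharu.exe
c:\windows\system32\hememefo.exec:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DATc:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Folder::
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSEc:\program files\Registry Convoy 2009
c:\documents and settings\All Users\Application Data\biwagile
"""


def split_joined_paths(line: str) -> list[str]:
    """Return the separate paths hidden in one line.

    'C:\\fmmvqn.exec:\\windows\\system32\\joduharu.exe' becomes
    ['C:\\fmmvqn.exe', 'c:\\windows\\system32\\joduharu.exe'].
    """
    parts: list[str] = []
    start = 0
    for i, ch in enumerate(line):
        # A ':' that is not the drive separator of the current path, is
        # preceded by a letter and followed by '\' starts a new drive path.
        if (ch == ':' and i > start + 1
                and line[i - 1].isalpha() and line[i + 1:i + 2] == '\\'):
            parts.append(line[start:i - 1])
            start = i - 1
    parts.append(line[start:])
    return parts


def parse_cfscript(text: str) -> tuple[dict[str, list[str]], list[tuple[str, list[str]]]]:
    """Split the script into {directive: [paths]} and list every repaired line."""
    sections: dict[str, list[str]] = {}
    repairs: list[tuple[str, list[str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):          # directive header such as 'File::'
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f'path before any directive: {line!r}')
        parts = split_joined_paths(line)
        if len(parts) > 1:
            repairs.append((line, parts))
        sections[current].extend(parts)
    return sections, repairs


def render_cfscript(sections: dict[str, list[str]]) -> str:
    """Write the sections back out, one path per line, ready to save as CFScript.txt."""
    out: list[str] = []
    for name, paths in sections.items():
        out.append(f'{name}::')
        out.extend(paths)
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    found, fixed = parse_cfscript(SAMPLE_CFSCRIPT)
    for original, parts in fixed:
        print(f'repaired: {original}')
        for p in parts:
            print(f'    -> {p}')
    print(render_cfscript(found))
```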

#5
sgt_paul

sgt_paul

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Things are looking much better. Desktop picture has returned to normal and I could even turn the firewall back on.

Here is the ComboFix.txt

ComboFix 09-10-16.09 - Owner 10/18/2009 9:50.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1093 [GMT -5:00]
Running from: c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Desktop\CFScript.txt

FILE ::
"C:\apkjixyw.exe"
"C:\dkvyax.exe"
"c:\fmmvqn.exec:\windows\system32\joduharu.exe"
"C:\gpsjumwh.exe"
"C:\hsjcyle.exe"
"C:\ituycggj.exe"
"C:\lqxebik.exe"
"C:\luqnovd.exe"
"C:\ngvh.exe"
"C:\nysin.exe"
"C:\pmkvle.exe"
"C:\rmnkbgw.exe"
"C:\rurqq.exe"
"C:\tlvkon.exe"
"C:\uheu.exe"
"c:\windows\isRS-000.tmp"
"c:\windows\system32\hememefo.exec:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DATc:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT"
"c:\windows\system32\intro.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\apkjixyw.exe
C:\dkvyax.exe
c:\documents and settings\All Users\Application Data\biwagile
c:\documents and settings\All Users\Application Data\darakibe
c:\documents and settings\All Users\Application Data\darakibe\darakibe.exe
c:\documents and settings\All Users\Application Data\lusiyuge
c:\documents and settings\All Users\Application Data\lusiyuge\lusiyuge.dll
c:\documents and settings\All Users\Application Data\rorusofa
c:\documents and settings\All Users\Application Data\rorusofa\rorusofa.dll
c:\documents and settings\All Users\Application Data\semoyesi
c:\documents and settings\All Users\Application Data\semoyesi\semoyesi.exe
c:\documents and settings\All Users\Application Data\tifeliri
c:\documents and settings\All Users\Application Data\tifeliri\tifeliri.exe
c:\documents and settings\Robert\Application Data\lowsec
c:\documents and settings\Robert\Application Data\lowsec\local.ds
c:\documents and settings\Robert\Application Data\lowsec\user.ds
c:\documents and settings\Robert\Application Data\lowsec\user.ds.lll
c:\documents and settings\Ruth\Application Data\lowsec
c:\documents and settings\Ruth\Application Data\lowsec\local.ds
c:\documents and settings\Ruth\Application Data\lowsec\user.ds
C:\gpsjumwh.exe
C:\hsjcyle.exe
C:\ituycggj.exe
C:\lqxebik.exe
C:\luqnovd.exe
C:\ngvh.exe
C:\nysin.exe
C:\pmkvle.exe
C:\rmnkbgw.exe
C:\rurqq.exe
C:\tlvkon.exe
C:\uheu.exe
c:\windows\isRS-000.tmp
c:\windows\system32\intro.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-17 21:43 . 2009-10-17 21:43 -------- d-----w- c:\program files\ERUNT
2009-10-17 20:48 . 2009-10-17 20:48 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-17 20:48 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-17 20:47 . 2009-10-17 20:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-06 18:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-06 18:33 . 2009-10-17 21:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 18:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:45 . 2009-10-17 23:47 -------- d--h--w- c:\windows\PIF
2009-10-05 20:40 . 2009-10-05 20:40 -------- d-----w- c:\program files\New Folder
2009-10-05 20:37 . 2009-10-05 20:37 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Malwarebytes
2009-10-05 20:37 . 2009-10-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-05 18:35 . 2009-10-05 22:10 -------- d-----w- c:\program files\Angle Interactive
2009-10-05 18:35 . 2009-10-05 18:35 -------- d-----w- C:\ProgramData
2009-10-05 18:31 . 2009-10-05 18:31 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE
2009-10-05 18:31 . 2009-10-05 18:31 -------- d-----w- c:\program files\Registry Convoy 2009
2009-10-04 06:35 . 2009-10-04 23:47 167424 ----a-w- C:\fmmvqn.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 21:37 . 2006-04-28 00:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-05 20:49 . 2006-04-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-04 18:41 . 2009-07-04 18:41 1048611 --sha-w- c:\windows\system32\hememefo.exe
2009-10-04 12:40 . 2008-01-19 21:56 -------- d-----w- c:\program files\WORDsearch 8
2009-09-29 02:49 . 2008-10-30 00:15 -------- d-----w- c:\program files\Bible Explorer 4
2009-09-20 17:55 . 2006-04-02 00:01 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\AdobeUM
2009-09-10 00:10 . 2009-09-10 00:08 70835 ----a-w- c:\windows\hpqins04.dat
2009-09-10 00:08 . 2009-09-10 00:07 70775 ----a-w- c:\windows\hpqins06.dat
2009-09-02 15:22 . 2009-09-02 15:22 -------- d-----w- c:\documents and settings\Robert\Application Data\HpUpdate
2009-08-30 19:25 . 2007-12-23 02:55 -------- d-----w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\U3
2009-08-23 02:43 . 2006-03-15 02:59 82848 ----a-w- c:\documents and settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 17:03 . 2006-03-15 04:19 82848 ----a-w- c:\documents and settings\Ruth\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 14:23 . 2006-03-10 21:21 82848 ----a-w- c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\MSBuild
2009-08-22 08:05 . 2009-08-22 08:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-07 00:24 . 2006-03-10 20:49 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2005-05-26 10:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2006-03-09 22:13 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2001-08-18 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2006-03-10 20:49 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-03-09 22:13 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2001-08-18 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-04-01 00:01 . 2006-04-01 00:01 1607 ----a-w- c:\program files\uninstal.log
2009-07-17 22:10 . 2009-07-17 22:10 24576 --sha-w- c:\windows\system32\joduharu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zipscript"="c:\program files\WORDsearch 8\ZipScript.exe" [2009-02-06 1390592]
"wmpnscfg"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-30 39408]
"spybotsd teatimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"h/pc connection agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-16 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"quicktime task"="c:\windows\system32\qttask.exe" [2006-03-31 28672]
"hp software update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"google quick search box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-30 122368]
"adobe photo downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Rand McNally\\TripMaker\\Trpmaker.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\TTN\\TTN.exe"=
"c:\\WINDOWS\\system32\\qttask.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/17/2009 3:48 PM 64288]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1169232]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Wmipsc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:06]

2009-10-05 c:\windows\Tasks\RegistryConvoy.job
- c:\program files\Registry Convoy 2009\RegistryConvoy.exe [2009-09-28 15:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myscanonline.info/antivirus/?aff_id=47&aff_Aid=20062&ref
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 09:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,51,a8,d0,c0,b7,cc,45,aa,f1,39,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,51,a8,d0,c0,b7,cc,45,aa,f1,39,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-18 9:55
ComboFix-quarantined-files.txt 2009-10-18 14:55
ComboFix2.txt 2009-10-17 23:52

Pre-Run: 58,952,843,264 bytes free
Post-Run: 58,911,199,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
219 --- E O F --- 2009-09-09 02:15
  • 0

#6
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi sgt_paul,

please do the following...


OTM by OldTimer

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    c:\program files\Registry Convoy 2009
    c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE
    c:\windows\system32\joduharu.exe
    c:\windows\system32\hememefo.exe
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.


===============================================

Malwarebytes' Anti-Malware
I see you already have Malwarebytes' Anti-Malware on your system, so let's update and run it.

Double Click mbam-setup.exe to run the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===============================================

TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

===============================================

Kaspersky WebScanner
please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
===============================================

Please post the following logs in your next reply:

OTM log
Malwarebytes log
Kaspersky WebScanner results

And as always let me know how it's running, and if you have any problems.
  • 0

#7
sgt_paul

sgt_paul

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the OTM log

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\program files\Registry Convoy 2009 moved successfully.
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE\RegistryConvoy2009\Backup\Registry moved successfully.
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE\RegistryConvoy2009\Backup moved successfully.
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE\RegistryConvoy2009 moved successfully.
c:\documents and settings\Owner.OWNER-3IIDJGMQC.000\Application Data\BILEVSE moved successfully.

Kaspersky WebScanner results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, October 18, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, October 18, 2009 18:21:51
Records in database: 3027281
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 66647
Threats found: 24
Infected objects found: 80
Suspicious objects found: 0
Scan duration: 06:01:26


File name / Threat / Threats count
C:\Documents and Settings\Bobby\Application Data\sdra64.exe Infected: Packed.Win32.Krap.z 1
C:\Documents and Settings\Robert\Application Data\sdra64.exe Infected: Packed.Win32.Krap.z 1
C:\Documents and Settings\Ruth\Application Data\sdra64.exe Infected: Packed.Win32.Krap.z 1
C:\Qoobox\Quarantine\C\apkjixyw.exe.vir Infected: Packed.Win32.Krap.af 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\darakibe\darakibe.exe.vir Infected: Trojan.Win32.Scar.zgn 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\lusiyuge\lusiyuge.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rorusofa\rorusofa.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\semoyesi\semoyesi.exe.vir Infected: Trojan.Win32.FraudPack.vds 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\tifeliri\tifeliri.exe.vir Infected: Trojan.Win32.FraudPack.vds 1
C:\Qoobox\Quarantine\C\Documents and Settings\Bobby\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Bobby\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Default User\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Default User\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Robert\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Robert\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Ruth\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\Documents and Settings\Ruth\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\biwagile\biwagile.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\ituycggj.exe.vir Infected: Backdoor.Win32.NewRest.bc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.alml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir Infected: Trojan.Win32.FraudPack.utt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bgrej.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\c3fx01t.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\calc.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\ntuser.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll.vir Infected: Trojan.Win32.Scar.aakg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir Infected: Trojan.HTML.Fraud.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\1b5981ef.sys.vir Infected: Backdoor.Win32.NewRest.ni 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyonfaqusv.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_1b5981ef_.sys.zip Infected: Backdoor.Win32.NewRest.ni 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Infected: Trojan.Win32.Sirefef.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkycqfvqypb.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyfvspxfdi.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasfkyqsttnpev.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Iasv32.dll.vir Infected: Backdoor.Win32.Agent.alml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ipripv32.dll.vir Infected: Backdoor.Win32.Agent.alml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Irmonv32.dll.vir Infected: Backdoor.Win32.Agent.alml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\joyikeza.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kqkeo7.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ln9m9vv.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lybmp.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mru1ycog.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nujaduha.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pj2yox5.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\px7jlhlaa.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\radisezo.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\silulawo.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xyvj1dk.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ybr37z5.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yokifafa.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zihanine.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zsn4yys4.dll.vir Infected: Trojan-Downloader.Win32.Small.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_mssrv32_.exe.zip Infected: Backdoor.Win32.Kbot.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Packed.Win32.Krap.z 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Packed.Win32.TDSS.aa 2
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Backdoor.Win32.NewRest.bc 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Backdoor.Win32.Bredavi.xe 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Packed.Win32.Krap.w 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Trojan.Win32.Scar.zgn 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Trojan-Downloader.Win32.FraudLoad.wsym 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Trojan-Downloader.Win32.FraudLoad.fsz 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Trojan.Win32.Agent2.cira 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Trojan.Win32.Agent.cyku 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Backdoor.Win32.Bredavi.wl 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000025.exe Infected: Packed.Win32.Krap.af 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000026.exe Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000027.exe Infected: Trojan.Win32.Scar.zgn 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000028.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000029.dll Infected: Packed.Win32.TDSS.aa 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000030.exe Infected: Trojan.Win32.FraudPack.vds 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000031.exe Infected: Trojan.Win32.FraudPack.vds 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000038.exe Infected: Backdoor.Win32.NewRest.bc 1
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000042.exe Infected: Packed.Win32.TDSS.aa 1
C:\_OTM\MovedFiles\10182009_104201\windows\system32\joduharu.exe Infected: Trojan-Downloader.Win32.FraudLoad.fva 1

Selected area has been scanned.

c:\windows\system32\joduharu.exe moved successfully.
c:\windows\system32\hememefo.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bobby
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.OWNER-3IIDJGMQC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.OWNER-3IIDJGMQC.000
->Temp folder emptied: 29161 bytes
->Temporary Internet Files folder emptied: 2400174 bytes

User: Robert
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Ruth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.38 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10182009_104201

Files moved on Reboot...

Registry entries deleted on Reboot...


Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2981
Windows 5.1.2600 Service Pack 3

10/18/2009 12:28:37 PM
mbam-log-2009-10-18 (12-28-37).txt

Scan type: Quick Scan
Objects scanned: 136225
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\BILEVSE (Rogue.RegTidy) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\AUserinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\fmmvqn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NWCWov32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Nwsapv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WmdmPv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Wmipscv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Wmipsiv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Microsoft\Internet Explorer\Quick Launch.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AUserinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Sorry about the delay. The web scan took over six hours. No other problems noted with the computer at this time.
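A triage point worth making about the scan report above: every hit sits under C:\Qoobox\Quarantine (ComboFix's quarantine), C:\_OTM\MovedFiles (OTM's) or a System Restore point, so the scanner is re-detecting copies that were already pulled out of service, not a live infection. The script below is an added example for this thread, not a tool from the original post or from any of the utilities used in it. It parses report lines of the "path Infected: name count" form the scanner prints, labels each hit by location, and lists only the paths outside those inert locations as needing action. The report text is constructed to mirror the posted format; the last line (example_live.dll, Trojan.Win32.Example.a) is a hypothetical live hit added so the live branch is exercised.

```python
"""Triage an online-scanner report: separate quarantined/restore-point hits from live ones.

Added example for this thread, not a tool from the original post. The report
lines below are constructed to mirror the "path Infected: name count" format
of the posted Kaspersky output; the last hit (example_live.dll) is a
hypothetical live file included so the live branch is exercised.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir Infected: Backdoor.Win32.Agent.alml 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_1b5981ef_.sys.zip Infected: Backdoor.Win32.NewRest.ni 2
C:\Qoobox\Quarantine\[4]-Submit_2009-10-18_09.50.17.zip Infected: Packed.Win32.TDSS.aa 2
C:\System Volume Information\_restore{E76662C6-8311-44F6-BCD2-FCDCA9A90DB0}\RP1\A0000026.exe Infected: Packed.Win32.TDSS.aa 1
C:\_OTM\MovedFiles\10182009_104201\windows\system32\joduharu.exe Infected: Trojan-Downloader.Win32.FraudLoad.fva 1
C:\WINDOWS\system32\example_live.dll Infected: Trojan.Win32.Example.a 1

Selected area has been scanned.
"""

# One report line: a path (may contain spaces), the literal "Infected:",
# the detection name, and a count of detected objects.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")

# Locations where a hit is an already-neutralised copy, not a running threat.
INERT_LOCATIONS = (
    ("combofix quarantine", "c:\\qoobox\\quarantine\\"),
    ("otm quarantine", "c:\\_otm\\movedfiles\\"),
    ("otm quarantine", "c:\\_otmoveit\\movedfiles\\"),
    ("system restore point", "c:\\system volume information\\_restore"),
)


def classify(path):
    """Return the inert location label for a path, or "live" if it matches none."""
    lowered = path.lower()
    for label, prefix in INERT_LOCATIONS:
        if lowered.startswith(prefix):
            return label
    return "live"


def parse_report(text):
    """Parse every 'Infected:' line; banners such as 'Selected area has been scanned.' are skipped."""
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        path = match.group("path")
        hits.append({
            "path": path,
            "name": match.group("name"),
            "count": int(match.group("count")),
            "location": classify(path),
        })
    return hits


def family(name):
    """'Packed.Win32.TDSS.aa' -> 'TDSS'; names with fewer than two dots are returned whole."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 3 else name


def summarize(hits):
    """Counts per location and per family, plus the live paths that need action."""
    return {
        "total": len(hits),
        "by_location": dict(Counter(h["location"] for h in hits)),
        "families": dict(Counter(family(h["name"]) for h in hits)),
        "live": [h["path"] for h in hits if h["location"] == "live"],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for location, n in sorted(summary["by_location"].items()):
        print(f"{n:3d}  {location}")
    for path in summary["live"]:
        print("LIVE:", path)
```

Inert does not mean ignorable: quarantine folders and restore points still hold working samples, so once the machine is confirmed clean they are purged (uninstalling ComboFix removes C:\Qoobox; disabling and re-enabling System Restore flushes the old restore points). The point of the split is to stop a long list of quarantine re-detections from being read as evidence that the cleanup failed.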

#8 BHowett (OT Moderator, 4,649 posts)
Hi

OTM by OldTimer


  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\Documents and Settings\Bobby\Application Data\sdra64.exe
    C:\Documents and Settings\Robert\Application Data\sdra64.exe 
    C:\Documents and Settings\Ruth\Application Data\sdra64.exe 
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===============================================


Please post the OTM log, and a fresh OTL log :)
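The OTM script in the reply above names three per-profile copies of sdra64.exe under :Files; OTM moves whatever it finds there into its MovedFiles folder and reports "File not found" for the rest. Before running a removal like that it is worth recording which targets actually exist and what their hashes are, so the cleanup leaves an IOC record that can be matched on other machines in the house later. The code below is an added example for this thread, not part of OTM or of the original post: it parses the script's :Section blocks and snapshots each :Files target. The script text and the files it points at are constructed in a temporary directory (PLACEHOLDER is a few harmless bytes standing in for a sample); the directory layout mirrors the per-profile paths in the reply.

```python
"""Parse an OTM ':Files' script and record what it will move, before running it.

Added example for this thread, not part of OTM or the original post. The
script text and the files it points at are constructed in a temporary
directory (the bytes stand in for a sample and are not malware); the layout
mirrors the per-profile sdra64.exe paths given in the reply above.
"""
import hashlib
import os
import tempfile

# Stand-in bytes for the sample: the two-byte 'MZ' DOS signature plus zero
# padding, nothing executable. Constructed for the demo.
PLACEHOLDER = b"MZ" + b"\x00" * 62


def parse_otm_script(text):
    """Split OTM script text into {':section': [lines]}; section names are lower-cased, blanks dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string (used to cross-check sha256_file)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks so large samples do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """For each target: existence, size and SHA-256, so the removal leaves an IOC record behind."""
    records = []
    for path in paths:
        if os.path.isfile(path):
            records.append({"path": path, "exists": True,
                            "size": os.path.getsize(path), "sha256": sha256_file(path)})
        else:
            # OTM reports "File not found" for these; recording them shows the
            # script was aimed at a profile the malware never reached.
            records.append({"path": path, "exists": False, "size": None, "sha256": None})
    return records


def demo():
    """Constructed run: one profile has the file, one does not. Returns (sections, records)."""
    root = tempfile.mkdtemp()
    present = os.path.join(root, "Bobby", "Application Data", "sdra64.exe")
    missing = os.path.join(root, "Robert", "Application Data", "sdra64.exe")
    os.makedirs(os.path.dirname(present))
    with open(present, "wb") as handle:
        handle.write(PLACEHOLDER)
    script = "\n".join([
        ":Processes", "explorer.exe", "",
        ":Files", present, missing,
        ":Commands", "[emptytemp]", "[Reboot]",
    ])
    sections = parse_otm_script(script)
    return sections, snapshot(sections[":files"])


if __name__ == "__main__":
    _, records = demo()
    for rec in records:
        print(rec)
```

Run the snapshot, keep its output with the OTM log, then run the script as posted. Hashing before the move rather than after matters because OTM renames and relocates what it moves, and the original path plus hash is what a later hunt will need.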

#9 sgt_paul (Member, Topic Starter, 10 posts)
OTM Log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Bobby\Application Data\sdra64.exe moved successfully.
C:\Documents and Settings\Robert\Application Data\sdra64.exe moved successfully.
C:\Documents and Settings\Ruth\Application Data\sdra64.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bobby
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.OWNER-3IIDJGMQC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.OWNER-3IIDJGMQC.000
->Temp folder emptied: 86465032 bytes
->Temporary Internet Files folder emptied: 3490407 bytes
->Java cache emptied: 25621453 bytes

User: Robert
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Ruth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 110.25 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10182009_224207

Files moved on Reboot...

Registry entries deleted on Reboot...


Thanks for all your help so far.

#10 BHowett (OT Moderator, 4,649 posts)
Hello again,

Can you post a fresh OTL log, please?

#11 sgt_paul (Member, Topic Starter, 10 posts)
Sorry. I missed the fact that you wanted OTM and OTL. Will post it as soon as I get home this afternoon. I am not trying to waste your time and am very thankful for your help.

#12 BHowett (OT Moderator, 4,649 posts)
No worries. I'm pretty sure you are good to go, but I just want to make sure before we finish up.


Just post it when you can. :)

#13 sgt_paul (Member, Topic Starter, 10 posts)
I ran OTL following the instructions in the malware and spyware cleaning guide. I only got the OTL.txt file and not the extras.txt file. I will post what I got.

OTL logfile created on: 10/19/2009 5:57:44 PM - Run 4
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 68.95% Memory free
3.35 Gb Paging File | 2.99 Gb Available in Paging File | 89.25% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 54.19 Gb Free Space | 71.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-3IIDJGMQC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/19 17:49:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTL.exe
PRC - [2009/10/18 12:39:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/18 12:39:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/29 20:54:40 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/07/29 20:54:38 | 00,122,368 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | -HS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/06 15:22:26 | 01,390,592 | ---- | M] (WORDsearch Corp.) -- C:\Program Files\WORDsearch 8\ZipScript.exe
PRC - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
PRC - [2006/10/18 21:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNSCFG.exe
PRC - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2006/07/25 02:01:00 | 00,114,688 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic Shared\CineTray.exe
PRC - [2006/03/31 18:37:33 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\qttask.exe
PRC - [2006/02/21 22:39:15 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006/01/02 18:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PRC - [2005/11/15 20:44:14 | 01,200,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2005/11/15 20:42:22 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2005/06/07 00:46:24 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2005/05/12 00:40:38 | 00,204,800 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
PRC - [2005/05/12 00:33:52 | 00,479,232 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
PRC - [2005/05/11 23:23:26 | 00,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
PRC - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/10/18 12:39:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/09/24 06:17:32 | 01,169,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (lavasoft ad-aware service [Auto | Stopped])
SRV - [2009/07/29 20:54:33 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2006/02/21 22:39:15 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2006/02/21 22:05:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/06 03:00:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/18 12:39:09 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [adobe photo downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [google quick search box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [hp software update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [quicktime task] C:\WINDOWS\System32\qttask.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [h/pc connection agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [spybotsd teatimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKCU..\Run: [zipscript] C:\Program Files\WORDsearch 8\ZipScript.exe (WORDsearch Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe (Sonic Solutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 93 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1142023616523 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1 4.2.2.2
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\lbxfile {56831180-F115-11d2-B6AA-00104B2B9943} - C:\Program Files\Libronix DLS\System\FileProt.dll (Libronix Corporation)
O18 - Protocol\Handler\lbxres {24508F1B-9E94-40EE-9759-9AF5795ADF52} - C:\Program Files\Libronix DLS\System\ResProt.dll (Libronix Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/09 17:16:56 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
NetSvcs: Wmipsc - Service key not found. File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/10/17 15:47:51 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/10/18 12:38:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Sun
[2009/10/17 16:43:25 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/18 12:39:05 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/10/18 12:22:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/19 17:49:22 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTL.exe
[2009/10/19 05:53:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/10/18 12:39:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/10/18 12:35:01 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\TFC.exe
[2009/10/18 12:22:57 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/18 12:22:56 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/18 10:42:03 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/10/18 10:42:01 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/10/18 10:41:16 | 00,408,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTM.exe
[2009/10/18 09:58:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/10/18 09:49:37 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/17 18:31:57 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/17 18:31:57 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/17 18:31:57 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/17 18:31:57 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/17 18:29:24 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/17 16:44:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/17 15:48:09 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/10/17 15:48:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/10/06 13:28:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss

========== Files - Modified Within 14 Days ==========

[2009/10/19 17:49:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTL.exe
[2009/10/19 12:30:00 | 00,000,366 | ---- | M] () -- C:\WINDOWS\tasks\RegistryConvoy.job
[2009/10/19 05:01:22 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/19 03:23:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/19 03:23:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/19 03:07:08 | 00,505,298 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/19 03:07:08 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/19 03:07:08 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/19 03:03:07 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/18 12:35:03 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\TFC.exe
[2009/10/18 12:22:59 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/18 10:41:17 | 00,408,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTM.exe
[2009/10/18 09:54:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/18 09:49:42 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/10/17 18:49:21 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/17 18:47:12 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\miwekuro
[2009/10/17 18:19:54 | 03,348,750 | R--- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ComboFix.exe
[2009/10/17 16:43:25 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\NTREGOPT.lnk
[2009/10/17 16:43:25 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ERUNT.lnk
[2009/10/17 16:35:53 | 00,005,008 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\sysrestorepoint error.rtf
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/17 15:47:50 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/10/06 19:17:17 | 00,000,890 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/06 19:17:17 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/10/06 18:33:08 | 00,085,612 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\cc_20091006_1833.reg

========== Files - No Company Name ==========
[2009/10/19 03:01:03 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/10/18 12:22:59 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/18 09:49:42 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/10/18 09:49:38 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/17 18:31:57 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/17 18:31:57 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/17 18:31:57 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/17 18:31:57 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/17 18:29:03 | 03,348,750 | R--- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ComboFix.exe
[2009/10/17 16:43:25 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\NTREGOPT.lnk
[2009/10/17 16:43:25 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ERUNT.lnk
[2009/10/17 16:35:53 | 00,005,008 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\sysrestorepoint error.rtf
[2009/10/17 15:49:09 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/17 15:47:50 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/10/06 19:35:50 | 00,472,064 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\RootRepeal.exe
[2009/10/06 19:29:14 | 00,361,369 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\dds.scr
[2009/10/06 19:17:17 | 00,001,879 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009/10/06 19:17:17 | 00,001,757 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/10/06 19:17:17 | 00,000,869 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
[2009/10/06 19:17:17 | 00,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
[2009/10/06 18:33:06 | 00,085,612 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\cc_20091006_1833.reg
[2009/08/03 14:37:17 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Mahjongg Variations.INI
[2008/08/16 11:11:46 | 00,000,058 | ---- | C] () -- C:\WINDOWS\TTN.INI
[2007/09/22 19:28:31 | 00,000,071 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2007/09/16 14:59:19 | 00,000,429 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/07/20 10:18:49 | 00,000,335 | ---- | C] () -- C:\WINDOWS\Trpmaker.INI
[2007/07/20 10:18:19 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PlugFile.dll
[2007/07/20 10:08:24 | 00,000,186 | ---- | C] () -- C:\WINDOWS\RPlanner.INI
[2007/07/20 10:07:48 | 00,038,688 | ---- | C] () -- C:\WINDOWS\System32\Leaddib.drv
[2007/07/20 10:07:46 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/07/20 10:07:41 | 00,011,136 | ---- | C] () -- C:\WINDOWS\System32\Fprun300.dll
[2006/12/23 15:57:01 | 00,000,894 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_PROTOCOL.log
[2006/12/23 15:57:00 | 00,004,619 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_UI.log
[2006/12/23 15:57:00 | 00,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2006/12/23 15:57:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_API.log
[2006/09/11 20:38:49 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/11 20:20:45 | 00,000,063 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/07/18 08:01:46 | 00,344,479 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
[2006/07/18 08:01:46 | 00,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2006/07/18 08:01:36 | 00,004,176 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HPSU_48BitScanUpdate.log
[2006/07/18 08:01:36 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/07/18 08:00:30 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log
[2006/07/18 08:00:29 | 00,000,716 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
[2006/07/18 08:00:29 | 00,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2006/07/18 08:00:17 | 00,004,828 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
[2006/07/18 08:00:17 | 00,000,228 | ---- | C] () -- C:\WINDOWS\HP_ISRegionListUpdatelog_HPSU.ini
[2006/07/18 08:00:05 | 00,005,646 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_InstantShareJPG.log
[2006/07/18 08:00:05 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2006/07/18 07:59:39 | 00,007,321 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_IZClosingDiscError.log
[2006/07/18 07:59:39 | 00,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2006/07/18 07:56:44 | 00,005,848 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/07/18 07:56:44 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/07/18 07:53:44 | 00,269,908 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2006/07/18 07:53:44 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/07/16 21:38:10 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/03/31 19:01:21 | 00,001,607 | ---- | C] () -- C:\Program Files\uninstal.log
[2006/03/14 21:07:09 | 00,009,711 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/03/14 14:13:32 | 00,002,508 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\$_hpcst$.hpc
[2006/03/13 16:28:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/10 21:14:55 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2006/03/10 20:46:08 | 00,000,148 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\fusioncache.dat
[2006/03/10 20:42:44 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2006/03/10 20:36:20 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006/03/10 20:36:19 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006/03/10 16:21:37 | 00,082,848 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/03/10 15:02:01 | 06,395,536 | -H-- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\IconCache.db
[2006/03/10 15:01:22 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\desktop.ini
[2006/03/09 11:01:34 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2005/08/27 19:41:50 | 00,032,768 | R--- | C] () -- C:\WINDOWS\System32\dwsvclnt.dll
[2004/09/17 18:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003/02/18 19:26:28 | 00,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/04 03:24:26 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2001/08/18 07:00:00 | 00,000,890 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/06 15:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/10/18 09:53:53 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/10/29 19:17:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{4A8C70B4-22EC-4060-8BF4-A88F7B8448DE}
[2008/01/19 16:57:27 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{B306A3A9-A7C4-4B0D-9D6A-DD50F415168A}
[2009/10/17 15:47:51 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2008/10/29 19:13:38 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{F86C4463-4448-48BD-9E9E-83A333A8E98B}
[2009/01/23 19:37:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/05/02 09:42:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/02/11 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2009/08/09 14:43:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2008/10/29 19:13:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LESSONmaker
[2006/10/29 22:27:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Libronix DLS
[2009/01/23 19:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/08/09 15:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/10/29 19:39:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WORDsearch
[2008/01/19 16:56:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\wsc
[2009/10/18 12:38:46 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data
[2006/03/10 20:46:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\ATI
[2009/01/23 19:39:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\DriverCure
[2009/08/03 15:51:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Gaijin Ent
[2008/04/09 15:18:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Intuit
[2006/08/07 17:41:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Leadertech
[2006/10/29 22:27:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Libronix DLS
[2009/08/09 14:36:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\SpinTop
[2009/08/30 14:25:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\U3
[2008/11/16 16:38:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\W Photo Studio Viewer
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2001/08/18 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/19 12:30:00 | 00,000,366 | ---- | M] () -- C:\WINDOWS\Tasks\RegistryConvoy.job
[2009/10/19 03:23:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logevent.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47BC930A
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F8104EE7
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:08FAADE1
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84E7BFEB
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:211ED887
< End of report >
  • 0

#14
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi sgt_paul,

please do the following...

OTM by OldTimer

  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\PEV.exe
    C:\WINDOWS\sed.exe
    C:\WINDOWS\grep.exe
    C:\WINDOWS\zip.exe
    C:\WINDOWS\System32\miwekuro
    C:\WINDOWS\tasks\RegistryConvoy.job
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Also, please post a new OTL log :)
  • 0
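The moderator's OTM script above was written by reading the OTL file listings and picking out the entries worth moving. As an added illustration of how an analyst can triage such a listing before hand-writing that script (this is example code, not OTL's, OTM's or the moderator's own logic), the following Python parses OTL-format "[date | size | attrs | C/M] (Company) -- path" and "@Alternate Data Stream" lines, applies two illustrative review heuristics (an executable-looking file under %SystemRoot% with no company name; a hidden-attribute file in System32), and renders a draft OTM `:Files` section for the analyst to check by hand. The sample lines are constructed, modeled on the log above; the heuristics and the function names are assumptions of this example.

```python
"""Triage helper for OTL-style file listings (added example, not OTL/OTM code).

Parses the "[stamp | size | attrs | C/M] (Company) -- path" entries and the
"@Alternate Data Stream" entries that OTL prints, applies two illustrative
review heuristics, and renders a draft OTM ':Files' section. The heuristics
are assumptions for this example; every hit still needs analyst review.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modeled on the OTL report posted in this thread.
SAMPLE_LOG = r"""
========== Files - Modified Within 14 Days ==========

[2009/10/19 17:49:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/10/17 18:47:12 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\miwekuro
[2009/10/17 18:31:57 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/17 18:31:57 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47BC930A
< End of report >
"""

# OTL file entry: [YYYY/MM/DD hh:mm:ss | 00,011,168 | -H-- | M] (Company) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# OTL ADS entry: @Alternate Data Stream - 130 bytes -> path:streamname
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}   # assumption: what "executable-looking" means here
SYSTEM_ROOT = "c:\\windows\\"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class FileEntry:
    stamp: str
    size: int
    attrs: str      # OTL attribute flags, e.g. "-H--" (H = hidden, D = directory)
    kind: str       # OTL's own marker: C = created, M = modified
    company: str    # empty string when OTL printed "()"
    path: str


@dataclass(frozen=True)
class StreamEntry:
    size: int
    target: str     # "<path>:<stream name>"


def parse_otl(text):
    """Return (file_entries, stream_entries) parsed from OTL report text."""
    files, streams = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            files.append(FileEntry(m["stamp"], int(m["size"].replace(",", "")),
                                   m["attrs"], m["kind"], m["company"].strip(), m["path"]))
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append(StreamEntry(int(m["size"]), m["target"]))
    return files, streams


def review(files):
    """Apply the two illustrative heuristics; return [(path, [reasons]), ...] in log order."""
    findings = []
    for f in files:
        low = f.path.lower()
        ext = ntpath.splitext(low)[1]          # ntpath handles backslash paths on any host OS
        reasons = []
        if low.startswith(SYSTEM_ROOT) and not f.company and (ext in EXEC_EXT or ext == ""):
            reasons.append("executable-looking file under %SystemRoot% with no company name")
        if "H" in f.attrs and low.startswith(SYSTEM32):
            reasons.append("hidden attribute set on a file in System32")
        if reasons:
            findings.append((f.path, reasons))
    return findings


def otm_script(findings):
    """Render a draft OTM script in the syntax used in the thread (:Files / :Commands)."""
    lines = [":Files"] + [path for path, _ in findings]
    lines += [":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    entries, ads = parse_otl(SAMPLE_LOG)
    for path, why in review(entries):
        print(f"{path}\n  - " + "\n  - ".join(why))
    for s in ads:                               # streams are listed for review, not auto-moved
        print(f"ADS ({s.size} bytes): {s.target}")
    print(otm_script(review(entries)))
```

On the constructed sample this flags `C:\WINDOWS\System32\miwekuro` on both heuristics and `C:\WINDOWS\PEV.exe` on the first, while `SWXCACLS.exe` (signed company name), `eventlog.dll` (Microsoft) and the `.job` task fall through; the scheduled task and the alternate data streams are left for the analyst to judge from context, which is exactly where a script like this stops being a substitute for reading the log.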

#15
sgt_paul

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Ran both OTM and OTL. Here are the results.



All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\PEV.exe moved successfully.
C:\WINDOWS\sed.exe moved successfully.
C:\WINDOWS\grep.exe moved successfully.
C:\WINDOWS\zip.exe moved successfully.
C:\WINDOWS\System32\miwekuro moved successfully.
C:\WINDOWS\tasks\RegistryConvoy.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bobby
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.OWNER-3IIDJGMQC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner.OWNER-3IIDJGMQC.000
->Temp folder emptied: 55487 bytes
->Temporary Internet Files folder emptied: 7089115 bytes
->Java cache emptied: 25493434 bytes

User: Robert
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Ruth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 2712680 bytes
RecycleBin emptied: 153022 bytes

Total Files Cleaned = 33.95 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10192009_184845

Files moved on Reboot...

Registry entries deleted on Reboot...




OTL logfile created on: 10/19/2009 6:52:51 PM - Run 5
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 69.86% Memory free
3.35 Gb Paging File | 2.98 Gb Available in Paging File | 88.87% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 54.22 Gb Free Space | 71.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-3IIDJGMQC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/19 17:49:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTL.exe
PRC - [2009/10/18 12:39:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/18 12:39:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/29 20:54:40 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/07/29 20:54:38 | 00,122,368 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | -HS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/06 15:22:26 | 01,390,592 | ---- | M] (WORDsearch Corp.) -- C:\Program Files\WORDsearch 8\ZipScript.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/23 03:38:16 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
PRC - [2006/10/18 21:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNSCFG.exe
PRC - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2006/07/25 02:01:00 | 00,114,688 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic Shared\CineTray.exe
PRC - [2006/03/31 18:37:33 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\qttask.exe
PRC - [2006/02/21 22:39:15 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006/01/02 18:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PRC - [2005/11/15 20:44:14 | 01,200,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2005/11/15 20:42:22 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2005/06/07 00:46:24 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2005/05/12 00:40:38 | 00,204,800 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
PRC - [2005/05/12 00:33:52 | 00,479,232 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
PRC - [2005/05/11 23:23:26 | 00,282,624 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
PRC - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

========== Win32 Services (SafeList) ==========

SRV - [2009/10/18 12:39:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/09/24 06:17:32 | 01,169,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (lavasoft ad-aware service [Auto | Stopped])
SRV - [2009/07/29 20:54:33 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/10/10 06:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/08/09 02:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2006/02/21 22:39:15 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2006/02/21 22:05:00 | 00,520,192 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/06 03:00:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/18 12:39:09 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [adobe photo downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [google quick search box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [hp software update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [quicktime task] C:\WINDOWS\System32\qttask.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [h/pc connection agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [spybotsd teatimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [wmpnscfg] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKCU..\Run: [zipscript] C:\Program Files\WORDsearch 8\ZipScript.exe (WORDsearch Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe (Sonic Solutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: 93 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1142023616523 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1 4.2.2.2
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\lbxfile {56831180-F115-11d2-B6AA-00104B2B9943} - C:\Program Files\Libronix DLS\System\FileProt.dll (Libronix Corporation)
O18 - Protocol\Handler\lbxres {24508F1B-9E94-40EE-9759-9AF5795ADF52} - C:\Program Files\Libronix DLS\System\ResProt.dll (Libronix Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/09 17:16:56 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
NetSvcs: Wmipsc - Service key not found. File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/10/17 15:47:51 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/10/18 12:38:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Sun
[2009/10/17 16:43:25 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/18 12:39:05 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/10/18 12:22:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/19 17:49:22 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTL.exe
[2009/10/18 12:39:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/10/18 12:35:01 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\TFC.exe
[2009/10/18 12:22:57 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/18 12:22:56 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/18 10:42:03 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/10/18 10:42:01 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/10/18 10:41:16 | 00,408,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTM.exe
[2009/10/18 09:58:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/10/18 09:49:37 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/17 18:31:57 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/17 18:31:57 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/17 18:31:57 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/17 18:31:57 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/17 18:29:24 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/17 16:44:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/17 15:48:09 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/10/17 15:48:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/10/06 13:28:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss

========== Files - Modified Within 14 Days ==========

[2009/10/19 18:50:42 | 00,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/19 18:50:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/19 18:50:05 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/19 17:49:24 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTL.exe
[2009/10/19 03:07:08 | 00,505,298 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/19 03:07:08 | 00,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/19 03:07:08 | 00,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/19 03:03:07 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/18 12:35:03 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\TFC.exe
[2009/10/18 12:22:59 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/18 10:41:17 | 00,408,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\OTM.exe
[2009/10/18 09:54:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/18 09:49:42 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/10/17 18:49:21 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/17 18:19:54 | 03,348,750 | R--- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ComboFix.exe
[2009/10/17 16:43:25 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\NTREGOPT.lnk
[2009/10/17 16:43:25 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ERUNT.lnk
[2009/10/17 16:35:53 | 00,005,008 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\sysrestorepoint error.rtf
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/17 15:47:50 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/10/06 19:17:17 | 00,000,890 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/06 19:17:17 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/10/06 18:33:08 | 00,085,612 | ---- | M] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\cc_20091006_1833.reg

========== Files - No Company Name ==========
[2009/10/19 03:01:03 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/10/18 12:22:59 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/18 09:49:42 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/10/18 09:49:38 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/17 18:29:03 | 03,348,750 | R--- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ComboFix.exe
[2009/10/17 16:43:25 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\NTREGOPT.lnk
[2009/10/17 16:43:25 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\ERUNT.lnk
[2009/10/17 16:35:53 | 00,005,008 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\sysrestorepoint error.rtf
[2009/10/17 15:49:09 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/10/17 15:47:50 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/10/06 19:35:50 | 00,472,064 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\RootRepeal.exe
[2009/10/06 19:29:14 | 00,361,369 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Desktop\dds.scr
[2009/10/06 19:17:17 | 00,001,879 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009/10/06 19:17:17 | 00,001,757 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2009/10/06 19:17:17 | 00,000,869 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
[2009/10/06 19:17:17 | 00,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
[2009/10/06 18:33:06 | 00,085,612 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\My Documents\cc_20091006_1833.reg
[2009/08/03 14:37:17 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Mahjongg Variations.INI
[2008/08/16 11:11:46 | 00,000,058 | ---- | C] () -- C:\WINDOWS\TTN.INI
[2007/09/22 19:28:31 | 00,000,071 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2007/09/16 14:59:19 | 00,000,429 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/07/20 10:18:49 | 00,000,335 | ---- | C] () -- C:\WINDOWS\Trpmaker.INI
[2007/07/20 10:18:19 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\PlugFile.dll
[2007/07/20 10:08:24 | 00,000,186 | ---- | C] () -- C:\WINDOWS\RPlanner.INI
[2007/07/20 10:07:48 | 00,038,688 | ---- | C] () -- C:\WINDOWS\System32\Leaddib.drv
[2007/07/20 10:07:46 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/07/20 10:07:41 | 00,011,136 | ---- | C] () -- C:\WINDOWS\System32\Fprun300.dll
[2006/12/23 15:57:01 | 00,000,894 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_PROTOCOL.log
[2006/12/23 15:57:00 | 00,004,619 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_UI.log
[2006/12/23 15:57:00 | 00,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2006/12/23 15:57:00 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Hewlett-PackardHP Photosmart 3300 series1160495728_API.log
[2006/09/11 20:38:49 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/09/11 20:20:45 | 00,000,063 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/07/18 08:01:46 | 00,344,479 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
[2006/07/18 08:01:46 | 00,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2006/07/18 08:01:36 | 00,004,176 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HPSU_48BitScanUpdate.log
[2006/07/18 08:01:36 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/07/18 08:00:30 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log
[2006/07/18 08:00:29 | 00,000,716 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
[2006/07/18 08:00:29 | 00,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2006/07/18 08:00:17 | 00,004,828 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
[2006/07/18 08:00:17 | 00,000,228 | ---- | C] () -- C:\WINDOWS\HP_ISRegionListUpdatelog_HPSU.ini
[2006/07/18 08:00:05 | 00,005,646 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_InstantShareJPG.log
[2006/07/18 08:00:05 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2006/07/18 07:59:39 | 00,007,321 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\PatchUpdate_IZClosingDiscError.log
[2006/07/18 07:59:39 | 00,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2006/07/18 07:56:44 | 00,005,848 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/07/18 07:56:44 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/07/18 07:53:44 | 00,269,908 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2006/07/18 07:53:44 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/07/16 21:38:10 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/03/31 19:01:21 | 00,001,607 | ---- | C] () -- C:\Program Files\uninstal.log
[2006/03/14 21:07:09 | 00,009,711 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/03/14 14:13:32 | 00,002,508 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\$_hpcst$.hpc
[2006/03/13 16:28:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/10 21:14:55 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2006/03/10 20:46:08 | 00,000,148 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\fusioncache.dat
[2006/03/10 20:42:44 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2006/03/10 20:36:20 | 00,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006/03/10 20:36:19 | 00,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006/03/10 16:21:37 | 00,082,848 | ---- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/03/10 15:02:01 | 06,395,536 | -H-- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Local Settings\Application Data\IconCache.db
[2006/03/10 15:01:22 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\desktop.ini
[2006/03/09 11:01:34 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2005/08/27 19:41:50 | 00,032,768 | R--- | C] () -- C:\WINDOWS\System32\dwsvclnt.dll
[2004/09/17 18:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003/02/18 19:26:28 | 00,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/04 03:24:26 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2001/08/18 07:00:00 | 00,000,890 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/06 15:30:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/10/18 09:53:53 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/10/29 19:17:05 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{4A8C70B4-22EC-4060-8BF4-A88F7B8448DE}
[2008/01/19 16:57:27 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{B306A3A9-A7C4-4B0D-9D6A-DD50F415168A}
[2009/10/17 15:47:51 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2008/10/29 19:13:38 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{F86C4463-4448-48BD-9E9E-83A333A8E98B}
[2009/01/23 19:37:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/05/02 09:42:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/02/11 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intuit
[2009/08/09 14:43:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2008/10/29 19:13:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LESSONmaker
[2006/10/29 22:27:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Libronix DLS
[2009/01/23 19:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/08/09 15:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/10/29 19:39:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WORDsearch
[2008/01/19 16:56:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\wsc
[2009/10/18 12:38:46 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data
[2006/03/10 20:46:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\ATI
[2009/01/23 19:39:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\DriverCure
[2009/08/03 15:51:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Gaijin Ent
[2008/04/09 15:18:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Intuit
[2006/08/07 17:41:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Leadertech
[2006/10/29 22:27:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\Libronix DLS
[2009/08/09 14:36:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\SpinTop
[2009/08/30 14:25:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\U3
[2008/11/16 16:38:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner.OWNER-3IIDJGMQC.000\Application Data\W Photo Studio Viewer
[2009/10/17 15:52:57 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2001/08/18 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/10/19 18:50:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\logevent.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47BC930A
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F8104EE7
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:08FAADE1
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84E7BFEB
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA18FD1D
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:211ED887
< End of report >