
Really need some help, having no luck.

Discussion in 'Virus & Other Malware Removal' started by the-drew, Sep 7, 2010.

  1. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    Can't go to Windows Update, iexplorer is getting redirected, can't turn on Windows Firewall, can't post to HijackThis forums. I have used several anti-malware/virus/spyware solutions with no luck. Running Windows XP 3.


    1 HijackThis

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:03:35 AM, on 9/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Desktop\HijackThis.exe

    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\RunOnce: [iolo 3rd Party Reboot] C:\Documents and Settings\Rob\Application Data\iolo\IRestartStub.exe /t "System Mechanic Professional" /i "fromreg" /v "iolo 3rd Party Reboot" /av "fromreg"
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/stg_drm.ocx
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166103550577
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file:///D:/CDVIEWER/CdViewer.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
    O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
    O23 - Service: Windows Network Service (MCIService) - Unknown owner - (no file)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 6832 bytes

    2 DDS.txt


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Rob at 9:06:33.02 on Tue 09/07/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.17 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Rob\My Documents\Downloads\SysInfo.exe
    C:\Documents and Settings\Rob\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = <local>
    mURLSearchHooks: H - No File
    BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
    TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
    TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\rob\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    IE: Google Sidewiki...
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/stg_drm.ocx
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166103550577
    DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - hxxp://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/armhelper.ocx
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file:///D:/CDVIEWER/CdViewer.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-4 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-2 28552]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-3 11608]
    R1 MpKsld4dc232b;MpKsld4dc232b;c:\program files\windows live safety center\MpKsld4dc232b.sys [2010-9-5 28752]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-3 60936]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-1-12 47640]
    S1 mas;mas;\??\c:\windows\system32\drivers\mas.sys --> c:\windows\system32\drivers\mas.sys [?]
    S3 BW2NDIS5;BW2NDIS5; [x]
    S3 ExterminateIt;ExterminateIt;c:\windows\system32\drivers\extit.sys [2009-10-25 22016]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    =============== Created Last 30 ================

    2010-09-07 03:41:34 0 d-----w- C:\VundoFix Backups
    2010-09-06 16:46:26 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-09-06 16:46:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-09-05 18:27:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-09-04 22:46:01 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-09-04 22:45:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-04 19:42:16 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-09-04 19:37:22 0 d-----w- c:\program files\Lavasoft
    2010-09-04 19:18:25 0 d-----w- C:\iolo
    2010-09-04 18:16:31 74703 ----a-w- c:\windows\system32\mfc45.dll
    2010-09-04 18:16:23 0 d-----w- c:\docume~1\rob\applic~1\iolo
    2010-09-04 18:16:23 0 d-----w- c:\docume~1\alluse~1\applic~1\iolo
    2010-09-03 12:20:23 0 d-----w- c:\docume~1\rob\applic~1\SUPERAntiSpyware.com
    2010-09-03 11:56:22 0 d-----w- c:\docume~1\rob\applic~1\Avira
    2010-09-03 10:53:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-09-03 10:53:16 0 d-----w- c:\program files\Avira
    2010-09-03 10:53:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-09-03 00:56:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-09-03 00:54:33 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-09-03 00:53:57 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-09-03 00:53:49 0 d-----w- c:\program files\Panda Security
    2010-08-28 20:43:34 0 d-----w- c:\program files\CCleaner
    2010-08-26 22:58:21 0 d-----w- c:\windows\system32\NtmsData
    2010-08-26 21:20:03 0 d-----w- c:\docume~1\rob\applic~1\Malwarebytes
    2010-08-26 21:19:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-26 21:19:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-08-26 21:19:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-26 21:19:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-26 21:10:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-16 04:52:44 54156 ---ha-w- c:\windows\QTFont.qfn
    2010-08-16 04:52:44 1409 ----a-w- c:\windows\QTFont.for
    2010-08-14 19:51:09 0 d-----w- c:\docume~1\rob\applic~1\EasyPDFReader
    2010-08-14 19:50:38 0 d-----w- c:\program files\Search Toolbar
    2010-08-14 19:48:36 0 d-----w- c:\program files\Easy PDF Reader
    2010-08-14 19:11:43 0 d-----w- c:\docume~1\alluse~1\applic~1\FileCure

    ==================== Find3M ====================

    2010-08-27 23:36:14 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2010-08-27 23:36:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2010-08-27 23:36:11 29568 ----a-w- c:\windows\system32\LMIport.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2006-11-18 05:24:32 29784 -c--a-w- c:\program files\popcorn Terms.html
    2002-11-18 11:26:06 61440 -c--a-w- c:\windows\inf\i386\onetUSD.dll
    2002-10-24 13:29:30 36864 -c--a-w- c:\windows\inf\i386\Vizmicro.dll
    2002-10-24 13:28:28 172032 -c--a-w- c:\windows\inf\i386\viceo.dll
    2002-10-24 13:02:22 225280 -c--a-w- c:\windows\inf\i386\rtscan.dll
    2001-08-03 23:29:18 13824 -c--a-w- c:\windows\inf\i386\Usbscan.sys
    2009-02-15 07:32:55 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021520090216\index.dat

    ============= FINISH: 9:10:02.88 ===============

    3 Attached txt is attached

    4 Ark.txt


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-07 17:19:46
    Windows 5.1.2600 Service Pack 3
    Running: 2db6gluv.exe; Driver: C:\DOCUME~1\Rob\LOCALS~1\Temp\axrirpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT F99A9DCE ZwCreateKey
    SSDT F99A9DC4 ZwCreateThread
    SSDT F99A9DD3 ZwDeleteKey
    SSDT F99A9DDD ZwDeleteValueKey
    SSDT F99A9DE2 ZwLoadKey
    SSDT F99A9DB0 ZwOpenProcess
    SSDT F99A9DB5 ZwOpenThread
    SSDT F99A9DEC ZwReplaceKey
    SSDT F99A9DE7 ZwRestoreKey
    SSDT F99A9DD8 ZwSetValueKey

    INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EE58116D
    INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) EE580FC2

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xED76D400, 0x82482, 0xE8000020]
    .protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlock" section [0xED80D420]
    .protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xED80D200, 0x5105, 0xE0000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[988] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0145000A
    .text C:\WINDOWS\System32\svchost.exe[988] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A
    .text C:\WINDOWS\Explorer.EXE[2468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[2468] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[2468] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

    ---- EOF - GMER 1.0.15 ----

  2. the-drew

    the-drew Thread Starter

  3. the-drew

    the-drew Thread Starter

    Any chance of getting some help? It's been a few days since my original post. I would really appreciate some help.
     
  4. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello the-drew,

    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    • IMPORTANT !!! Save ComboFix.exe to your Desktop.
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot)

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot)

    Click on Yes, to continue scanning for malware.

    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
     
  5. the-drew

    the-drew Thread Starter

    Hello emeraldnzl,

    Thanks for the reply!

    Here is the ComboFix log:

    ComboFix 10-09-09.04 - Rob 09/10/2010 21:21:14.1.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.15 [GMT -5:00]
    Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ADS - WINDOWS: deleted 72 bytes in 1 streams.
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\program files\Common Files\zumf
    c:\program files\Common Files\zumf\zumfd\class-barrel
    c:\program files\popcorn Terms.html
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\windows\system32\tmp.reg
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_BOONTY_GAMES
    -------\Legacy_MAS
    -------\Legacy_MICROSOFT_MEDIA_TOOLS
    -------\Legacy_RDRIV
    -------\Service_Boonty Games
    -------\Service_mas
    -------\Service_MicroSoft Media Tools

    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .
    2010-09-06 16:46 . 2010-09-06 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-04 19:37 . 2010-09-08 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-09-04 19:21 . 2010-07-06 20:11 492208 ----a-w- c:\documents and settings\Rob\Application Data\iolo\IRestartStub.exe
    2010-09-04 18:16 . 2010-09-07 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
    2010-09-04 18:16 . 2010-09-04 19:21 -------- d-----w- c:\documents and settings\Rob\Application Data\iolo
    2010-09-03 12:23 . 2010-09-03 12:23 63488 ----a-w- c:\documents and settings\Rob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-03 12:23 . 2010-09-03 12:23 52224 ----a-w- c:\documents and settings\Rob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-03 12:22 . 2010-09-03 12:22 117760 ----a-w- c:\documents and settings\Rob\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-03 12:20 . 2010-09-03 12:20 -------- d-----w- c:\documents and settings\Rob\Application Data\SUPERAntiSpyware.com
    2010-09-03 11:56 . 2010-09-03 11:56 -------- d-----w- c:\documents and settings\Rob\Application Data\Avira
    2010-09-03 11:06 . 2010-09-03 11:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-09-03 11:04 . 2010-09-03 11:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-09-03 10:53 . 2010-09-03 10:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-09-03 00:57 . 2010-09-03 00:57 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-09-03 00:57 . 2010-09-03 00:57 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-09-03 00:56 . 2010-09-03 00:56 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-03 00:56 . 2010-09-03 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-09-03 00:56 . 2010-09-03 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-08-29 04:22 . 2010-08-29 04:22 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-08-26 21:20 . 2010-08-26 21:20 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
    2010-08-26 21:19 . 2010-08-26 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-14 19:51 . 2010-08-14 19:51 -------- d-----w- c:\documents and settings\Rob\Application Data\EasyPDFReader
    2010-08-14 19:11 . 2010-08-14 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-10 11:35 . 2010-01-13 00:00 -------- d-----w- c:\program files\LogMeIn
    2010-09-08 01:08 . 2002-09-03 19:53 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
    2010-09-06 17:30 . 2010-09-06 16:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-09-05 22:33 . 2010-09-05 21:49 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-09-04 22:45 . 2010-09-04 22:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-04 19:24 . 2010-09-04 19:24 -------- d-----w- c:\program files\Windows Defender
    2010-09-04 18:16 . 2010-09-04 18:16 74703 ----a-w- c:\windows\system32\mfc45.dll
    2010-09-03 12:02 . 2010-09-10 02:05 254324 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aesbx.dll
    2010-09-03 12:02 . 2010-09-10 02:05 106868 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aevdf.dll
    2010-09-03 12:02 . 2010-09-10 02:05 1364346 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aescript.dll
    2010-09-03 12:02 . 2010-09-10 02:05 127347 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aescn.dll
    2010-09-03 12:02 . 2010-09-10 02:05 614772 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aerdl.dll
    2010-09-03 12:02 . 2010-09-10 02:05 471412 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aepack.dll
    2010-09-03 12:02 . 2010-09-10 02:05 201081 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aeoffice.dll
    2010-09-03 12:02 . 2010-09-10 02:05 2883958 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aeheur.dll
    2010-09-03 12:02 . 2010-09-10 02:05 242038 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aehelp.dll
    2010-09-03 12:02 . 2010-09-10 02:05 397684 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aegen.dll
    2010-09-03 12:02 . 2010-09-10 02:05 393588 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aeemu.dll
    2010-09-03 12:02 . 2010-09-10 02:05 192887 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aecore.dll
    2010-09-03 10:53 . 2010-09-03 10:53 -------- d-----w- c:\program files\Avira
    2010-09-03 00:56 . 2010-09-03 00:53 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-09-03 00:53 . 2010-09-03 00:53 -------- d-----w- c:\program files\Panda Security
    2010-08-29 05:00 . 2010-05-16 19:57 -------- d-----w- c:\program files\PokerStars.NET
    2010-08-29 04:07 . 2010-08-26 21:10 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-28 20:44 . 2010-08-28 20:43 -------- d-----w- c:\program files\CCleaner
    2010-08-27 23:36 . 2010-01-13 00:03 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2010-08-27 23:36 . 2010-01-13 00:04 29568 ----a-w- c:\windows\system32\LMIport.dll
    2010-08-27 23:36 . 2010-01-13 00:03 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2010-08-27 20:09 . 2009-07-10 22:01 -------- d-----w- c:\program files\Lx_cats
    2010-08-26 22:25 . 2010-02-28 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-26 21:19 . 2010-08-26 21:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-17 23:52 . 2008-11-06 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-08-14 20:32 . 2010-01-13 01:04 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-08-14 19:50 . 2010-08-14 19:48 -------- d-----w- c:\program files\Easy PDF Reader
    2010-07-24 01:31 . 2008-06-21 18:03 -------- d-----w- c:\documents and settings\Rob\Application Data\Chessmaster Challenge
    2010-06-30 12:31 . 2002-09-03 19:54 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2002-09-03 20:03 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2002-09-03 19:57 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2002-09-03 19:39 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2006-08-12 08:29 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 2006-09-13 05:09 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-28 136176]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-08-27 23:36 87424 ----a-w- c:\windows\system32\LMIinit.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\.protected
    backup=c:\windows\pss\.protectedCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^.protected]
    path=c:\documents and settings\Rob\Start Menu\Programs\Startup\.protected
    backup=c:\windows\pss\.protectedStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\documents and settings\Rob\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMUpdate
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\License Manager
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MenaceFighter
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2005-10-11 23:25 1961984 -c----w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
    2002-11-18 11:17 94208 -c--a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-10-12 09:10 49152 -c--a-w- c:\program files\Java\jre1.5.0_09\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WZCSVC"=2 (0x2)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
    R2 MCIService;Windows Network Service; [x]
    R3 BW2NDIS5;BW2NDIS5; [x]
    R3 ExterminateIt;ExterminateIt;c:\windows\system32\drivers\extit.sys [2009-10-25 22016]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
    S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-05-25 537520]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1563985344-1957994488-1003Core.job
    - c:\documents and settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 20:14]
    2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1563985344-1957994488-1003UA.job
    - c:\documents and settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-28 20:14]
    2010-09-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    2010-09-10 c:\windows\Tasks\User_Feed_Synchronization-{04F5700C-F654-472D-BCEA-47DB8CB9AB9A}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    uInternet Settings,ProxyOverride = <local>
    IE: Google Sidewiki...
    IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
    DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file:///D:/CDVIEWER/CdViewer.cab
    .
    - - - - ORPHANS REMOVED - - - -
    Toolbar-Locked - (no file)
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-klmdb.sys
    MSConfigStartUp-NetZero_uoltray - c:\program files\NetZero\exec.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-10 21:46
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    "NoChange"="1"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    @=""
    "Installed"="1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(532)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    - - - - - - - > 'explorer.exe'(3228)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-10 22:01:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-11 03:01
    Pre-Run: 18,830,417,920 bytes free
    Post-Run: 19,217,137,664 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    - - End Of File - - 1E213ACD840564B251DEEBCB6AC99105
     
  6. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello

    I take it you use the remote Logmein program? If not please tell me when you return.

    Now

    Please download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      Code:
      netsvcs
      drivers32
      %SYSTEMDRIVE%\*.*
      %systemroot%\Fonts\*.com
      %systemroot%\Fonts\*.dll
      %systemroot%\Fonts\*.ini
      %systemroot%\Fonts\*.ini2
      %systemroot%\Fonts\*.exe
      %systemroot%\system32\spool\prtprocs\w32x86\*.*
      %systemroot%\REPAIR\*.bak1
      %systemroot%\REPAIR\*.ini
      %systemroot%\system32\*.jpg
      %systemroot%\*.jpg
      %systemroot%\*.png
      %systemroot%\*.scr
      %systemroot%\*._sy
      %APPDATA%\Adobe\Update\*.*
      %ALLUSERSPROFILE%\Favorites\*.*
      %APPDATA%\Microsoft\*.*
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\System32\config\*.sav
      %PROGRAMFILES%\bak. /s
      %systemroot%\system32\bak. /s
      %ALLUSERSPROFILE%\Start Menu\*.lnk /x
      %systemroot%\system32\config\systemprofile\*.dat /x
      %systemroot%\*.config
      %systemroot%\system32\*.db
      %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
      %USERPROFILE%\Desktop\*.exe
      %PROGRAMFILES%\Common Files\*.*
      %systemroot%\*.src
      %systemroot%\install\*.*
      %systemroot%\system32\DLL\*.*
      %systemroot%\system32\HelpFiles\*.*
      %systemroot%\system32\rundll\*.*
      %systemroot%\winn32\*.*
      %systemroot%\Java\*.*
      %systemroot%\system32\test\*.*
      %systemroot%\system32\Rundll32\*.*
      %systemroot%\AppPatch\Custom\*.*
      %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
      %PROGRAMFILES%\PC-Doctor\Downloads\*.*
      %PROGRAMFILES%\Internet Explorer\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dat
      %USERPROFILE%\My Documents\*.exe
      %USERPROFILE%\*.exe
      %systemroot%\ADDINS\*.*
      %systemroot%\assembly\*.bak2
      %systemroot%\Config\*.*
      %systemroot%\REPAIR\*.bak2
      %systemroot%\SECURITY\Database\*.sdb /x
      %systemroot%\SYSTEM\*.bak2
      %systemroot%\Web\*.bak2
      %systemroot%\Driver Cache\*.*
      %PROGRAMFILES%\Mozilla Firefox\0*.exe
      %ProgramFiles%\Microsoft Common\*.*
      %ProgramFiles%\TinyProxy.
      %USERPROFILE%\Favorites\*.url /x
      %systemroot%\system32\*.bk
      %systemroot%\*.te
      %systemroot%\system32\system32\*.*
      %ALLUSERSPROFILE%\*.dat /x
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
      
      
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so.

    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post back here.
    So when you return please post
    • the two OTL logs - OTL.txt and Extras.txt


    Note: Unless otherwise instructed, always post the logs in the forum. If reports don't fit on one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine. :)
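    To turn logs like the ComboFix service lines posted above and the OTL SRV/DRV lines the specialist asks for into a short list of entries worth a second look, here is an added Python triage script (not part of the thread, of OTL or of ComboFix); the sample lines are constructed in the shape of the logs posted here, and the flags it raises are pointers for a human analyst, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape of the OTL "Win32 Services" /
# "Driver Services" output and the ComboFix service list seen in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- -- (MCIService)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2007/05/25 04:41:53 | 000,099,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService)
SRV - [2010/07/26 16:00:24 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
R2 MCIService;Windows Network Service; [x]
R3 ExterminateIt;ExterminateIt;c:\windows\system32\drivers\extit.sys [2009-10-25 22016]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
"""

# OTL: "SRV - <File not found | [date | size | attrs | M] (Company)> [start | state] -- path -- (Name)"
OTL_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<meta>[^\]]*)\] \((?P<company>.*?)\)) "
    r"\[(?P<state>[^\]]*)\] -- (?P<path>.*?)\s*-- \((?P<name>[^)]*)\)"
)
# ComboFix: "<R|S><start type> Name;Display name;path [date size]"  ("[x]" = file not found;
# R/S = running/stopped is ComboFix's own convention, assumed here)
COMBOFIX_RE = re.compile(
    r"^(?P<kind>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]"
)


@dataclass
class Entry:
    source: str            # "otl" or "combofix"
    kind: str              # SRV / DRV / R2 / S2 ...
    name: str
    path: str              # "" when the log recorded no path at all
    company: Optional[str] # None when the log format carries no publisher field
    state: str
    file_found: bool


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL or ComboFix service/driver line; None for anything else."""
    m = OTL_RE.match(line)
    if m:
        return Entry("otl", m["kind"], m["name"], m["path"], m["company"],
                     m["state"], file_found=m["missing"] is None)
    m = COMBOFIX_RE.match(line)
    if m:
        return Entry("combofix", m["kind"], m["name"], m["path"], None,
                     "Running" if m["kind"].startswith("R") else "Stopped",
                     file_found=m["info"].strip() != "x")
    return None


def parse_log(text: str) -> List[Entry]:
    entries = (parse_line(raw.strip()) for raw in text.splitlines())
    return [e for e in entries if e is not None]


def triage(entries: List[Entry]) -> List[dict]:
    """Return the entries an analyst should look at first, each with one reason."""
    findings = []
    for e in entries:
        if not e.file_found and "Running" in e.state:
            reason = "reported running/loaded but its file is not found on disk"
        elif not e.file_found and not e.path:
            reason = "registered with no file path and no file on disk"
        elif not e.file_found:
            reason = "file not found on disk (orphaned registration)"
        elif e.company is not None and not e.company.strip():
            reason = "binary carries no publisher/version information"
        else:
            continue
        findings.append({"source": e.source, "kind": e.kind, "name": e.name,
                         "path": e.path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f['source']}] {f['kind']} {f['name']}: {f['reason']} ({f['path'] or 'no path'})")
```

On the real OTL.txt and ComboFix log, feed the whole file to parse_log; lines that are not service or driver entries are simply skipped.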
     
  7. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    Yes, I do use logmein on this machine.

    Here is the otl.txt file

    OTL logfile created on: 9/10/2010 10:57:58 PM - Run 1
    OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Rob\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    254.00 Mb Total Physical Memory | 71.00 Mb Available Physical Memory | 28.00% Memory free
    625.00 Mb Paging File | 255.00 Mb Available in Paging File | 41.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 800 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 17.90 Gb Free Space | 48.06% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 1.84 Gb Total Space | 1.57 Gb Free Space | 85.60% Space Free | Partition Type: FAT
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ROB-JIDY
    Current User Name: Rob
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Processes (SafeList) ==========

    PRC - [2010/09/10 22:57:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
    PRC - [2010/08/27 18:37:06 | 000,116,104 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
    PRC - [2010/08/27 18:36:07 | 000,378,248 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    PRC - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/05/25 04:41:53 | 000,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddserv.exe
    PRC - [2007/05/25 04:41:37 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe
    PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
    PRC - [2005/07/25 11:00:56 | 000,876,032 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/10 22:57:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
    MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (MCIService)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/08/27 18:37:06 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
    SRV - [2010/07/26 16:00:24 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
    SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
    SRV - [2007/05/25 04:41:53 | 000,099,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService)
    SRV - [2007/05/25 04:41:37 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device)
    SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
    SRV - [2005/07/25 11:00:56 | 000,876,032 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
    SRV - [2005/07/25 11:00:56 | 000,876,032 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Internet Explorer\SABProcEnum.sys -- (SABProcEnum)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2010/08/27 18:36:14 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/04/23 11:31:01 | 000,106,432 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
    DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/01/01 12:20:34 | 000,026,024 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
    DRV - [2009/10/25 11:45:20 | 000,022,016 | ---- | M] (Curiolab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\extit.sys -- (ExterminateIt)
    DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
    DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2008/08/11 13:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV - [2008/08/11 13:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
    DRV - [2006/10/16 09:47:22 | 000,053,344 | ---- | M] (Warp Nine Engineering) [Kernel | Auto | Running] -- C:\Program Files\FlexiSIGN-PRO 8.1v1\Program\Par1284.sys -- (Par1284)
    DRV - [2006/08/15 19:59:16 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
    DRV - [2005/07/25 10:53:28 | 000,101,504 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
    DRV - [2005/07/25 10:53:04 | 000,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
    DRV - [2005/07/25 04:52:59 | 000,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
    DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
    DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
    DRV - [2004/08/04 00:29:45 | 000,025,471 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv10nt.sys -- (iAimTV5)
    DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
    DRV - [2004/08/04 00:29:44 | 000,022,271 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv06nt.sys -- (iAimTV6)
    DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
    DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
    DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
    DRV - [2004/08/04 00:29:40 | 000,011,871 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv09nt.sys -- (iAimFP7)
    DRV - [2004/08/04 00:29:39 | 000,011,295 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv08nt.sys -- (iAimFP6)
    DRV - [2004/08/04 00:29:38 | 000,011,807 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv07nt.sys -- (iAimFP5)
    DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
    DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
    DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
    DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
    DRV - [2004/07/14 12:54:42 | 000,676,864 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
    DRV - [2003/11/13 13:19:48 | 000,210,304 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2003/11/13 13:18:36 | 000,679,808 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2003/11/13 13:17:00 | 001,042,816 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2002/12/15 18:41:10 | 000,076,288 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
    DRV - [2002/12/15 18:41:10 | 000,026,120 | R--- | M] (Rainbow Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (Sntnlusb)
    DRV - [2001/08/17 07:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM)
    DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 20 2E 6B 6C DE 81 CA 01 [binary data]
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/?fr=fp-yie8
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>


    [2009/03/29 02:30:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Mozilla\Extensions
    [2009/03/29 02:30:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Mozilla\Extensions\[email protected]

    O1 HOSTS File: ([2010/09/10 21:46:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
    O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
    O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program Files/Escape Rosecliff Island/Images/stg_drm.ocx (SpinTop DRM Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4505-8fb8-d0d2d160e512/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (Reg Error: Key error.)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166103550577 (WUWebControl Class)
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} http://www.callwave.com/include/cab/CWDL_DownLoad.CAB (CWDL_DownLoadControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program Files/Escape Rosecliff Island/Images/armhelper.ocx (ArmHelper Control)
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (Reg Error: Key error.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} file:///D:/CDVIEWER/CdViewer.cab (AMI DicomDir TreeView Control 2.1)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.130 68.105.28.11 68.105.29.11
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/08/12 03:33:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.DivXa32 - C:\WINDOWS\System32\DivXa32.acm (Kristal StudioDFileDescription)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: SENTINEL - C:\WINDOWS\System32\SNTI386.DLL (Rainbow Technologies, Inc.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIV3 - C:\WINDOWS\System32\DivXc32.dll (Hacked with Joy !)
    Drivers32: vidc.div4 - C:\WINDOWS\System32\DivXc32f.dll (Hacked with Joy !)
    Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: VIDC.IV40 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: VIDC.IV41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: VIDC.IV50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.MP42 - C:\WINDOWS\System32\MPG4c32.dll (Microsoft Corporation)
    Drivers32: vidc.MP43 - C:\WINDOWS\System32\MPG4c32.dll (Microsoft Corporation)
    Drivers32: vidc.MPG4 - C:\WINDOWS\System32\MPG4c32.dll (Microsoft Corporation)
    Drivers32: vidc.xvid - C:\WINDOWS\System32\xvid.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/09/10 22:56:53 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
    [2010/09/10 22:55:01 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/09/10 21:18:32 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/09/10 21:14:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/10 21:14:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/10 21:14:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/10 21:14:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/10 21:13:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/09/10 21:13:09 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/07 22:31:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\ApplicationHistory
    [2010/09/07 20:52:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTEMP
    [2010/09/07 20:02:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\tdsskiller
    [2010/09/07 09:17:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\New Folder
    [2010/09/06 22:41:34 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
    [2010/09/06 11:46:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2010/09/06 11:46:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2010/09/05 16:49:02 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
    [2010/09/04 17:45:14 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2010/09/04 14:47:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\Sunbelt Software
    [2010/09/04 14:37:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
    [2010/09/04 14:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
    [2010/09/04 14:18:25 | 000,000,000 | ---D | C] -- C:\iolo
    [2010/09/04 13:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\iolo
    [2010/09/04 13:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iolo
    [2010/09/03 07:20:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
    [2010/09/03 06:56:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Avira
    [2010/09/03 05:53:24 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/09/03 05:53:19 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/09/03 05:53:19 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/09/03 05:53:19 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/09/03 05:53:18 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/09/03 05:53:16 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/09/03 05:53:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/09/02 19:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2010/09/02 19:54:33 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
    [2010/09/02 19:53:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2010/09/02 19:53:49 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
    [2010/08/28 23:22:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
    [2010/08/28 23:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
    [2010/08/28 23:16:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\lrhdydpsm
    [2010/08/28 23:14:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/08/28 15:59:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rob\Recent
    [2010/08/28 15:43:34 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2010/08/28 15:38:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\Downloads
    [2010/08/28 15:16:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\Temp
    [2010/08/26 17:58:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2010/08/26 16:20:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Malwarebytes
    [2010/08/26 16:19:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/08/26 16:19:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/08/26 16:19:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/08/26 16:19:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/08/26 16:16:11 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rob\My Documents\mbam-setup-1.46.exe
    [2010/08/25 01:29:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/08/25 01:29:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/08/14 14:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\EasyPDFReader
    [2010/08/14 14:48:36 | 000,000,000 | ---D | C] -- C:\Program Files\Easy PDF Reader
    [2010/08/14 14:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FileCure
    [2010/06/06 13:07:23 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll
    [2010/06/06 13:07:23 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll
    [2010/06/06 13:07:23 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll
    [2010/06/06 13:07:22 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll
    [2010/06/06 13:07:21 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll
    [2010/06/06 13:07:20 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll
    [2010/06/06 13:07:20 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll
    [2010/06/06 13:07:20 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll
    [2010/06/06 13:07:19 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll
    [2010/06/06 13:07:16 | 000,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll
    [2010/06/06 13:07:11 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll
    [2010/06/06 13:07:09 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [12 C:\Documents and Settings\Rob\My Documents\*.tmp files -> C:\Documents and Settings\Rob\My Documents\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010/09/10 22:57:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe
    [2010/09/10 22:21:03 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1563985344-1957994488-1003UA.job
    [2010/09/10 21:47:50 | 000,000,465 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/10 21:46:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/09/10 21:44:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/10 21:43:54 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2010/09/10 21:40:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/10 21:40:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/10 21:39:58 | 266,645,504 | -HS- | M] () -- C:\hiberfil.sys
    [2010/09/10 21:38:22 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Rob\ntuser.ini
    [2010/09/10 21:38:21 | 004,874,240 | ---- | M] () -- C:\Documents and Settings\Rob\ntuser.dat
    [2010/09/10 21:18:41 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/09/10 21:06:27 | 002,549,156 | -H-- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\IconCache.db
    [2010/09/10 21:05:39 | 000,000,183 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Really need some help, having no luck. - Tech Support Guy Forums.url
    [2010/09/10 21:00:29 | 003,842,041 | R--- | M] () -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe
    [2010/09/10 19:28:15 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2010/09/10 19:28:14 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Google Chrome.lnk
    [2010/09/10 17:19:37 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{04F5700C-F654-472D-BCEA-47DB8CB9AB9A}.job
    [2010/09/10 15:20:01 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1563985344-1957994488-1003Core.job
    [2010/09/07 22:28:48 | 000,440,684 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/09/07 22:28:48 | 000,071,002 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/09/07 22:28:47 | 000,509,574 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/09/07 20:57:57 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/07 20:01:22 | 001,193,882 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\tdsskiller.zip
    [2010/09/06 11:47:16 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
    [2010/09/06 11:47:16 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Spybot - Search & Destroy.lnk
    [2010/09/04 17:45:13 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2010/09/04 13:16:31 | 000,074,703 | ---- | M] () -- C:\WINDOWS\System32\mfc45.dll
    [2010/09/03 05:54:08 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/09/02 19:54:24 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2010/08/28 23:07:35 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/08/27 18:36:14 | 000,083,360 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
    [2010/08/27 18:36:11 | 000,087,424 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
    [2010/08/27 18:36:11 | 000,029,568 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
    [2010/08/27 14:41:46 | 000,248,832 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\BBQ SHRIMP.FS
    [2010/08/27 12:51:15 | 000,220,672 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\loeffelholtz prop inv lp.FS
    [2010/08/27 12:38:20 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\LOEFFLEHOLTZ.FS
    [2010/08/26 17:23:27 | 000,002,621 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/08/26 16:42:16 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\avira_antivir_personal_en.exe
    [2010/08/26 16:19:24 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2010/08/26 16:16:27 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rob\My Documents\mbam-setup-1.46.exe
    [2010/08/23 16:02:41 | 000,072,038 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\LA DEMOLITION INV.jpg
    [2010/08/23 16:02:18 | 000,355,840 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\LA DEMOLITION INV.FS
    [2010/08/22 15:22:17 | 091,249,152 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\la demo changes.FS cut one.FS
    [2010/08/22 13:25:38 | 002,724,864 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\LA DEMOLITION LAYOUT.FS
    [2010/08/22 13:23:59 | 002,725,376 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\la demo changes.FS
    [2010/08/21 18:46:58 | 000,260,608 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\loeffleholtz.doc
    [2010/08/20 14:54:58 | 011,700,736 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-ball new
    [2010/08/20 14:53:35 | 012,273,664 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL.FS
    [2010/08/20 09:50:05 | 000,225,792 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-ball trailor inv.FS
    [2010/08/17 19:52:27 | 000,045,568 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-ball.FS
    [2010/08/17 19:44:17 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-ball newest.fs
    [2010/08/17 11:05:57 | 005,883,392 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-balls side 2.FS
    [2010/08/17 10:49:57 | 008,612,864 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL !!.fs
    [2010/08/15 23:52:44 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
    [2010/08/15 23:52:44 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
    [2010/08/15 23:46:51 | 091,134,464 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\la demo changes 3
    [2010/08/15 23:44:47 | 001,084,441 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\la demo change 3.jpg
    [2010/08/15 22:53:07 | 001,084,441 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\la demo changes 2.jpg
    [2010/08/15 22:15:46 | 001,084,441 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\la demo changes.jpg
    [2010/08/15 21:39:08 | 001,076,295 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\LA DEMOLITION LAYOUT.jpg
    [2010/08/14 14:50:28 | 000,000,756 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Easy PDF Reader.lnk
    [2010/08/13 03:57:44 | 000,946,248 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/12 22:22:34 | 005,829,120 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\snoball
    [2010/08/12 12:24:35 | 000,266,812 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-balls front.jpg
    [2010/08/12 12:24:10 | 005,862,912 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-balls front.FS
    [2010/08/12 12:21:17 | 000,262,980 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-balls side 2.jpg
    [2010/08/12 11:59:18 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\sno-balls pro.fs
    [2010/08/12 11:40:18 | 000,342,072 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL.jpg
    [2010/08/12 00:04:50 | 000,338,950 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL PIC.jpg
    [2010/08/11 23:21:26 | 009,092,096 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\SNO-BALLS PICS.FS
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [12 C:\Documents and Settings\Rob\My Documents\*.tmp files -> C:\Documents and Settings\Rob\My Documents\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/09/10 21:39:58 | 266,645,504 | -HS- | C] () -- C:\hiberfil.sys
    [2010/09/10 21:18:41 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/09/10 21:18:35 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/09/10 21:14:02 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/10 21:14:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/10 21:14:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/10 21:14:02 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/10 21:14:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/10 21:05:39 | 000,000,183 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\Really need some help, having no luck. - Tech Support Guy Forums.url
    [2010/09/10 21:00:17 | 003,842,041 | R--- | C] () -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe
    [2010/09/07 20:57:52 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/09/07 20:01:17 | 001,193,882 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\tdsskiller.zip
    [2010/09/06 11:47:16 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
    [2010/09/06 11:47:16 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\Spybot - Search & Destroy.lnk
    [2010/09/04 18:06:25 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2010/09/04 13:16:31 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
    [2010/09/03 05:54:08 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/09/02 19:54:24 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2010/08/28 15:30:24 | 000,002,246 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2010/08/28 15:30:22 | 000,002,268 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\Google Chrome.lnk
    [2010/08/28 15:16:03 | 000,000,970 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1563985344-1957994488-1003UA.job
    [2010/08/28 15:15:49 | 000,000,918 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-1563985344-1957994488-1003Core.job
    [2010/08/27 12:51:13 | 000,220,672 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\loeffelholtz prop inv lp.FS
    [2010/08/26 16:39:41 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\avira_antivir_personal_en.exe
    [2010/08/26 16:19:24 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2010/08/26 16:10:06 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/08/23 16:02:37 | 000,072,038 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\LA DEMOLITION INV.jpg
    [2010/08/23 16:02:16 | 000,355,840 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\LA DEMOLITION INV.FS
    [2010/08/22 15:21:33 | 091,249,152 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\la demo changes.FS cut one.FS
    [2010/08/21 21:28:46 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\LOEFFLEHOLTZ.FS
    [2010/08/21 18:46:55 | 000,260,608 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\loeffleholtz.doc
    [2010/08/20 09:50:01 | 000,225,792 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-ball trailor inv.FS
    [2010/08/17 19:44:17 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-ball newest.fs
    [2010/08/17 19:43:43 | 000,045,568 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-ball.FS
    [2010/08/17 18:30:36 | 011,700,736 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-ball new
    [2010/08/17 11:06:11 | 012,273,664 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL.FS
    [2010/08/17 10:33:52 | 008,612,864 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL !!.fs
    [2010/08/15 23:52:44 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
    [2010/08/15 23:52:44 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
    [2010/08/15 23:46:20 | 091,134,464 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\la demo changes 3
    [2010/08/15 23:44:17 | 001,084,441 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\la demo change 3.jpg
    [2010/08/15 22:52:36 | 001,084,441 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\la demo changes 2.jpg
    [2010/08/15 22:17:27 | 002,725,376 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\la demo changes.FS
    [2010/08/15 22:15:12 | 001,084,441 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\la demo changes.jpg
    [2010/08/14 14:50:28 | 000,000,756 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\Easy PDF Reader.lnk
    [2010/08/12 22:22:24 | 005,829,120 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\snoball
    [2010/08/12 12:24:25 | 000,266,812 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-balls front.jpg
    [2010/08/12 12:24:09 | 005,862,912 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-balls front.FS
    [2010/08/12 12:21:07 | 000,262,980 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-balls side 2.jpg
    [2010/08/12 12:20:48 | 005,883,392 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-balls side 2.FS
    [2010/08/12 11:59:01 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\sno-balls pro.fs
    [2010/08/12 11:39:59 | 000,342,072 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL.jpg
    [2010/08/12 00:04:32 | 000,338,950 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\SNOW-BALL PIC.jpg
    [2010/08/11 23:21:47 | 009,092,096 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\SNO-BALLS PICS.FS
    [2010/06/06 13:17:41 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll
    [2010/06/06 13:17:26 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxddcoin.dll
    [2010/06/06 13:10:15 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxddrwrd.ini
    [2010/06/06 13:07:24 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll
    [2010/06/06 13:07:15 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll
    [2009/08/16 17:53:46 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2009/07/10 16:54:11 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXF3FXPU.DLL
    [2009/07/10 16:54:09 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMON.DLL
    [2009/07/10 16:53:47 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxf3oem.dll
    [2009/07/10 16:53:47 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMRC.DLL
    [2009/01/13 00:00:04 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\SysEngine2.SYS
    [2008/12/06 11:05:17 | 000,000,125 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
    [2008/11/11 01:35:29 | 000,223,232 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
    [2008/10/08 10:34:59 | 000,000,073 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini
    [2007/08/15 00:13:08 | 000,000,972 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\update.log
    [2007/06/07 16:28:43 | 000,000,103 | ---- | C] () -- C:\WINDOWS\TTINSTAL.INI
    [2007/02/20 00:50:05 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\dm.ini
    [2007/01/26 17:39:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
    [2007/01/23 13:40:03 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll
    [2007/01/09 11:13:08 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll
    [2007/01/01 22:58:14 | 000,001,616 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
    [2007/01/01 22:58:04 | 000,269,312 | ---- | C] () -- C:\WINDOWS\System32\FPXIG.DLL
    [2007/01/01 22:58:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\IGFPX32P.DLL
    [2007/01/01 22:58:04 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\JPEGACC.DLL
    [2007/01/01 22:57:52 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\WELSOF32.DLL
    [2006/12/29 15:32:56 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
    [2006/12/29 15:32:39 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
    [2006/12/05 19:20:10 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
    [2006/10/06 12:08:04 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll
    [2006/10/03 00:06:41 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2006/08/15 19:59:16 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
    [2006/08/12 15:56:02 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
    [2006/08/12 15:48:50 | 000,000,453 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/08/12 15:03:51 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2006/08/12 14:37:26 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2003/04/05 11:17:52 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
    [2002/12/14 15:46:04 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
    [2002/12/14 15:46:04 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\oggDS.dll
    [2002/12/14 15:46:04 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
    [2002/12/14 15:46:04 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
    [2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
    [1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/01/12 19:03:00 | 000,001,024 | ---- | M] () -- C:\.rnd
    [2010/09/07 21:04:10 | 000,004,285 | ---- | M] () -- C:\aaw7boot.log
    [2008/01/31 10:54:14 | 000,036,352 | ---- | M] () -- C:\arm mcall new.FS
    [2006/08/12 03:33:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/01/12 19:46:51 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/09/10 21:18:41 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2007/11/20 11:40:12 | 000,263,713 | ---- | M] () -- C:\children's orc comb.eps
    [2007/11/20 11:40:59 | 000,178,176 | ---- | M] () -- C:\children's orc comb.FS
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/09/10 22:01:47 | 000,019,382 | ---- | M] () -- C:\ComboFix.txt
    [2006/08/12 03:33:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2008/10/30 17:56:54 | 000,086,677 | ---- | M] () -- C:\CybDefInstallInfo.log
    [2008/07/26 15:32:25 | 000,000,076 | ---- | M] () -- C:\DVDPATH.TXT
    [2010/09/10 21:39:58 | 266,645,504 | -HS- | M] () -- C:\hiberfil.sys
    [2009/07/09 20:44:06 | 000,241,622 | ---- | M] () -- C:\hpfr3320.log
    [2009/07/09 20:44:08 | 000,000,532 | ---- | M] () -- C:\hpfr3320.xml
    [2006/08/12 03:33:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/07/18 17:36:29 | 000,523,671 | ---- | M] () -- C:\lxdd.log
    [2006/11/06 20:31:18 | 000,066,048 | ---- | M] () -- C:\MARTIN LAST NOT CUT
    [2006/11/02 22:06:12 | 000,057,856 | ---- | M] () -- C:\MARTIN LAWRENCE NEW LAYOUT
    [2006/08/12 03:33:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006/11/07 13:37:20 | 000,158,720 | ---- | M] () -- C:\NEW CITIES
    [2006/11/06 22:35:50 | 000,000,000 | ---- | M] () -- C:\New FlexiSTARTER Desay Edition.FS
    [2006/12/16 13:17:50 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2009/02/15 01:35:43 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/10 21:39:51 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
    [2007/08/17 14:06:32 | 000,007,324 | ---- | M] () -- C:\rapport.txt
    [2006/04/14 23:05:02 | 000,009,952 | ---- | M] () -- C:\regxpcom.exe
    [2010/09/07 20:07:17 | 000,042,356 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_07.09.2010_20.03.19_log.txt
    [2006/11/07 11:29:33 | 000,010,240 | ---- | M] () -- C:\Untitled.FS
    [2010/09/07 06:23:26 | 000,000,136 | ---- | M] () -- C:\VundoFix.txt
    [2006/11/03 13:06:48 | 000,044,032 | ---- | M] () -- C:\w.i.n.o. inset

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/08/12 03:32:29 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2010/08/27 18:36:13 | 000,053,632 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
    [2007/02/26 23:16:25 | 000,103,936 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdddrpp.dll
    [2003/06/18 18:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/08/11 22:16:04 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2006/08/11 22:16:03 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2006/08/11 22:16:03 | 000,393,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/02/15 01:59:20 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2006/12/16 14:58:27 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2006/08/12 03:42:42 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/10 21:00:29 | 003,842,041 | R--- | M] () -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe
    [2010/09/10 22:57:01 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2006/07/11 11:57:48 | 017,344,752 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\avg71free_394a763.exe
    [2010/08/26 16:42:16 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\avira_antivir_personal_en.exe
    [2006/11/15 15:50:02 | 015,505,200 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Rob\My Documents\IE7-WindowsXP-x86-enu.exe
    [2010/08/26 16:16:27 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rob\My Documents\mbam-setup-1.46.exe
    [2006/12/16 15:57:12 | 000,161,280 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\rmsality.exe
    [2010/03/16 15:12:56 | 025,685,128 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Rob\My Documents\wordview_en-us.exe
    [12 C:\Documents and Settings\Rob\My Documents\*.tmp files -> C:\Documents and Settings\Rob\My Documents\*.tmp -> ]

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >
    [2001/08/03 18:29:18 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Driver Cache\Usbscan.sys

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2006/12/16 14:58:28 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Rob\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2010/07/20 12:29:41 | 000,005,547 | ---- | M] () -- C:\Documents and Settings\All Users\lxdd

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-10 12:11:27

    < Click the Run Scan button. Do not change any settings unless otherwise told to do so. >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C60A173
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E8B5993B
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F321F01E
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3A691DDB
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8BB2EC84
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D158BAF9
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AC78DA48
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93E9C78D
    < End of report >
     
  8. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    Here is the Extra.txt file.

    OTL Extras logfile created on: 9/10/2010 10:57:58 PM - Run 1
    OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Rob\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    254.00 Mb Total Physical Memory | 71.00 Mb Available Physical Memory | 28.00% Memory free
    625.00 Mb Paging File | 255.00 Mb Available in Paging File | 41.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 800 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.24 Gb Total Space | 17.90 Gb Free Space | 48.06% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    Drive E: | 1.84 Gb Total Space | 1.57 Gb Free Space | 85.60% Space Free | Partition Type: FAT
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ROB-JIDY
    Current User Name: Rob
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\PROGRA~1\MICROS~2\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "UpdatesDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "FirstRunDisabled" = 

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Lexmark 2500 Series\lxddmon.exe" = C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 17
    "{30BB4D60-81DB-11D5-BB77-00400536ABAC}" = OLYMPUS CAMEDIA Master Pro 4.1
    "{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
    "{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
    "{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
    "{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}" = DesignPro 5.4 Limited Edition
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{77F9D52A-C8D7-4FE8-8510-19FC6CF75BC3}" = Access Drivers
    "{8386E3AD-7DEA-1D17-601E-644D9C84C19B}" = Chessmaster Challenge
    "{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{95264530-5A22-8E7E-FE9D-D63A927BCAEA}" = Adobe Media Player
    "{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B5924CA6-24A7-48F5-BC9C-8BFA94ED4564}" = LightScribe 1.4.67.1
    "{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
    "{E728216D-A1C4-487B-A4C5-AC0105DB74D6}" = FlexiSIGN-PRO 8.1v1
    "{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "ActiveScan 2.0" = Panda ActiveScan 2.0
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "AnyDVD" = AnyDVD
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "CCleaner" = CCleaner
    "Chessmaster Challenge" = Chessmaster Challenge (remove only)
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "DVD Shrink_is1" = DVD Shrink 3.2
    "Easy PDF Reader" = Easy PDF Reader 1.0
    "FinalMediaPlayer_is1" = Final Media Player 2010
    "FlexiSTARTER Desay Edition 7.6v2" = FlexiSTARTER Desay Edition 7.6v2
    "Fonts" = Fonts
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}" = DesignPro 5.4 Limited Edition
    "Lexmark 2500 Series" = Lexmark 2500 Series
    "Lexmark Fax Solutions" = Lexmark Fax Solutions
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "OneTouch Version 3.0" = OneTouch Version 3.0
    "PokerStars.net" = PokerStars.net
    "QuickTime" = QuickTime
    "Rainbow Sentinel Driver" = Sentinel System Driver
    "SignCut" = SignCut (remove only)
    "SpongeBob SquarePants" = SpongeBob SquarePants® Operation Krabby Patty
    "SpongeBob SquarePants Employee of the Month" = SpongeBob SquarePants Employee of the Month
    "The Print Shop 6.0" = The Print Shop®
    "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Software Update" = Yahoo! Software Update

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 9/5/2010 3:18:37 PM | Computer Name = ROB-JIDY | Source = Application Error | ID = 1000
    Description = Faulting application setup.exe, version 1.0.1963.0, faulting module
    unknown, version 0.0.0.0, fault address 0x8004ff1f.

    Error - 9/5/2010 5:23:42 PM | Computer Name = ROB-JIDY | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 1.1.1593.0,
    P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

    Error - 9/6/2010 9:01:01 AM | Computer Name = ROB-JIDY | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 1.1.1593.0,
    P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

    Error - 9/7/2010 7:53:04 AM | Computer Name = ROB-JIDY | Source = Avira AntiVir | ID = 4118
    Description = EXCEPTION calling function <Scan> for the file C:\Documents and Settings\Rob\Local
    Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00007b [ACCESS_VIOLATION
    Exception!! EIP = 0x1d811cc] Please inform Avira and submit the appropriate file!

    Error - 9/7/2010 9:01:52 AM | Computer Name = ROB-JIDY | Source = MPSampleSubmission | ID = 5000
    Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 1.1.1593.0,
    P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

    Error - 9/7/2010 10:21:20 AM | Computer Name = ROB-JIDY | Source = Application Hang | ID = 1002
    Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 9/7/2010 10:21:21 AM | Computer Name = ROB-JIDY | Source = Application Hang | ID = 1002
    Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 9/7/2010 12:38:45 PM | Computer Name = ROB-JIDY | Source = Application Error | ID = 1000
    Description = Faulting application 8s0b3pqt.exe, version 1.0.15.15281, faulting
    module 8s0b3pqt.exe, version 1.0.15.15281, fault address 0x0005c887.

    Error - 9/7/2010 11:18:17 PM | Computer Name = ROB-JIDY | Source = Application Hang | ID = 1002
    Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 9/7/2010 11:18:26 PM | Computer Name = ROB-JIDY | Source = Application Hang | ID = 1001
    Description = Fault bucket 734562961.

    [ System Events ]
    Error - 9/7/2010 12:44:09 PM | Computer Name = ROB-JIDY | Source = Ftdisk | ID = 262193
    Description = Configuring the Page file for crash dump failed. Make sure there is
    a page file on the boot partition and that is large enough to contain all physical
    memory.

    Error - 9/7/2010 12:44:44 PM | Computer Name = ROB-JIDY | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    avgio avipbb ElbyCDIO Fips mas P3 pavboot SASDIFSV SASKUTIL ssmdrv

    Error - 9/7/2010 9:07:51 PM | Computer Name = ROB-JIDY | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 9/7/2010 9:10:20 PM | Computer Name = ROB-JIDY | Source = sr | ID = 1
    Description = The System Restore filter encountered the unexpected error '0xC0000001'
    while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
    the volume.

    Error - 9/7/2010 9:13:59 PM | Computer Name = ROB-JIDY | Source = Service Control Manager | ID = 7000
    Description = The Windows Network Service service failed to start due to the following
    error: %%3

    Error - 9/7/2010 9:17:01 PM | Computer Name = ROB-JIDY | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    mas

    Error - 9/10/2010 10:11:52 PM | Computer Name = ROB-JIDY | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 9/10/2010 10:12:07 PM | Computer Name = ROB-JIDY | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    avgio avipbb ElbyCDIO Fips mas P3 pavboot SASDIFSV SASKUTIL ssmdrv

    Error - 9/10/2010 10:38:15 PM | Computer Name = ROB-JIDY | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 9/10/2010 10:40:52 PM | Computer Name = ROB-JIDY | Source = Service Control Manager | ID = 7000
    Description = The Windows Network Service service failed to start due to the following
    error: %%3


    < End of report >
     
  9. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello the-drew,

    Bit to do in this post.

    Now

    Please run OTL.exe
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
      [12 C:\Documents and Settings\Rob\My Documents\*.tmp files -> C:\Documents and Settings\Rob\My Documents\*.tmp -> ]
      @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C60A173
      @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E8B5993B
      @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F321F01E
      @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3A691DDB
      @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8BB2EC84
      @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D158BAF9
      @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AC78DA48
      @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:93E9C78D
      
      :Commands
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • It will produce a log for you on reboot, please post that log in your next reply.
    After that

    You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

    If you no longer have Malwarebytes, please download it from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Next

    Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

    Kaspersky works with Internet Explorer and Firefox 3.

    Go to Kaspersky website and perform an online antivirus scan.

    Note: you will need to turn off your security programs to allow Kaspersky to do its job.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    Copy and paste that information in your next post.

    So when you return please post
    • OTL fix log
    • MBAM log
    • Kaspersky scan results
    • and tell me how your computer is performing now
     
  10. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    So I passed out last night

    Here is the OTL fix log

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C7768536-96F8-4001-B1A2-90EE21279187} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7768536-96F8-4001-B1A2-90EE21279187}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7}\ not found.
    C:\Documents and Settings\Rob\My Documents\_fs108.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs17.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs1B.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs1C.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs20.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs37.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs4.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs5E.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs83.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fs9B.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fsAC.tmp deleted successfully.
    C:\Documents and Settings\Rob\My Documents\_fsC2.tmp deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7C60A173 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:E8B5993B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F321F01E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:3A691DDB deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8BB2EC84 deleted successfully.
    Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP158BAF9 .
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:AC78DA48 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:93E9C78D deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Flash cache emptied: 456 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 111826 bytes

    User: NetworkService
    ->Temp folder emptied: 970 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 7880 bytes

    User: Rob
    ->Temp folder emptied: 36864 bytes
    ->Temporary Internet Files folder emptied: 3480072 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 45438217 bytes
    ->Flash cache emptied: 45972 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 1145933 bytes
    %systemroot%\System32 .tmp files removed: 19068945 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 882 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 81576 bytes
    RecycleBin emptied: 19094 bytes

    Total Files Cleaned = 66.00 mb


    OTL by OldTimer - Version 3.2.11.0 log created on 09112010_063149
    Files\Folders moved on Reboot...
    C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\WYCAP9VG\donate[1].html moved successfully.
    C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\WYCAP9VG\sh23[1].html moved successfully.
    C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\TBYDMEJ0\948569-really-need-some-help-having[1].html moved successfully.
    Registry entries deleted on Reboot...
     
  11. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    Here is the mbam log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4594
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    9/11/2010 7:29:24 AM
    mbam-log-2010-09-11 (07-29-24).txt
    Scan type: Quick scan
    Objects scanned: 141423
    Time elapsed: 27 minute(s), 10 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    The Kaspersky scan is still running but things look much better already! I can't thank you enough!
     
  12. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    I wanted to ask you before I forget. What virus/anti malware do you use?
     
  13. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Three answers to that:

    On my ME OS laptop I use Avast with Agnitum firewall. On my XP machine I use Avira with the Windows firewall and on my Windows 7 computer I have Microsoft Security Essentials working with Windows Firewall. Further, I have Malwarebytes on my XP and Windows 7 machine which I update and run once a week just to check. In addition I clean out my XP & W7 computers temp files (I use the Windows utility to do this on my ME machine) each week with TFC and carry out a defrag.

    Look forward to hearing back from you with the Kaspersky results.:)
     
  14. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    sooo the Kaspersky scan is running again for the third time and the dog is locked in her cage (she stepped on the keyboard once and her ball hit the mouse, both times canceling the scan). It's awesome having a 60 pound puppy sometimes. :(
     
  15. the-drew

    the-drew Thread Starter

    Joined:
    Sep 7, 2010
    Messages:
    14
    Thanks for the antivirus info. I use almost the same configuration on my machines except for cleaning the temp files (which I will now be doing). The computer we are working on is the father-in-law's. He got a fake Facebook email and followed the link. weeee. Oh, and it's the machine he uses for his sign business.

    Thanks again for all the help, I am truly grateful. This is the first time I haven't been able to clean a machine by myself. This thing was crazy. I couldn't even post to the HijackThis forum or TechGuy. I had to use my laptop and transfer with a USB drive to get the first of the log files to post. I did run tskiller and that let me post off of his machine. I just haven't seen anything so persistent and widespread. Anyway, thanks again and I will post the log as soon as it is done.
     

Short URL to this thread: https://techguy.org/948569