TechSpot

[Solved] Can't stop two rogue iexplore.exe processes from running

Discussion in 'Virus and Malware Removal' started by slimjim028, Dec 23, 2010.

  1. Broni Malware Annihilator

    I need you to re-run OTL "Quick scans" with the very same script as in my reply #14 and post a fresh log.
  2. slimjim028 Newcomer, in training

    OTL logfile created on: 12/27/2010 8:48:16 AM - Run 3
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Jim\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    511.00 Mb Total Physical Memory | 196.00 Mb Available Physical Memory | 38.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 127.99 Gb Total Space | 87.97 Gb Free Space | 68.73% Space Free | Partition Type: NTFS
    Drive D: | 74.52 Gb Total Space | 51.03 Gb Free Space | 68.48% Space Free | Partition Type: NTFS

    Computer Name: JIM-249ZZ6HRUIF | User Name: Jim | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/12/24 12:45:05 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
    PRC - [2010/09/07 11:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006/03/30 08:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
    PRC - [2001/08/31 08:44:30 | 000,025,600 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe

    ========== Modules (SafeList) ==========

    MOD - [2010/12/24 12:45:05 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
    MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2006/03/30 08:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\scrcap.sys -- (scrcap)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys -- (SABProcEnum)
    DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys -- (SABKUTIL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Jim\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/09/07 10:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/09/07 10:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/09/07 10:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/09/07 10:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/09/07 10:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/09/07 10:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2010/03/30 20:58:04 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
    DRV - [2010/03/30 20:58:04 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
    DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2005/04/10 08:27:24 | 000,241,280 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
    DRV - [2005/04/10 08:27:24 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
    DRV - [2005/04/10 08:27:24 | 000,144,250 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)
    DRV - [2005/04/10 08:27:24 | 000,030,662 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
    DRV - [2005/04/10 08:27:24 | 000,025,930 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
    DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2001/09/13 13:09:48 | 000,777,088 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1f.sys -- (emu10k) Creative SB Live! Value (WDM)
    DRV - [2001/08/31 08:37:58 | 000,036,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfman.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
    DRV - [2001/08/17 14:05:44 | 000,141,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Icam3.sys -- (ICAM3NT5)
    DRV - [2001/08/17 08:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
    DRV - [2001/08/17 08:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
    DRV - [2001/08/17 08:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
    DRV - [2001/08/17 08:28:10 | 000,073,279 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_SPKP.sys -- (SpeakerPhone)
    DRV - [2001/08/17 08:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
    DRV - [2001/08/17 08:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
    DRV - [2001/08/17 08:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
    DRV - [2001/08/17 08:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
    DRV - [2001/08/17 08:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
    DRV - [2001/08/17 08:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)
    DRV - [2001/08/17 07:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
    DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
    DRV - [2001/08/17 07:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
    DRV - [2001/07/11 06:34:52 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlface.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
    DRV - [1999/12/17 00:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\PfModNT.sys -- (PfModNT)

    ========== Standard Registry (SafeList) ==========

    ========== Internet Explorer ==========

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 F2 3A 17 EF 3B CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "http://www.msn.com"
    FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/10/27 18:55:29 | 000,000,000 | ---D | M]

    [2006/07/28 14:57:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\mzdh43z4.default\extensions
    [2006/07/28 14:57:55 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\mzdh43z4.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2005/04/03 10:12:29 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\mzdh43z4.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    O1 HOSTS File: ([2010/12/24 08:48:05 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe (Creative Technology Ltd)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE (Creative Technology Ltd)
    O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
    O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: onmycam.com ([]* is out of zone range - 6)
    O15 - HKCU\..Trusted Domains: onmycam.net ([]* is out of zone range - 6)
    O15 - HKCU\..Trusted Domains: onmycam.org ([]* is out of zone range - 6)
    O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw_promo.cab (Shockwave ActiveX Control)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Value error.)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1258917926928 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1285347440390 (MUWebControl Class)
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Housecall ActiveX 6.5)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab (HouseCall Control)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/03/31 18:37:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2003/11/27 11:51:28 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: aux - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
    Drivers32: msacm.ctmp3 - C:\WINDOWS\system32\ctmp3.acm File not found
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.MJPG - PMJPEG32.DLL File not found
    Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/12/24 13:29:25 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jim\Desktop\TDSSKiller.exe
    [2010/12/24 12:45:04 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
    [2010/12/24 09:11:37 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/12/24 09:05:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/12/23 14:54:24 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\TFC.exe
    [2010/12/23 12:56:22 | 000,038,848 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2010/12/23 12:51:54 | 000,017,744 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/12/23 12:51:53 | 000,165,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/12/23 12:51:52 | 000,023,376 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/12/23 12:51:50 | 000,046,672 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/12/23 12:51:48 | 000,100,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/12/23 12:51:48 | 000,094,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/12/23 12:51:48 | 000,028,880 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/12/23 12:51:08 | 000,167,592 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/12/22 17:53:44 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
    [2010/12/22 16:28:18 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/12/22 12:55:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
    [2010/12/19 18:14:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\My Documents\Simply Super Software
    [2010/12/16 08:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\autoruns
    [2010/12/11 16:43:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Application Data\SuperAdBlocker.com
    [2010/12/11 16:42:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTemp
    [2010/12/11 16:42:41 | 000,000,000 | ---D | C] -- C:\Program Files\SuperAdBlocker.com
    [2010/12/11 14:40:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\Microsoft Process Explorer
    [2010/12/11 14:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\My Documents\Downloads
    [2010/12/11 13:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Temp
    [2010/12/11 13:37:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Deployment
    [2010/12/08 20:07:57 | 000,000,000 | ---D | C] -- C:\e0c1fc482e91c9a2c3
    [2010/12/08 11:50:24 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/12/08 11:50:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/12/08 10:37:20 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/12/08 10:31:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/12/08 10:31:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/12/08 10:31:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/12/08 10:31:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/12/08 10:30:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/12/08 10:00:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jim\Recent
    [2010/12/08 08:41:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2010/12/05 20:21:06 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
    [2005/04/15 15:18:56 | 000,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/12/27 08:45:08 | 000,887,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/12/27 08:45:08 | 000,243,718 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/12/27 08:42:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/12/27 08:40:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/12/27 08:40:33 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
    [2010/12/24 13:29:07 | 001,232,020 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\tdsskiller.zip
    [2010/12/24 12:45:05 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
    [2010/12/24 08:48:05 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/12/24 08:15:24 | 000,001,224 | ---- | M] () -- C:\CF-Submit.htm
    [2010/12/23 19:02:22 | 000,001,192 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\875788619.dat
    [2010/12/23 18:05:32 | 003,997,850 | R--- | M] () -- C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    [2010/12/23 18:03:51 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\MBRCheck.exe
    [2010/12/23 17:51:30 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/12/23 15:20:52 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\v959njrt.exe
    [2010/12/23 14:54:25 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\TFC.exe
    [2010/12/23 12:56:23 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/12/23 12:51:57 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/12/23 12:47:09 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\HiJackThis.lnk
    [2010/12/20 21:19:53 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\Google Chrome.lnk
    [2010/12/20 21:19:53 | 000,002,246 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/16 09:47:52 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jim\Desktop\TDSSKiller.exe
    [2010/12/16 08:18:03 | 000,000,046 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2010/12/16 08:14:05 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1364589140-725345543-1003UA.job
    [2010/12/16 08:14:05 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1364589140-725345543-1003Core.job
    [2010/12/14 12:58:55 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/12/13 16:07:21 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/12/12 06:32:30 | 000,212,880 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/12/12 06:12:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\YSUKXVESZ
    [2010/12/10 20:17:05 | 000,059,392 | R--- | M] () -- C:\WINDOWS\System32\streamhlp.dll
    [2010/12/08 20:02:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/12/08 09:49:09 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/12/03 06:32:14 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\Ÿ9Ÿ9

    ========== Files Created - No Company Name ==========

    [2010/12/24 13:28:58 | 001,232,020 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\tdsskiller.zip
    [2010/12/24 08:15:24 | 000,001,224 | ---- | C] () -- C:\CF-Submit.htm
    [2010/12/23 18:05:22 | 003,997,850 | R--- | C] () -- C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    [2010/12/23 18:03:51 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\MBRCheck.exe
    [2010/12/23 15:20:51 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\v959njrt.exe
    [2010/12/23 12:51:57 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/12/14 12:58:55 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/12/12 06:12:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\YSUKXVESZ
    [2010/12/11 13:39:38 | 000,002,268 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\Google Chrome.lnk
    [2010/12/11 13:39:38 | 000,002,246 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2010/12/11 13:38:06 | 000,000,970 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1364589140-725345543-1003UA.job
    [2010/12/11 13:38:05 | 000,000,918 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1364589140-725345543-1003Core.job
    [2010/12/11 12:56:14 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\HiJackThis.lnk
    [2010/12/11 12:35:14 | 535,904,256 | -HS- | C] () -- C:\hiberfil.sys
    [2010/12/10 20:16:52 | 000,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
    [2010/12/08 19:27:12 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/12/08 11:42:49 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    [2010/12/08 10:37:36 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/12/08 10:37:24 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/12/08 10:31:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/12/08 10:31:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/12/08 10:31:34 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/12/08 10:31:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/12/08 10:31:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/12/08 09:43:07 | 000,000,046 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2010/12/05 17:17:40 | 000,001,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\875788619.dat
    [2009/09/25 11:41:17 | 000,019,408 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\ebic.dat
    [2009/09/25 11:41:17 | 000,018,393 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\cuvumowaxu.exe
    [2009/09/25 11:41:17 | 000,018,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ijodyfigu.pif
    [2009/09/25 11:41:17 | 000,017,324 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\umoxywumol.vbs
    [2009/09/25 11:41:16 | 000,015,309 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\guvotozaze.com
    [2009/09/25 11:41:16 | 000,014,141 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\natarogaje.inf
    [2009/09/25 11:41:16 | 000,010,845 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\afacynaj.bin
    [2009/09/25 11:41:15 | 000,019,301 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\tunonyhyd.dll
    [2009/09/25 11:41:15 | 000,018,206 | ---- | C] () -- C:\Program Files\Common Files\iluqovag._dl
    [2009/09/25 11:41:15 | 000,010,829 | ---- | C] () -- C:\Program Files\Common Files\timybidu.inf
    [2009/09/25 11:06:11 | 000,019,556 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\esyset.lib
    [2009/09/25 11:06:10 | 000,015,392 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\gaty.ban
    [2009/09/25 11:06:10 | 000,013,547 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\ywurob.vbs
    [2009/09/25 10:24:46 | 000,016,084 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\rematuzej.db
    [2009/09/25 10:24:46 | 000,015,230 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\hagehe.scr
    [2009/09/25 10:24:46 | 000,013,862 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bogufapo.exe
    [2009/09/25 10:24:45 | 000,018,807 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\mylegany.lib
    [2009/09/25 10:24:45 | 000,013,878 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\cerufuku._sy
    [2009/09/25 10:24:45 | 000,012,801 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\atik.lib
    [2009/09/25 10:24:45 | 000,011,125 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\farib.com
    [2009/09/25 10:24:45 | 000,010,428 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\awitygos.ban
    [2009/09/25 10:24:44 | 000,015,630 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\jypy.sys
    [2009/08/30 15:06:15 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\housecall.guid.cache
    [2009/02/15 08:55:59 | 000,000,082 | ---- | C] () -- C:\WINDOWS\decode[1].INI
    [2009/02/10 17:16:46 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
    [2009/02/10 17:14:06 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
    [2009/02/10 17:14:04 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
    [2008/10/27 18:42:09 | 000,001,449 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2008/08/15 11:16:47 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
    [2006/10/06 14:37:37 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\srecorder.dll
    [2006/08/30 13:25:56 | 000,000,137 | ---- | C] () -- C:\WINDOWS\qti.ini
    [2006/07/14 11:49:26 | 000,000,019 | ---- | C] () -- C:\WINDOWS\systemsplit.ini
    [2006/07/14 11:02:55 | 000,000,264 | ---- | C] () -- C:\WINDOWS\MPPAGER.INI
    [2006/06/12 14:00:05 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ITNetUtils.dll
    [2006/06/12 14:00:04 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\diffiedll.dll
    [2006/04/09 12:19:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
    [2006/01/24 10:31:15 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\ncvDS61.dll
    [2006/01/24 10:31:15 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\ncCompress.dll
    [2006/01/24 10:31:15 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ncUtil62.dll
    [2006/01/24 10:31:14 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\howl.dll
    [2006/01/24 10:31:14 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nczlib.dll
    [2006/01/24 10:31:13 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib32.dll
    [2006/01/24 10:31:13 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\RegistrationId.dll
    [2006/01/21 18:43:42 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
    [2006/01/21 18:43:42 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
    [2005/07/04 11:50:26 | 000,000,003 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameF.txt
    [2005/04/15 15:18:00 | 000,000,231 | ---- | C] () -- C:\WINDOWS\ac3api.ini
    [2005/04/15 15:17:04 | 000,000,184 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
    [2005/04/15 15:00:09 | 000,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
    [2005/04/15 15:00:09 | 000,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini
    [2005/04/15 14:59:44 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
    [2005/04/10 08:22:36 | 000,000,003 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt
    [2005/04/02 15:22:25 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2005/04/02 15:16:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
    [2005/04/02 15:14:18 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL
    [2005/03/31 19:51:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/03/31 13:26:15 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2002/11/01 16:17:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
    [2002/07/04 15:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
    [2001/12/14 13:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
    [2001/08/10 12:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll
    [1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
    [1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

    ========== LOP Check ==========

    [2010/12/23 12:50:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2007/06/02 07:13:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
    [2010/09/25 07:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
    [2009/02/10 17:20:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
    [2010/12/19 18:16:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2006/05/05 07:53:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Camfrog
    [2006/08/25 10:03:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\CamfrogWEB
    [2010/09/25 07:35:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\IObit
    [2007/06/22 15:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Leadertech
    [2007/01/20 14:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\OfficeUpdate12
    [2006/06/14 11:05:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Paltalk
    [2009/02/10 17:16:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\pdf995
    [2010/12/11 16:43:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\SuperAdBlocker.com

    ========== Purity Check ==========

    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2005/03/31 18:37:48 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/12/08 09:49:09 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/12/13 16:07:21 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2006/04/09 11:27:56 | 000,008,246 | ---- | M] () -- C:\caavsetup.log
    [2008/02/09 15:23:11 | 000,035,227 | ---- | M] () -- C:\caavsetupLog.txt
    [2010/09/25 07:18:27 | 000,086,540 | ---- | M] () -- C:\caisslog.txt
    [2010/12/24 08:15:24 | 000,001,224 | ---- | M] () -- C:\CF-Submit.htm
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/12/24 09:04:14 | 000,015,299 | ---- | M] () -- C:\ComboFix.txt
    [2005/03/31 18:37:48 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/02/13 09:49:55 | 000,006,810 | ---- | M] () -- C:\devicetable.log
    [2006/04/09 11:27:34 | 000,000,026 | ---- | M] () -- C:\ezsetuplog.txt
    [2010/12/27 08:40:33 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
    [2005/03/31 18:37:48 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/08/13 11:15:10 | 000,000,720 | -H-- | M] () -- C:\IPH.PH
    [2006/07/02 14:41:20 | 000,102,465 | ---- | M] () -- C:\lma_log.html
    [2006/07/02 14:41:29 | 000,000,243 | ---- | M] () -- C:\log.html
    [2005/03/31 18:37:48 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2005/03/31 19:21:28 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2009/11/22 14:44:45 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/12/27 08:40:32 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
    [2006/06/14 11:11:22 | 000,000,000 | ---- | M] () -- C:\palsound.txt
    [2010/12/14 12:44:13 | 000,000,470 | ---- | M] () -- C:\rapport.txt
    [2010/12/19 18:19:21 | 000,000,359 | ---- | M] () -- C:\rkill.log
    [2010/12/24 13:31:05 | 000,042,432 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_24.12.2010_13.29.51_log.txt
    [2010/10/01 15:09:00 | 000,041,038 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_01.10.2010_16.07.28_log.txt
    [2008/10/29 13:41:53 | 000,000,594 | ---- | M] () -- C:\updatedatfix.log
    [2007/03/16 11:43:34 | 000,000,146 | ---- | M] () -- C:\YServer.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2005/03/31 18:37:23 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2003/04/21 00:00:00 | 000,016,384 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD58.DLL
    [2003/04/21 00:00:00 | 000,048,128 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP58.DLL
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/12/17 17:05:32 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2010/09/07 11:12:17 | 000,038,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2005/03/31 13:23:58 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2005/03/31 13:23:58 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2005/03/31 13:23:58 | 000,393,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/11/22 15:00:17 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2005/03/31 19:30:42 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2005/03/31 18:44:10 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Jim\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/12/23 18:05:32 | 003,997,850 | R--- | M] () -- C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    [2010/12/23 18:03:51 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\MBRCheck.exe
    [2010/12/24 12:45:05 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\OTL.exe
    [2010/12/16 09:47:52 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jim\Desktop\TDSSKiller.exe
    [2010/12/23 14:54:25 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\TFC.exe
    [2010/12/23 15:20:52 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\v959njrt.exe

    < %PROGRAMFILES%\Common Files\*.* >
    [2009/09/25 11:41:15 | 000,018,206 | ---- | M] () -- C:\Program Files\Common Files\iluqovag._dl
    [2009/09/25 11:41:15 | 000,010,829 | ---- | M] () -- C:\Program Files\Common Files\timybidu.inf

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2005/03/31 19:30:42 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Jim\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/08/14 15:26:43 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\Jim\Cookies\desktop.ini
    [2010/12/27 08:44:03 | 000,180,224 | -HS- | M] () -- C:\Documents and Settings\Jim\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe
    [1 C:\WINDOWS\inf\*.tmp files -> C:\WINDOWS\inf\*.tmp -> ]

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 19:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2001/03/07 06:00:26 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 12:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/07/17 13:41:08 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/07/17 13:41:08 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/07/17 13:41:08 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2000/12/05 13:10:32 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/07/17 13:41:04 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CA54532
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9

    < End of report >
  3. slimjim028 Newcomer, in training

    Regarding the OTL.log post. The original file didn't fit within the 50000 character limit. I had to remove some blank lines and all the empty characters that are at the beginning of each remaining blank line. Hope this doesn't matter.
  4. Broni Malware Annihilator

    In the future, simply split the log between a couple of replies.

    =======================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      O15 - HKCU\..Trusted Domains: onmycam.com ([]* is out of zone range - 6)
      O15 - HKCU\..Trusted Domains: onmycam.net ([]* is out of zone range - 6)
      O15 - HKCU\..Trusted Domains: onmycam.org ([]* is out of zone range - 6)
      O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
      O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...8f/wvc1dmo.cab (Reg Error: Value error.)
      O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Value error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [2010/12/12 06:12:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\YSUKXVESZ
      [2010/12/03 06:32:14 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\Ÿ9Ÿ9
      [2009/09/25 11:41:17 | 000,019,408 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\ebic.dat
      [2009/09/25 11:41:17 | 000,018,393 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\cuvumowaxu.exe
      [2009/09/25 11:41:17 | 000,018,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ijodyfigu.pif
      [2009/09/25 11:41:17 | 000,017,324 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\umoxywumol.vbs
      [2009/09/25 11:41:16 | 000,015,309 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\guvotozaze.com
      [2009/09/25 11:41:16 | 000,014,141 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\natarogaje.inf
      [2009/09/25 11:41:16 | 000,010,845 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\afacynaj.bin
      [2009/09/25 11:41:15 | 000,019,301 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\tunonyhyd.dll
      [2009/09/25 11:41:15 | 000,018,206 | ---- | C] () -- C:\Program Files\Common Files\iluqovag._dl
      [2009/09/25 11:41:15 | 000,010,829 | ---- | C] () -- C:\Program Files\Common Files\timybidu.inf
      [2009/09/25 11:06:11 | 000,019,556 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\esyset.lib
      [2009/09/25 11:06:10 | 000,015,392 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\gaty.ban
      [2009/09/25 11:06:10 | 000,013,547 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\ywurob.vbs
      [2009/09/25 10:24:46 | 000,016,084 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\rematuzej.db
      [2009/09/25 10:24:46 | 000,015,230 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\hagehe.scr
      [2009/09/25 10:24:46 | 000,013,862 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bogufapo.exe
      [2009/09/25 10:24:45 | 000,018,807 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\mylegany.lib
      [2009/09/25 10:24:45 | 000,013,878 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\cerufuku._sy
      [2009/09/25 10:24:45 | 000,012,801 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\atik.lib
      [2009/09/25 10:24:45 | 000,011,125 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\farib.com
      [2009/09/25 10:24:45 | 000,010,428 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\awitygos.ban
      [2009/09/25 10:24:44 | 000,015,630 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\jypy.sys
      @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CA54532
      @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
      @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
      
      :Services
      
      :Reg
      
      :Files
      D:\Program Files\Common Files\Real\Toolbar\RealBar.dll
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================================

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.
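    The fix script above targets the burst of unsigned, pseudo-randomly named files that OTL shows being created within the same minute on 2009/09/25. As an added example (not OTL's own code and not anything posted in this thread), the following Python script parses OTL file lines and surfaces such same-minute clusters mechanically; the sample lines are copied from the log posted earlier in the thread, while the path markers and the threshold of three files are assumptions.

```python
"""Triage helper for OTL file listings (added example, not part of OTL
or of the TechSpot thread). It parses the "[date time | size | attrs | C/M]
(company) -- path" lines OTL emits and groups no-company files by the
minute they were created, which is how the 2009/09/25 clusters in the
posted log stand out from legitimate, singly-installed files."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# One OTL entry: "[2009/09/25 11:41:17 | 000,018,393 | ---- | C] () -- C:\path"
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
# Assumed locations where a burst of no-company files is worth a look on
# an XP box: per-user profile data folders and Common Files.
PROFILE_MARKERS = ("\\Application Data\\", "\\Common Files\\")


def parse_otl_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one OTL file line, or None for section headers,
    '< ... >' scan banners, ADS lines and '[n ... files -> ...]' summaries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["minute"] = entry["date"] + " " + entry["time"][:5]  # YYYY/MM/DD HH:MM
    entry["size_bytes"] = str(int(entry["size"].replace(",", "")))
    return entry


def suspicious_clusters(lines: List[str], min_files: int = 3) -> Dict[str, List[str]]:
    """Group no-company files under the profile markers by creation minute
    and return only the minutes holding at least `min_files` such files."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        e = parse_otl_entry(line)
        if e is None or e["company"]:
            continue  # skip non-entries and files that carry a publisher name
        if not any(marker in e["path"] for marker in PROFILE_MARKERS):
            continue
        buckets[e["minute"]].append(e["path"])
    return {minute: paths for minute, paths in buckets.items() if len(paths) >= min_files}


# Sample input: lines copied from the OTL log posted in this thread, plus
# a few header/summary lines so the parser's skipping logic is exercised.
SAMPLE_LOG = r"""
========== Files - No Company Name ==========
[2010/12/08 10:31:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/25 11:41:17 | 000,018,393 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\cuvumowaxu.exe
[2009/09/25 11:41:17 | 000,018,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ijodyfigu.pif
[2009/09/25 11:41:17 | 000,017,324 | ---- | C] () -- C:\Documents and Settings\Jim\Application Data\umoxywumol.vbs
[2009/09/25 11:41:15 | 000,018,206 | ---- | C] () -- C:\Program Files\Common Files\iluqovag._dl
[2009/09/25 11:06:10 | 000,013,547 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\ywurob.vbs
[2009/02/10 17:16:46 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/10/27 18:42:09 | 000,001,449 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2003/04/21 00:00:00 | 000,016,384 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD58.DLL
[1 C:\WINDOWS\inf\*.tmp files -> C:\WINDOWS\inf\*.tmp -> ]
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CA54532
""".strip().splitlines()


def main() -> None:
    for minute, paths in sorted(suspicious_clusters(SAMPLE_LOG).items()):
        print(f"{minute}: {len(paths)} no-company files created in one minute")
        for p in paths:
            print("   ", p)


if __name__ == "__main__":
    main()
```

On the sample above only the 11:41 minute is reported; the lone 11:06 file and the single HP install log fall under the threshold, which is the point of clustering rather than flagging every no-company file.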
  5. slimjim028 Newcomer, in training

    Java updated and old stuff removed per instructions. Here are the OTL and Security Check logs. Also, TFC run complete.

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onmycam.com\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onmycam.net\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onmycam.org\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com\ deleted successfully.
    Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
    C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
    C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    C:\WINDOWS\system32\YSUKXVESZ moved successfully.
    C:\WINDOWS\system32\Ÿ9Ÿ9 moved successfully.
    C:\Documents and Settings\Jim\Application Data\ebic.dat moved successfully.
    C:\Documents and Settings\Jim\Application Data\cuvumowaxu.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\ijodyfigu.pif moved successfully.
    C:\Documents and Settings\Jim\Application Data\umoxywumol.vbs moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\guvotozaze.com moved successfully.
    C:\Documents and Settings\Jim\Application Data\natarogaje.inf moved successfully.
    C:\Documents and Settings\All Users\Application Data\afacynaj.bin moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\tunonyhyd.dll moved successfully.
    C:\Program Files\Common Files\iluqovag._dl moved successfully.
    C:\Program Files\Common Files\timybidu.inf moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\esyset.lib moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\gaty.ban moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\ywurob.vbs moved successfully.
    C:\Documents and Settings\Jim\Application Data\rematuzej.db moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\hagehe.scr moved successfully.
    C:\Documents and Settings\All Users\Application Data\bogufapo.exe moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\mylegany.lib moved successfully.
    C:\Documents and Settings\Jim\Application Data\cerufuku._sy moved successfully.
    C:\Documents and Settings\Jim\Application Data\atik.lib moved successfully.
    C:\Documents and Settings\All Users\Application Data\farib.com moved successfully.
    C:\Documents and Settings\All Users\Application Data\awitygos.ban moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Application Data\jypy.sys moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2CA54532 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    D:\Program Files\Common Files\Real\Toolbar\RealBar.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Aimee
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Jim
    ->Temp folder emptied: 9283114 bytes
    ->Temporary Internet Files folder emptied: 38569316 bytes
    ->Java cache emptied: 2040 bytes
    ->Google Chrome cache emptied: 222453282 bytes
    ->Flash cache emptied: 8614 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 45294 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33632 bytes
    RecycleBin emptied: 3064853 bytes

    Total Files Cleaned = 261.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: Aimee
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: Jim
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.18.0 log created on 12272010_194444

    Files\Folders moved on Reboot...
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\QL1S63CH\sh29[1].html moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\KCL0E02O\ads[6].htm moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\DS1MTIA2\topic158611-2[3].html moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\4M4SA3BT\crosspixel-dest[1].htm moved successfully.
    File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

    Registry entries deleted on Reboot...

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 7.0.9
    Adobe Reader 7.0.5 Language Support
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    ALWILS~1 Avast5 avastUI.exe
    ``````````End of Log````````````
  6. Broni Malware Annihilator

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note: If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), then download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page:

    [IMG]

    make sure you have both boxes UN-checked AND (important!) click on the Decline button

    ==================================================================

    Your computer is clean [IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  7. slimjim028 Newcomer, in training

    Below is the latest OTL log from the restore point reset. The computer seems to be doing fine. We'll see how the next cold boot up goes. As for the iexplore.exe problem, that seems to be fixed. Would you please summarize what was wrong? Thanks. I really appreciate all your help.

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Aimee
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56502 bytes

    User: Jim
    ->Temp folder emptied: 258978 bytes
    ->Temporary Internet Files folder emptied: 7493350 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 7471487 bytes
    ->Flash cache emptied: 456 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4673 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 15.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: Aimee
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Jim
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.18.0 log created on 12272010_210300

    Files\Folders moved on Reboot...
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\XRZ3AUT2\ads[3].htm moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\XRZ3AUT2\crosspixel-dest[1].htm moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\XB1BQT2L\sh29[1].html moved successfully.
    C:\Documents and Settings\Jim\Local Settings\Temporary Internet Files\Content.IE5\VVQX7GSC\topic158611-2[1].html moved successfully.
    File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

    Registry entries deleted on Reboot...
  8. Broni Malware Annihilator

    Good news :)

    The main culprit was a rootkit, but there were also some "baddies", we removed through Combofix.

    Good luck and stay safe :)
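The OTL fix logs earlier in this thread are the only record of what was removed, and the question "what was wrong?" is answered by reading them: randomly named executable files (.vbs, .scr, .exe, .com) dropped under Application Data, plus alternate data streams hidden on a TEMP folder, are the dropper/rootkit footprint. As an added example (not part of the thread and not OTL's own code), here is a small Python triage helper that parses lines in the shape OTL writes, counts what was moved per directory, lists the deleted ADS entries, and flags executable file types that were sitting loose in a profile's Application Data folder. The sample lines are copied from the log above; the function names and the extension list are this example's own choices.

```python
"""Triage helper for an OTL fix log (added example, not OTL's own code)."""
import ntpath  # Windows path handling that also works when run on Linux/macOS
import re
from collections import defaultdict

# Constructed sample in the exact line shapes OTL writes; the file names are the
# ones that appeared in the thread's fix log.
SAMPLE_LOG = r"""
C:\Documents and Settings\Jim\Local Settings\Application Data\ywurob.vbs moved successfully.
C:\Documents and Settings\Jim\Local Settings\Application Data\hagehe.scr moved successfully.
C:\Documents and Settings\All Users\Application Data\bogufapo.exe moved successfully.
C:\Documents and Settings\Jim\Application Data\atik.lib moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2CA54532 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
D:\Program Files\Common Files\Real\Toolbar\RealBar.dll moved successfully.
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
# Greedy ".+" so the stream name is taken from the LAST colon, not the drive letter's.
ADS_RE = re.compile(r"^ADS (?P<path>.+):(?P<stream>\w+) deleted successfully\.$")
NOT_FOUND_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found!$")

# Executable content types that have no business sitting loose in Application Data.
# This list is an assumption of the example, not an OTL setting.
EXECUTABLE_EXT = {".exe", ".scr", ".vbs", ".com", ".dll", ".sys", ".bat", ".cmd", ".pif"}
PROFILE_MARKER = "\\application data\\"


def parse_fix_log(text):
    """Split an OTL fix log into moved files, deleted ADS entries and not-found items."""
    result = {"moved": [], "ads": [], "not_found": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOVED_RE.match(line):
            result["moved"].append(m.group("path"))
        elif m := ADS_RE.match(line):
            result["ads"].append((m.group("path"), m.group("stream")))
        elif m := NOT_FOUND_RE.match(line):
            result["not_found"].append(m.group("path"))
    return result


def flag_suspicious(moved_paths):
    """Return moved files that are executable types under an Application Data folder.

    Randomly named executables dropped into a user's or All Users' Application Data
    are the classic footprint of a dropper; a cleanup log listing several of them is
    the signal that the machine had more than a single stray file.
    """
    flagged = []
    for path in moved_paths:
        lower = path.lower()
        ext = ntpath.splitext(lower)[1]
        if PROFILE_MARKER in lower and ext in EXECUTABLE_EXT:
            flagged.append(path)
    return flagged


def count_by_directory(moved_paths):
    """Count moved files per parent directory, to see where the drops clustered."""
    counts = defaultdict(int)
    for path in moved_paths:
        counts[ntpath.dirname(path)] += 1
    return dict(counts)


def triage(text):
    """Produce a compact summary a helper could paste back into the thread."""
    parsed = parse_fix_log(text)
    flagged = flag_suspicious(parsed["moved"])
    return {
        "moved": len(parsed["moved"]),
        "ads_streams": [f"{p}:{s}" for p, s in parsed["ads"]],
        "not_found": parsed["not_found"],
        "flagged_names": [ntpath.basename(p) for p in flagged],
        "by_directory": count_by_directory(parsed["moved"]),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['moved']} files moved")
    for directory, n in summary["by_directory"].items():
        print(f"  {n:2d}  {directory}")
    print("executables dropped in Application Data:", ", ".join(summary["flagged_names"]))
    print("alternate data streams removed:", len(summary["ads_streams"]))
    for item in summary["not_found"]:
        print("already gone (not found):", item)
```

Point it at a saved OTL fix log instead of SAMPLE_LOG to get the same summary for a real run. The "not found" items are worth keeping in the report: they show which lines of the fix script had nothing left to act on, which is normal when an earlier tool (here, avast or ComboFix) already removed the file.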
  9. slimjim028 Newcomer, in training

    The computer is running good once logged in and when we rebooted yesterday while I was executing your last sets of instructions there were no boot problems. Today however, when I initially powered on and booted up, the computer rebooted numerous times before finally stabilizing. During the first 3 reboots (never got to the logon screen) I was asked if I wanted to start Windows normally or revert to the last known good configuration. I chose start normally. Next, it rebooted two times in a row after reaching the logon screen and logging on. Finally, after the third logon, here I am. So, I'm not sure if it has something to do with the Microsoft update I did a couple weeks ago or all the "fixing" we did over the last week. Thoughts?
  10. Broni Malware Annihilator

    Run the computer for couple more days and keep me updated.
  11. slimjim028 Newcomer, in training

    The same "cold" boot up problems still exist and seem identical every time. If I'm logged in and reboot, like we did over the last week, everything seems to be ok. It's only on boot up from "cold". Thoughts?
  12. Broni Malware Annihilator

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck there :)
  13. slimjim028 Newcomer, in training

  14. Broni Malware Annihilator

    Sure thing :)