Solved Disconcerting Email - Suspect compromise/hack/malware


drhodsdon

B00kwyrm is here with me (visiting at my home), and has helped me run the 8 steps.
The reason we decided to run them and post is this:
I received an email which had attached pix and notes I had composed or taken but not sent out.
The email had an address I knew (a friend from my address book) as its origin, but they denied sending me the note.
The email headers had another address that I did not know. I deleted the email before realizing I might need the information.

My computer is a Gateway laptop, running XP Media Edition, SP3.
The Hard drive has a large boot-partition and a small "recovery partition".
I have been using ZoneAlarm as my firewall. I did not have an active AV.
The computer came with McAfee, but it has not been used since the "trial" period ran out.


Summary of the 8 steps...
  • Avira updated and ran without recognizing problems. Log will be posted.
  • TFC ran without problems... cleaning up a lot of temp files.
  • MBAM updated and ran finding two registry keys that were suspect... Initially we did not repair; then we reran and we allowed repair. Log will be posted. When MBAM ran, Avira generated a pop-up alert that it had blocked Autorun of D:\autorun.inf. The D: partition is a recovery partition on my main drive.
  • GMER ran, but refused to save the results (seeming to freeze after naming the file to save as). We tried several times, including disabling FW and Avira, with the same results. We tried unchecking "drivers", to no avail. Finally ran it in safe mode, with success in saving. Log will be posted.
  • DDS ran and logs will be posted.

Your assistance in evaluating my situation will be much appreciated.
B00kwyrm says hi.

Avira Log


Avira AntiVir Personal
Report file date: Monday, October 11, 2010 22:46

Scanning for 1990003 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Owner
Computer name : YOUR-A0281B86C4

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 16:29:03
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 16:29:03
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 16:29:03
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 16:29:03
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 16:29:03
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 16:29:03
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 16:29:03
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 16:29:03
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 20:43:21
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 20:24:21
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 22:41:40
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 14:25:53
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 14:39:58
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 18:01:24
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 15:24:56
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 12:04:23
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 14:23:02
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 22:47:50
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:11:22
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 22:53:48
VBASE025.VDF : 7.10.5.254 187904 Bytes 3/30/2010 18:56:47
VBASE026.VDF : 7.10.6.18 130560 Bytes 4/1/2010 10:56:20
VBASE027.VDF : 7.10.6.34 136192 Bytes 4/6/2010 14:43:55
VBASE028.VDF : 7.10.6.44 232448 Bytes 4/7/2010 14:59:22
VBASE029.VDF : 7.10.6.60 124416 Bytes 4/12/2010 17:43:17
VBASE030.VDF : 7.10.6.61 2048 Bytes 4/12/2010 17:43:17
VBASE031.VDF : 7.10.6.62 17408 Bytes 4/12/2010 17:43:17
Engineversion : 8.2.1.210
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 17:16:21
AESCRIPT.DLL : 8.1.3.24 1282425 Bytes 4/1/2010 21:05:26
AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 23:38:41
AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 16:09:47
AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 16:09:47
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 17:34:51
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 16:09:46
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/26/2010 23:43:13
AEHELP.DLL : 8.1.11.3 242039 Bytes 4/1/2010 21:05:25
AEGEN.DLL : 8.1.3.6 373108 Bytes 4/1/2010 21:05:25
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 14:04:22
AECORE.DLL : 8.1.13.1 188790 Bytes 4/1/2010 21:05:25
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 17:15:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, October 11, 2010 22:46

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'cidaemon.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'BrMfcWnd.exe' - '1' Module(s) have been scanned
Scan process 'bigfix.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'lxdiamon.exe' - '1' Module(s) have been scanned
Scan process 'lxdimon.exe' - '1' Module(s) have been scanned
Scan process 'AOLSoftware.exe' - '1' Module(s) have been scanned
Scan process 'pptd40nt.exe' - '1' Module(s) have been scanned
Scan process 'lxbfbmon.exe' - '1' Module(s) have been scanned
Scan process 'lxbfbmgr.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'ifrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'sm56hlpr.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'iaanotif.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'lxdicoms.exe' - '1' Module(s) have been scanned
Scan process 'iaantmon.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'cisvc.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'brss01a.exe' - '1' Module(s) have been scanned
Scan process 'brsvc01a.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '491' files ).



End of the scan: Monday, October 11, 2010 22:47
Used time: 00:38 Minute(s)

The scan has been done completely.

0 Scanned directories
994 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
994 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes
 
Welcome aboard


I still need those other logs....
 
MBAM Log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4806

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/12/2010 7:29:48 PM
mbam-log-2010-10-12 (19-29-48).txt

Scan type: Quick scan
Objects scanned: 155759
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

NOTE: We re-ran and allowed repair.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4806

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/12/2010 7:29:56 PM
mbam-log-2010-10-12 (19-29-56).txt

Scan type: Quick scan
Objects scanned: 155759
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER Log
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-13 10:10:43
Windows 5.1.2600 Service Pack 3
Running: vehc9mzl.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwxyqpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----


DDS Log
DDS (Ver_10-10-10.03) - NTFSx86
Run by Owner at 10:19:14.81 on Wed 10/13/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1499 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\AOL\1236780990\ee\AOLSoftware.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] "c:\program files\motorola\smserial\sm56hlpr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ControlCenter2.0] "c:\program files\brother\controlcenter2\brctrcen.exe" /autorun
mRun: [SetDefPrt] "c:\program files\brother\brmfl04b\BrStDvPt.exe"
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [HostManager] c:\program files\common files\aol\1236780990\ee\AOLSoftware.exe
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotusq~1.lnk - c:\lotus\wordpro\ltsstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\we4m7u5w.default\
FF - plugin: c:\documents and settings\owner.your-a0281b86c4\application data\mozilla\firefox\profiles\we4m7u5w.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\owner.your-a0281b86c4\application data\mozilla\firefox\profiles\we4m7u5w.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-11 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-12-6 532224]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-11 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-11 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-11 60936]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-1 135664]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2010-6-14 99248]

=============== Created Last 30 ================

2010-10-12 03:19:47 -------- d-----w- c:\docume~1\owner~1.you\applic~1\Avira
2010-10-12 02:59:43 -------- d-----w- c:\docume~1\owner~1.you\applic~1\Malwarebytes
2010-10-12 02:59:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 02:59:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 02:59:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 02:59:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-12 02:45:02 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-12 02:45:01 -------- d-----w- c:\program files\Avira
2010-10-12 02:45:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-09-22 22:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-22 22:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-08-23 11:53:38 409277 ----a-w- c:\documents and settings\all users\SPL39.tmp
2010-08-23 11:49:57 225161 ----a-w- c:\documents and settings\all users\SPL38.tmp
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 10:21:10.89 ===============

NOTE: The events listed from 10/11 through 10/13 were from disabling processes with Windows Task Manager. B00kwyrm did this in an effort to slim down what was running and hopefully allow GMER to run without going to Safe Mode.
DDS - Attach Log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/29/2006 4:06:18 PM
System Uptime: 10/13/2010 10:11:34 AM (0 hours ago)

Motherboard: Gateway | |
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | uFCPGA2 | 1663/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 142 GiB total, 110.027 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 4.64 GiB free.
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4352&SUBSYS_0366107B&REV_14\4&9EE4DCE&0&00E0
Manufacturer: Marvell
Name: Marvell Yukon 88E8038 PCI-E Fast Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4352&SUBSYS_0366107B&REV_14\4&9EE4DCE&0&00E0
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10008086&REV_02\4&115ADF0F&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10008086&REV_02\4&115ADF0F&0&00E1
Service: w39n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\660317D3E0B803
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\660317D3E0B803
Service: NIC1394

==== System Restore Points ===================

RP838: 7/15/2010 8:18:41 AM - System Checkpoint
RP839: 7/15/2010 8:18:17 PM - Installed Adobe Reader 9.3.3.
RP840: 7/17/2010 8:32:43 AM - System Checkpoint
RP841: 7/18/2010 1:16:24 PM - System Checkpoint
RP842: 7/20/2010 9:05:11 AM - System Checkpoint
RP843: 7/21/2010 1:55:15 PM - System Checkpoint
RP844: 7/22/2010 3:31:40 PM - System Checkpoint
RP845: 7/23/2010 5:22:53 PM - System Checkpoint
RP846: 7/25/2010 3:12:58 PM - System Checkpoint
RP847: 7/26/2010 4:20:41 PM - System Checkpoint
RP848: 7/27/2010 6:57:47 PM - System Checkpoint
RP849: 7/29/2010 12:24:06 PM - System Checkpoint
RP850: 7/30/2010 2:13:57 PM - System Checkpoint
RP851: 8/1/2010 5:54:24 AM - System Checkpoint
RP852: 8/2/2010 6:01:02 PM - System Checkpoint
RP853: 8/3/2010 6:58:30 AM - Software Distribution Service 3.0
RP854: 8/5/2010 10:40:27 AM - System Checkpoint
RP855: 8/6/2010 1:27:08 PM - System Checkpoint
RP856: 8/8/2010 5:43:48 AM - System Checkpoint
RP857: 8/9/2010 5:07:29 PM - System Checkpoint
RP858: 8/11/2010 8:59:18 PM - System Checkpoint
RP859: 8/12/2010 5:35:30 AM - Software Distribution Service 3.0
RP860: 8/13/2010 10:28:53 AM - System Checkpoint
RP861: 8/15/2010 8:00:42 PM - System Checkpoint
RP862: 8/17/2010 10:15:38 AM - System Checkpoint
RP863: 8/18/2010 1:44:52 PM - System Checkpoint
RP864: 8/19/2010 2:11:00 PM - System Checkpoint
RP865: 8/20/2010 5:48:50 PM - System Checkpoint
RP866: 8/23/2010 7:36:24 AM - System Checkpoint
RP867: 8/25/2010 8:08:09 AM - System Checkpoint
RP868: 8/27/2010 7:38:36 PM - System Checkpoint
RP869: 8/29/2010 2:37:20 PM - System Checkpoint
RP870: 8/31/2010 3:27:13 PM - System Checkpoint
RP871: 9/1/2010 5:35:01 PM - System Checkpoint
RP872: 9/2/2010 7:21:50 PM - System Checkpoint
RP873: 9/5/2010 7:58:21 AM - System Checkpoint
RP874: 9/6/2010 10:55:01 AM - System Checkpoint
RP875: 9/7/2010 1:11:43 PM - System Checkpoint
RP876: 9/9/2010 7:40:58 AM - System Checkpoint
RP877: 9/12/2010 12:55:05 PM - System Checkpoint
RP878: 9/13/2010 3:52:47 PM - System Checkpoint
RP879: 9/15/2010 6:31:42 AM - System Checkpoint
RP880: 9/16/2010 7:07:33 AM - Software Distribution Service 3.0
RP881: 9/17/2010 10:57:30 AM - System Checkpoint
RP882: 9/18/2010 7:49:16 PM - System Checkpoint
RP883: 9/20/2010 9:16:51 AM - System Checkpoint
RP884: 9/21/2010 1:44:12 PM - System Checkpoint
RP885: 9/22/2010 1:59:39 PM - System Checkpoint
RP886: 9/23/2010 3:25:35 PM - System Checkpoint
RP887: 9/24/2010 5:55:34 PM - System Checkpoint
RP888: 9/26/2010 2:59:15 PM - System Checkpoint
RP889: 9/28/2010 4:17:31 PM - System Checkpoint
RP890: 9/29/2010 7:38:46 AM - Software Distribution Service 3.0
RP891: 9/30/2010 5:39:51 PM - System Checkpoint
RP892: 10/1/2010 7:23:22 PM - System Checkpoint
RP893: 10/2/2010 7:24:17 PM - System Checkpoint
RP894: 10/6/2010 1:24:39 PM - System Checkpoint
RP895: 10/9/2010 5:36:45 PM - Software Distribution Service 3.0
RP896: 10/11/2010 9:20:14 PM - System Checkpoint
RP897: 10/11/2010 10:35:00 PM - Removed Trend Micro Antivirus

=====continued next post=====
 
==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus
ABBYY FineReader 6.0 Sprint
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
AOL Registration
AOL Uninstaller (Choose which Products to Remove)
ArcSoft Camera Suite
Avira AntiVir Personal - Free Antivirus
BigFix
Brother MFL-Pro Suite
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Critical Update for Windows Media Player 11 (KB959772)
DeLorme Street Atlas USA 2007
DeLorme Street Atlas USA 2007 Service Pack 3
DeLorme Street Atlas USA 2010 Plus
DeLorme Topo USA 6
DeLorme Topo USA 6.0 DVD Data
DeLorme Topo USA 6.0 PN Merge Modules
DVD Solution
Earthmate Image Tagger
Family Tree Maker 7.0
File Viewer Utility 1.3
Garmin USB Drivers
Garmin WebUpdater
Google Earth
Google Update Helper
gtw_logo
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel Matrix Storage Manager
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 2
Learn2 Player (Uninstall Only)
Lexmark 3500-4500 Series
Lexmark Fax Solutions
Lexmark Toolbar
Lexmark X6100 Series
Lotus SmartSuite - English
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft IntelliPoint 5.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
mIWA
mLogView
mMHouse
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.6.10)
mPfMgr
mPfWiz
mProSafe
MSN
mWlsSafe
mXML
mZConfig
Napster Burn Engine
PaperPort
PhotoStitch
Power2Go 4.0
PowerDVD
Print Artist Craft & Party Maker
Print to Fax
QuickTime
RealPlayer Basic
Recovery Software Suite Gateway
RemoteCapture 2.7.3
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Sonic Encoders
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC 9.0 Runtime
Viewpoint Media Player
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

10/9/2010 7:20:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/9/2010 6:20:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/9/2010 5:50:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/9/2010 5:35:48 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/6/2010 1:09:06 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
10/6/2010 1:09:04 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxdiCATSCustConnectService service to connect.
10/6/2010 1:09:04 PM, error: Service Control Manager [7000] - The lxdiCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/13/2010 9:02:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/13/2010 8:55:41 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip vsdatant
10/13/2010 8:55:41 AM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
10/13/2010 8:55:41 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/13/2010 8:55:41 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/13/2010 8:55:41 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/13/2010 8:55:41 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/13/2010 8:54:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/13/2010 8:54:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/13/2010 3:11:08 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/13/2010 3:10:21 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/13/2010 3:09:59 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
10/12/2010 8:11:16 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AntiVirSchedulerService service.
10/12/2010 12:48:24 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the PolicyAgent service.
10/11/2010 11:53:43 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The PrismXL service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The lxdi_device service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:49:16 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
10/11/2010 10:43:47 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
10/11/2010 10:43:47 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
10/11/2010 10:43:47 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

==== End Of File ===========================
 
Thanks for your help, Broni.
I had to wait to add the rest until the first post was approved by the moderator.
We were away, sightseeing today, and just got back.
 
Download MBRCheck to your desktop.

Double-click MBRCheck.exe to run (Vista and Windows 7 users, right-click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.


======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Okay, Broni... the first mbrcheck log is on my machine.
I am logged on from another, as I just got a BSOD from combofix...
0xD1 (0xE47C0000, etc)
mbr.sys - address 9982d41d base at 9982c000 datestamp 4add63e5

I have not yet closed the blue screen or tried to reboot.
 
mbrcheck

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 177):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 aliide.sys
0xBA5AE000 intelide.sys
0xBA5B0000 toside.sys
0xBA5B2000 viaide.sys
0xBA5B4000 cmdide.sys
0xB9F4A000 pcmcia.sys
0xBA0D8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA5B6000 dmload.sys
0xB9F05000 dmio.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xBA4C8000 cpqarray.sys
0xB9EED000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9E17000 IASTOR.SYS
0xB9DFF000 atapi.sys
0xBA4CC000 aha154x.sys
0xBA338000 sparrow.sys
0xBA4D0000 symc810.sys
0xBA0F8000 aic78xx.sys
0xBA4D4000 dac960nt.sys
0xBA108000 ql10wnt.sys
0xBA4D8000 amsint.sys
0xBA340000 asc.sys
0xBA4DC000 asc3550.sys
0xBA348000 mraid35x.sys
0xBA350000 i2omp.sys
0xBA4E0000 ini910u.sys
0xBA118000 ql1240.sys
0xBA128000 aic78u2.sys
0xBA358000 symc8xx.sys
0xBA360000 sym_hi.sys
0xBA368000 sym_u3.sys
0xBA370000 ABP480N5.SYS
0xBA378000 asc3350p.sys
0xBA5B8000 cd20xrnt.sys
0xBA138000 ultra.sys
0xB9DE6000 adpu160m.sys
0xBA380000 dpti2o.sys
0xBA148000 ql1080.sys
0xBA158000 ql1280.sys
0xBA168000 ql12160.sys
0xBA388000 perc2.sys
0xBA5BA000 perc2hib.sys
0xBA390000 hpn.sys
0xBA4E4000 cbidf2k.sys
0xB9DBA000 dac2w2k.sys
0xBA178000 disk.sys
0xBA188000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9D9A000 fltmgr.sys
0xB9D88000 sr.sys
0xBA398000 PxHelp20.sys
0xB9D71000 KSecDD.sys
0xB9CE4000 Ntfs.sys
0xB9CB7000 NDIS.sys
0xBA198000 viaagp.sys
0xBA1A8000 sisagp.sys
0xB9C9D000 Mup.sys
0xBA1B8000 alim1541.sys
0xBA1C8000 amdagp.sys
0xBA1D8000 agp440.sys
0xBA1E8000 agpCPQ.sys
0xB9C1D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB8F82000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB8EC7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8E39000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8BA2000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA448000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8465000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB826F000 \SystemRoot\system32\drivers\tifm21.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8116000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA468000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9688000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xB9668000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB9658000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7B27000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3C8000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xBA5DA000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA745000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9638000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9B80000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7768000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9628000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB9618000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7589000 \SystemRoot\system32\DRIVERS\psched.sys
0xB95F8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA428000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA410000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xB7463000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA308000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB72F4000 \SystemRoot\system32\DRIVERS\update.sys
0xBA580000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9C6D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA6751000 \SystemRoot\system32\drivers\sthda.sys
0xA672D000 \SystemRoot\system32\drivers\portcls.sys
0xBA318000 \SystemRoot\system32\drivers\drmk.sys
0xA6652000 \SystemRoot\system32\DRIVERS\smserial.sys
0xBA3E8000 \SystemRoot\System32\Drivers\Modem.SYS
0xA6E3C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB9B38000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA54EC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB9B34000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA6B3B000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA638000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6EB000 \SystemRoot\System32\Drivers\Null.SYS
0xBA63A000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA480000 \SystemRoot\System32\drivers\vga.sys
0xBA63C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA63E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA488000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA490000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA6B33000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA2A40000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA29E7000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA29BF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA2999000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA54DC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA28F0000 \SystemRoot\System32\vsdatant.sys
0xA194F000 \SystemRoot\System32\drivers\afd.sys
0xA4BA9000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA450000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xA1924000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA188C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA2B03000 \SystemRoot\System32\Drivers\Fips.SYS
0xA186A000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xBA5DE000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x98B20000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x99E85000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x98A4A000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA2985000 \SystemRoot\System32\drivers\Dxapi.sys
0x98ECF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0x99518000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF021000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF043000 \SystemRoot\System32\ialmdev5.DLL
0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x98A35000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xA6B03000 \SystemRoot\system32\DRIVERS\AegisP.sys
0x98DFE000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA6B37000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x988B8000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA278000 \SystemRoot\system32\drivers\sysaudio.sys
0x9883D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA602000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0x98614000 \SystemRoot\System32\Drivers\HTTP.sys
0x9856D000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA5F2000 \??\C:\WINDOWS\system32\drivers\pmemnt.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 70):
0 System Idle Process
4 System
608 C:\WINDOWS\system32\smss.exe
664 csrss.exe
688 C:\WINDOWS\system32\winlogon.exe
732 C:\WINDOWS\system32\services.exe
744 C:\WINDOWS\system32\lsass.exe
916 C:\WINDOWS\system32\svchost.exe
980 svchost.exe
1020 C:\WINDOWS\system32\svchost.exe
1076 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1104 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1164 svchost.exe
1240 svchost.exe
1348 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1676 C:\WINDOWS\explorer.exe
1300 C:\WINDOWS\system32\brsvc01a.exe
1312 C:\WINDOWS\system32\LEXBCES.EXE
1328 C:\WINDOWS\system32\brss01a.exe
1380 C:\WINDOWS\system32\LEXPPS.EXE
1388 C:\WINDOWS\system32\spoolsv.exe
1440 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1776 svchost.exe
192 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
196 C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
220 C:\WINDOWS\system32\cisvc.exe
272 C:\WINDOWS\ehome\ehSched.exe
460 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
504 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1652 C:\WINDOWS\system32\lxdicoms.exe
2056 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
2104 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2196 svchost.exe
2232 C:\WINDOWS\system32\svchost.exe
2352 mcrdsvc.exe
2804 C:\WINDOWS\system32\dllhost.exe
3140 alg.exe
3740 C:\WINDOWS\ehome\ehtray.exe
3772 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
3792 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3860 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3880 C:\WINDOWS\ehome\ehmsas.exe
3956 C:\WINDOWS\stsystra.exe
4044 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
2040 C:\WINDOWS\system32\hkcmd.exe
176 C:\WINDOWS\system32\igfxpers.exe
2000 C:\WINDOWS\system32\svchost.exe
1976 C:\WINDOWS\system32\igfxsrvc.exe
1932 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
2028 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
2256 C:\Program Files\Microsoft IntelliPoint\point32.exe
2288 C:\Program Files\QuickTime\qttask.exe
2320 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
2388 C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
2620 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
2912 C:\Program Files\Common Files\AOL\1236780990\ee\aolsoftware.exe
3020 C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
3024 C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
3064 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
2504 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3736 C:\WINDOWS\system32\ctfmon.exe
3752 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
924 C:\Program Files\Messenger\msmsgs.exe
2412 C:\Program Files\BigFix\bigfix.exe
1252 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
1160 C:\WINDOWS\system32\wuauclt.exe
548 C:\Program Files\Mozilla Firefox\firefox.exe
1656 C:\Program Files\Mozilla Firefox\plugin-container.exe
3380 C:\WINDOWS\system32\cidaemon.exe
1596 C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`b5ce7a00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: HitachiHTS541616J9SA00, Rev: SB4OC70P

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


Done!
 
combofix log

ComboFix 10-10-12.03 - Owner 10/13/2010 23:07:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1407 [GMT -4:00]
Running from: c:\documents and settings\Owner.YOUR-A0281B86C4\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-13 01:57 . 2010-10-13 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-12 03:19 . 2010-10-12 03:19 -------- d-----w- c:\documents and settings\Owner.YOUR-A0281B86C4\Application Data\Avira
2010-10-12 02:59 . 2010-10-12 02:59 -------- d-----w- c:\documents and settings\Owner.YOUR-A0281B86C4\Application Data\Malwarebytes
2010-10-12 02:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 02:59 . 2010-10-12 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 02:59 . 2010-10-12 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-12 02:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 02:45 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-12 02:45 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-12 02:45 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-10-12 02:45 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-10-12 02:45 . 2010-10-12 02:45 -------- d-----w- c:\program files\Avira
2010-10-12 02:45 . 2010-10-12 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-11 98304]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-04-21 57344]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"SetDefPrt"="c:\program files\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 49152]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"HostManager"="c:\program files\Common Files\AOL\1236780990\ee\AOLSoftware.exe" [2008-06-24 41824]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-9-11 2168360]
Lotus QuickStart.lnk - c:\lotus\wordpro\ltsstart.exe [2002-8-8 32768]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2007-10-1 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4r.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\Program Files\\AOL\\RC\\regclient.exe"=
"c:\\Program Files\\Common Files\\AOL\\1236780990\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/11/2010 10:45 PM 135336]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 2:55 PM 135664]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [6/14/2010 4:10 PM 99248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 18:55]

2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 18:55]

2006-11-29 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-29 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-29 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Firefox\Profiles\we4m7u5w.default\
FF - plugin: c:\documents and settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Firefox\Profiles\we4m7u5w.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Firefox\Profiles\we4m7u5w.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-msci - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\2006112916925_mcinfo.exe


.
Completion time: 2010-10-13 23:18:27
ComboFix-quarantined-files.txt 2010-10-14 03:18

Pre-Run: 117,758,656,512 bytes free
Post-Run: 117,652,803,584 bytes free

- - End Of File - - C4D7DC588A99DFF05384540FA44302E5
 
Both logs look good :)

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
otl.txt part1

OTL logfile created on: 10/13/2010 11:43:41 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.20 Gb Total Space | 109.59 Gb Free Space | 77.07% Space Free | Partition Type: NTFS
Drive D: | 6.83 Gb Total Space | 4.64 Gb Free Space | 67.96% Space Free | Partition Type: FAT32
Drive E: | 49.22 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: YOUR-A0281B86C4 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2010/10/13 23:39:26 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\OTL.exe
PRC - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2010/06/23 13:51:30 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/06/24 14:34:50 | 000,041,824 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\1236780990\ee\aolsoftware.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/07 14:07:08 | 000,435,120 | ---- | M] () -- C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
PRC - [2007/04/26 11:38:38 | 000,517,040 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdicoms.exe
PRC - [2007/03/05 08:40:25 | 000,020,480 | ---- | M] (Lexmark) -- C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
PRC - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
PRC - [2006/09/11 01:56:35 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2006/05/23 22:22:36 | 000,573,440 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2005/12/28 14:56:16 | 000,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2005/12/28 14:55:40 | 000,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2005/12/28 14:52:32 | 000,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2005/12/28 14:47:10 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/12/28 14:45:02 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/12/28 14:44:24 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/12/27 13:20:14 | 000,413,696 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/10/12 15:30:42 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/10/12 15:30:24 | 000,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2005/10/11 15:47:58 | 002,168,360 | ---- | M] (BigFix Inc.) -- C:\Program Files\BigFix\bigfix.exe
PRC - [2004/11/05 10:47:00 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/04/14 14:46:50 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PRC - [2004/03/26 19:30:12 | 000,819,200 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2003/04/21 02:00:22 | 000,049,152 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
PRC - [2003/04/21 01:38:12 | 000,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
PRC - [2001/12/12 20:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2010/10/13 23:39:26 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/11/05 10:47:00 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/06/23 13:52:56 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/29 08:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/04/26 11:38:38 | 000,517,040 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdicoms.exe -- (lxdi_device)
SRV - [2007/04/26 11:38:21 | 000,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe -- (lxdiCATSCustConnectService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2006/09/11 01:56:35 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2005/12/28 14:47:10 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2005/12/28 14:45:02 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2005/12/28 14:44:24 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2005/11/14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/10/12 15:30:24 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel(R)
SRV - [2002/04/11 20:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Stopped] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/09/11 01:54:50 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/06/15 18:28:04 | 001,179,784 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/23 22:30:06 | 000,893,952 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2006/01/22 20:50:00 | 000,244,480 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/12/28 16:22:08 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/12/05 03:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel(R)
DRV - [2005/10/12 15:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2005/09/21 03:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/11/10 20:30:18 | 000,024,832 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2004/11/10 20:27:34 | 000,044,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/11/05 10:47:00 | 000,185,824 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2003/01/10 17:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/18 00:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 00:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 00:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 00:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 00:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 23:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 23:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 23:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 23:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 23:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 23:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 23:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 23:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 23:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [1999/03/08 08:15:00 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PMEMNT.SYS -- (PMEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6931
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/20 09:42:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/12 21:58:17 | 000,000,000 | ---D | M]

[2009/01/14 10:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Extensions
[2010/10/13 10:39:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Firefox\Profiles\we4m7u5w.default\extensions
[2010/05/09 14:30:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Firefox\Profiles\we4m7u5w.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/06/27 16:55:45 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Mozilla\Firefox\Profiles\we4m7u5w.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/01/14 10:06:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/19 14:47:45 | 000,024,673 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
 
otl -part 2

O1 HOSTS File: ([2010/10/13 23:16:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (ZoneAlarm Spy Blocker BHO) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1236780990\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Lexmark X6100 Series] C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [lxdiamon] C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe (Lexmark)
O4 - HKLM..\Run: [lxdimon.exe] C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe ()
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Power2GoExpress] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe (Lotus Development Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.255.252.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 05:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/10/13 23:39:26 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\OTL.exe
[2010/10/13 23:01:27 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/10/13 22:46:56 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/10/13 22:45:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/10/13 22:45:01 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/10/13 22:45:01 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/10/13 22:45:01 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/10/13 22:44:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/13 22:44:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/12 21:57:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/10/12 21:57:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/10/11 23:19:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Avira
[2010/10/11 22:59:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Malwarebytes
[2010/10/11 22:59:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/11 22:59:27 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/11 22:59:27 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/11 22:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/10/11 22:45:05 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/10/11 22:45:02 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/10/11 22:45:02 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/10/11 22:45:02 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/10/11 22:45:02 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/10/11 22:45:01 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/10/11 22:45:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/10/11 22:42:59 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\TFC.exe
[2010/10/11 22:42:55 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\mbam-setup-1.46.exe
[2010/08/25 11:02:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\Mike and Anna Trip to Maine August 2010
[2010/07/22 13:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2010/07/22 13:29:13 | 000,000,000 | ---D | C] -- C:\Program Files\Garmin
[2010/06/14 16:07:46 | 001,187,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiserv.dll
[2010/06/14 16:07:46 | 000,942,080 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiusb1.dll
[2010/06/14 16:07:46 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiinpa.dll
[2010/06/14 16:07:46 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiiesc.dll
[2010/06/14 16:07:46 | 000,311,296 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdihcp.dll
[2010/06/14 16:07:45 | 000,614,400 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdipmui.dll
[2010/06/14 16:07:45 | 000,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdilmpm.dll
[2010/06/14 16:07:45 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiprox.dll
[2010/06/14 16:07:45 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdipplc.dll
[2010/06/14 16:07:44 | 000,671,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdihbn3.dll
[2010/06/14 16:07:43 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdicomc.dll
[2010/06/14 16:07:43 | 000,360,448 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdicomm.dll
[16 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/10/13 23:39:26 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\OTL.exe
[2010/10/13 23:16:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/13 22:59:09 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/13 22:58:12 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/10/13 22:57:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/13 22:57:55 | 2137,182,208 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/13 22:47:01 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2010/10/13 22:35:49 | 003,878,092 | R--- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\ComboFix.exe
[2010/10/13 22:34:38 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck(2).exe
[2010/10/13 22:34:24 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck.exe
[2010/10/13 22:14:11 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/10/12 22:58:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\vehc9mzl.exe
[2010/10/12 21:58:18 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/11 22:59:32 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/11 22:45:23 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/10/11 22:25:20 | 000,544,768 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\dds.scr
[2010/10/11 22:24:29 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\mbzz3pgm.exe
[2010/10/11 22:23:14 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\mbam-setup-1.46.exe
[2010/10/11 22:21:44 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\TFC.exe
[2010/10/11 22:21:18 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\avira_antivir_personal_en.exe
[2010/10/09 18:04:35 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/09 17:42:49 | 000,442,114 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/09 17:42:49 | 000,071,884 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/24 13:18:43 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/09/22 12:44:22 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/09/16 07:11:35 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/13 12:45:30 | 000,002,373 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Street Atlas USA 2010 Plus.lnk
[2010/08/29 20:20:02 | 000,024,814 | ---- | M] () -- C:\Documents and Settings\All Users\lxdi
[2010/08/12 06:01:37 | 000,255,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/21 21:32:00 | 000,000,082 | ---- | M] () -- C:\WINDOWS\MPLAYER.INI
[16 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
 
OTL - part 3

========== Files Created - No Company Name ==========

[2010/10/13 22:47:01 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/10/13 22:46:58 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/10/13 22:45:01 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/10/13 22:45:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/10/13 22:45:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/10/13 22:45:01 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/10/13 22:45:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/10/13 22:35:19 | 003,878,092 | R--- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\ComboFix.exe
[2010/10/13 22:34:38 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck(2).exe
[2010/10/13 22:34:23 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck.exe
[2010/10/13 10:12:04 | 2137,182,208 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/12 22:58:21 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\vehc9mzl.exe
[2010/10/12 21:58:17 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/11 22:59:32 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/11 22:45:23 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/10/11 22:42:58 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\mbzz3pgm.exe
[2010/10/11 22:42:55 | 000,544,768 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\dds.scr
[2010/10/11 22:42:31 | 044,089,904 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\avira_antivir_personal_en.exe
[2010/09/24 13:18:43 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/06/14 16:10:15 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdivs.dll
[2010/06/14 16:10:13 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxdicoin.dll
[2010/06/14 16:09:56 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdidrs.dll
[2010/06/14 16:09:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxdicaps.dll
[2010/06/14 16:09:55 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdicnv4.dll
[2010/06/14 16:08:00 | 000,000,060 | -H-- | C] () -- C:\WINDOWS\System32\lxdirwrd.ini
[2010/06/14 16:07:46 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxdiinst.dll
[2010/06/14 16:07:43 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdigrd.dll
[2008/06/22 20:45:23 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Application Data\fusioncache.dat
[2008/04/29 19:41:01 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/03/17 18:31:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\APPROACH.INI
[2007/12/06 22:31:11 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2007/10/27 11:16:13 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMON.DLL
[2007/10/27 11:16:13 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxf3oem.dll
[2007/10/27 11:16:13 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXF3FXPU.DLL
[2007/10/27 11:16:13 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMRC.DLL
[2007/10/01 19:54:34 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007/10/01 19:53:36 | 000,000,419 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2007/10/01 19:53:36 | 000,000,238 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2007/10/01 19:53:36 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2007/10/01 19:53:36 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/10/01 19:53:01 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2007/10/01 19:50:12 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/09/24 08:58:10 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/16 17:22:51 | 000,000,412 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/12/31 15:32:59 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2006/12/31 15:31:16 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2006/12/31 15:31:16 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2006/12/28 20:03:54 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2006/12/28 20:03:25 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2006/12/28 19:53:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/11/30 11:01:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\wklnhst.dat
[2006/11/29 17:27:12 | 000,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2006/11/29 17:10:33 | 000,000,006 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/09/11 02:01:59 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
[2006/09/11 01:49:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/21 05:48:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 05:24:58 | 000,001,280 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 05:24:57 | 000,000,519 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/06/16 22:31:45 | 000,004,324 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/14 12:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/04/21 01:36:01 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBFLCNP.DLL
[2002/11/13 11:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbfvs.dll
[2002/09/04 10:42:38 | 000,000,188 | ---- | C] () -- C:\WINDOWS\System32\lxbfcoin.ini
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1999/03/09 20:23:00 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1998/01/13 08:52:30 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\lotrn13.dll
[1997/11/13 20:23:00 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
[1994/07/24 20:23:00 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv
[1994/04/06 20:23:00 | 000,000,462 | ---- | C] () -- C:\WINDOWS\lodbf13.ini

========== LOP Check ==========

[2007/08/16 17:22:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/20 08:42:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DeLorme
[2007/12/06 22:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2006/11/29 17:15:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/10/01 19:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2007/12/06 21:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/09/11 01:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/11/29 17:12:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/07/02 19:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\CheckPoint
[2009/12/20 08:42:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\DeLorme
[2010/05/09 14:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\GARMIN
[2010/06/14 16:14:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Lexmark Productivity Studio
[2009/10/31 15:02:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\MSNInstaller
[2007/12/06 21:46:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\PCToolsFirewallPlus
[2006/09/11 01:56:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\SampleView
[2006/11/30 11:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Template
[2006/11/29 17:06:14 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
[2006/11/29 17:06:14 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 2.job
[2006/11/29 17:06:14 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 3.job
========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/03/10 07:28:16 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe
[2009/03/10 07:28:16 | 000,001,039 | ---- | M] () -- C:\aolconnfix.txt
[2006/09/11 01:47:32 | 000,000,002 | ---- | M] () -- C:\AUDIT_INSTALL_IN_PROGRESS
[2006/06/17 05:41:16 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2006/11/29 17:06:14 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2010/10/13 22:47:01 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/10/13 23:18:28 | 000,010,458 | ---- | M] () -- C:\ComboFix.txt
[2006/06/17 05:41:16 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/10/13 22:57:55 | 2137,182,208 | -HS- | M] () -- C:\hiberfil.sys
[2008/02/27 11:51:16 | 000,000,248 | ---- | M] () -- C:\INSTALL.LOG
[2006/06/17 05:41:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/12/06 21:49:54 | 000,000,087 | ---- | M] () -- C:\lxdi.log
[2006/06/17 05:41:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/10 15:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/02/14 12:31:09 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/13 22:57:54 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2006/09/11 01:48:23 | 000,000,090 | ---- | M] () -- C:\powerdvd.log
[2006/09/11 01:56:14 | 000,000,186 | ---- | M] () -- C:\RaidApp.log
[2007/02/27 10:02:05 | 000,458,694 | ---- | M] () -- C:\Topo6MM.log
[2006/09/11 01:49:51 | 000,000,191 | ---- | M] () -- C:\touchpad.log

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/06/17 05:40:30 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2004/02/08 20:00:00 | 000,026,285 | ---- | M] (Brother Industries ,Ltd ) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\brmfpp1.dll
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2003/04/16 10:36:54 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXBFPP5C.DLL
[2007/03/15 23:08:11 | 000,113,664 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdidrpp.dll
[2003/01/16 19:37:14 | 000,011,264 | ---- | M] (BVRP Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxprint2000.dll
[2004/03/22 18:17:08 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2001/11/20 14:37:28 | 000,047,616 | R--- | M] (Black Ice Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\ppbiPr.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/06/16 22:30:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/06/16 22:30:11 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/06/16 22:30:11 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/02/14 12:39:46 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/05/17 08:05:29 | 000,000,170 | -HS- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2006/06/17 05:46:25 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/10/11 22:21:18 | 044,089,904 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\avira_antivir_personal_en.exe
[2010/10/13 22:35:49 | 003,878,092 | R--- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\ComboFix.exe
[2009/12/24 12:31:12 | 002,685,028 | ---- | M] (XYStudio(www.xydownload.com) ) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\easycapture_setup.exe
[2010/10/11 22:23:14 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\mbam-setup-1.46.exe
[2010/10/13 22:34:38 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck(2).exe
[2010/10/13 22:34:24 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\MBRCheck.exe
[2010/10/11 22:24:29 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\mbzz3pgm.exe
[2010/10/13 23:39:26 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\OTL.exe
[2010/10/11 22:21:44 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\TFC.exe
[2010/10/12 22:58:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop\vehc9mzl.exe
 
OTL - part 4

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2006/11/29 17:06:42 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2010/08/29 20:20:02 | 000,024,814 | ---- | M] () -- C:\Documents and Settings\All Users\lxdi
[16 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/10/13 23:24:01 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A0281B86C4\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 23:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >
[2005/12/28 17:21:06 | 000,552,960 | ---- | M] (Intel Corporation) -- C:\WINDOWS\Installer\iProInst.exe

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2004/08/04 11:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2004/08/04 11:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2004/08/04 11:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2004/08/04 11:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2004/08/04 11:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2008/11/09 22:20:35 | 000,009,216 | -HS- | M] () -- C:\Program Files\Messenger\Thumbs.db
[2004/08/04 11:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/08/04 11:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6

< End of report >
 
OTL Extras - start

OTL Extras logfile created on: 10/13/2010 11:43:41 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Owner.YOUR-A0281B86C4\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.20 Gb Total Space | 109.59 Gb Free Space | 77.07% Space Free | Partition Type: NTFS
Drive D: | 6.83 Gb Total Space | 4.64 Gb Free Space | 67.96% Space Free | Partition Type: FAT32
Drive E: | 49.22 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: YOUR-A0281B86C4 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Lexmark 3500-4500 Series\app4r.exe" = C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio -- ()
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AMERIC~1.0 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\WINDOWS\system32\lxdicoms.exe" = C:\WINDOWS\system32\lxdicoms.exe:*:Enabled:Lexmark Communications System -- ( )
"C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" = C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:*:Enabled:Lexmark Device Monitor -- (Lexmark)
"C:\Program Files\Lexmark 3500-4500 Series\App4r.exe" = C:\Program Files\Lexmark 3500-4500 Series\App4r.exe:*:Enabled:Lexmark Imaging Studio -- ()
"C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe:*:Enabled:ABBYY FineReader -- (ABBYY (BIT Software))
"C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe" = C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe:*:Enabled:Fax software -- ()
"C:\Program Files\Lexmark 3500-4500 Series\Wireless\lxdiwpss.exe" = C:\Program Files\Lexmark 3500-4500 Series\Wireless\lxdiwpss.exe:*:Enabled: -- (Lexmark International, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiwbgw.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiwbgw.exe:*:Enabled:Lexmark Web Gateway -- ()
"C:\Program Files\AOL\RC\regclient.exe" = C:\Program Files\AOL\RC\regclient.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\1236780990\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1236780990\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL LLC)
"C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" = C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:*:Enabled:Device Monitor -- ()
"C:\WINDOWS\system32\lxdicfg.exe" = C:\WINDOWS\system32\lxdicfg.exe:*:Enabled:printer Communication System -- ( )
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe:*:Enabled:printer Status Window Interface -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxditime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxditime.exe:*:Enabled:Lexmark Connect Time Executable -- (Lexmark International, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdijswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdijswx.exe:*:Enabled:Job Status Window Interface -- ()
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0BA9CAC3-5131-4E59-B2AB-B765E876AAA2}" = Brother MFL-Pro Suite
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{12B09031-A7E1-43B1-AC8C-A202B676B556}" = RemoteCapture 2.7.3
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{1DF502B6-3FAA-48CB-922F-1E0BFDEE5707}" = Earthmate Image Tagger
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{45DFE7E0-5B85-4E01-986E-6A48420B8FD0}" = DeLorme Topo USA 6.0 PN Merge Modules
"{4677AAF8-8D7A-4EE2-BCE4-0068BB052353}" = ArcSoft Camera Suite
"{536D6172-7453-7569-7465-392E38300409}" = Lotus SmartSuite - English
"{5A188269-989A-4D12-B38B-07850FE52AD2}" = DeLorme Street Atlas USA 2007
"{5B39603F-2A77-40E6-950D-ED7B8307933D}" = Microsoft IntelliPoint 5.3
"{5BF2B19D-9C79-492A-8969-F059F06A627F}" = Print to Fax
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6661C844-F72D-44ED-823A-24862F2D1650}" = Print Artist Craft & Party Maker
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7995DBBB-EDE0-4C1A-99D7-5C36538B486B}" = DeLorme Street Atlas USA 2007 Service Pack 3
"{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = TIPCI
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{97DED0D8-B530-4137-8AD0-F3978F6EFA8E}" = File Viewer Utility 1.3
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A833A505-4D7A-41F5-9362-A2F8DFFE6E9B}" = Camera Window
"{A9273349-F9D0-4454-8054-8657156BBDAC}" = DeLorme Topo USA 6.0 DVD Data
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
"{D17111CB-C992-42A9-9D56-C19395102AAA}" = Garmin WebUpdater
"{D9741853-B432-4F74-8241-DD0125C0692C}" = DeLorme Topo USA 6
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F11A403B-0DE9-4953-B790-7A2F014FBB2B}" = PhotoStitch
"{F3561AD8-BDB2-467F-BB03-69B3890BEC36}" = DeLorme Street Atlas USA 2010 Plus
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Regclient" = AOL Registration
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BigFix" = BigFix
"Family Tree Maker" = Family Tree Maker 7.0
"gtw_logo" = gtw_logo
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{12B09031-A7E1-43B1-AC8C-A202B676B556}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{97DED0D8-B530-4137-8AD0-F3978F6EFA8E}" = Canon Utilities File Viewer Utility 1.3
"InstallShield_{A833A505-4D7A-41F5-9362-A2F8DFFE6E9B}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{F11A403B-0DE9-4953-B790-7A2F014FBB2B}" = Canon Utilities PhotoStitch 3.1
"Lexmark 3500-4500 Series" = Lexmark 3500-4500 Series
"Lexmark Fax Solutions" = Lexmark Fax Solutions
"Lexmark X6100 Series" = Lexmark X6100 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoRecord" = Canon PhotoRecord
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"ProInst" = Intel(R) PROSet/Wireless Software
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"SMSERIAL" = Motorola SM56 Data Fax Modem
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm" = ZoneAlarm
"ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker
 
otl-extras-part2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/13/2010 2:53:44 AM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/13/2010 3:01:06 AM | Computer Name = YOUR-A0281B86C4 | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 10/13/2010 3:03:26 AM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/13/2010 10:12:16 AM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/13/2010 10:14:05 AM | Computer Name = YOUR-A0281B86C4 | Source = Google Update | ID = 20
Description =

Error - 10/13/2010 10:19:37 AM | Computer Name = YOUR-A0281B86C4 | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 10/13/2010 12:03:36 PM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/13/2010 12:12:00 PM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 10/13/2010 10:13:23 PM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 10/13/2010 10:58:25 PM | Computer Name = YOUR-A0281B86C4 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

[ System Events ]
Error - 10/13/2010 12:03:39 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7000
Description = The lxdiCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 10/13/2010 12:12:01 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdiCATSCustConnectService
service to connect.

Error - 10/13/2010 12:12:01 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7000
Description = The lxdiCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 10/13/2010 10:13:18 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdiCATSCustConnectService
service to connect.

Error - 10/13/2010 10:13:18 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7000
Description = The lxdiCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 10/13/2010 10:58:20 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 10/13/2010 10:58:20 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdiCATSCustConnectService
service to connect.

Error - 10/13/2010 10:58:20 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7000
Description = The lxdiCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 10/13/2010 10:59:34 PM | Computer Name = YOUR-A0281B86C4 | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 e47c0000, parameter2 0000001c, parameter3
00000001, parameter4 9982d41d.

Error - 10/13/2010 11:08:17 PM | Computer Name = YOUR-A0281B86C4 | Source = Service Control Manager | ID = 7016
Description = The BrSplService service has reported an invalid current state 0.


< End of report >
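The Security Center, firewall and event-log sections of the OTL Extras log above are the parts a malware-removal helper reads first: a Monitoring key with DisableMonitoring = 1 means Security Center stays silent about that product, GloballyOpenPorts and AuthorizedApplications show what the Windows Firewall lets through (including stale rules whose binary is "File not found"), and repeated crypt32 131080 errors mean the automatic trusted-root list download keeps failing. The script below is an added example, not part of OTL or of this thread: it parses those sections from a constructed excerpt modelled on the log above (computer name replaced by the placeholder EXAMPLE-PC) and returns the items worth a second look.

```python
"""Triage of an OTL Extras log: Security Center, firewall and event-log sections."""
import re
from collections import Counter

# Constructed excerpt modelled on the OTL Extras report in this thread (not the real log).
SAMPLE_LOG = r"""
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AMERIC~1.0 -- File not found
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)

========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 10/13/2010 2:53:44 AM | Computer Name = EXAMPLE-PC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
Error - 10/13/2010 3:03:26 AM | Computer Name = EXAMPLE-PC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
[ System Events ]
Error - 10/13/2010 12:03:39 PM | Computer Name = EXAMPLE-PC | Source = Service Control Manager | ID = 7000
Description = The lxdiCATSCustConnectService service failed to start
"""

SECTION_RE = re.compile(r"^={5,}\s*(.+?)\s*={5,}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
EVENT_RE = re.compile(r"^Error - .+? \| Computer Name = .+? \| Source = (.+?) \| ID = (\d+)$")


def parse_sections(text):
    """Map each '========== name ==========' section to a list of
    (registry_key, value_name, value) tuples; event-log lines become
    (None, 'event', (source, event_id)). Other lines are ignored."""
    sections, current, regkey = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current, regkey = m.group(1), None
            sections[current] = []
        elif current is None:
            continue
        elif m := KEY_RE.match(line):
            regkey = m.group(1)
        elif m := VALUE_RE.match(line):
            sections[current].append((regkey, m.group(1), m.group(2)))
        elif m := EVENT_RE.match(line):
            sections[current].append((None, "event", (m.group(1), int(m.group(2)))))
    return sections


def triage(text):
    """Return the items a helper would look at first in an OTL Extras log."""
    s = parse_sections(text)
    report = {"monitoring_disabled": [], "overrides": [], "firewall_off": [],
              "open_ports": [], "stale_exceptions": [], "repeated_events": {},
              "root_update_failing": False}
    for regkey, name, value in s.get("Security Center Settings", []):
        # DisableMonitoring = 1: Security Center no longer reports on that product,
        # so a stopped or tampered firewall/AV raises no alert.
        if name == "DisableMonitoring" and value == "1":
            report["monitoring_disabled"].append(regkey.rsplit("\\", 1)[-1])
        if name in ("AntiVirusOverride", "FirewallOverride") and value == "1":
            report["overrides"].append(name)
    for regkey, name, value in s.get("Firewall Settings", []):
        if name == "EnableFirewall" and value == "0":
            report["firewall_off"].append(regkey.rsplit("\\", 1)[-1])
        if regkey and regkey.endswith("GloballyOpenPorts\\List"):
            port, proto, scope, state = value.split(":")[:4]   # port:proto:scope:state:...
            if state == "Enabled":
                report["open_ports"].append(f"{port}/{proto} ({scope})")
    for _, name, value in s.get("Authorized Applications List", []):
        # An exception whose binary is gone is a leftover rule; remove it.
        if value.endswith("File not found"):
            report["stale_exceptions"].append(name)
    counts = Counter(v for _, n, v in s.get("Last 10 Event Log Errors", []) if n == "event")
    report["repeated_events"] = {f"{src}/{eid}": c for (src, eid), c in counts.items() if c >= 2}
    # crypt32 131080: the trusted-root list download failed (often DNS/connectivity);
    # until it succeeds the machine keeps its old root list.
    report["root_update_failing"] = ("crypt32", 131080) in counts
    return report


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

On the log above this flags ZoneLabsFirewall as unmonitored (which the helper's OTL script later corrects by deleting DisableMonitoring), UDP 1900 open to the local subnet, the stale waol.exe exception, and the repeated crypt32 131080 failures, which on this machine line up with the "server name could not be resolved" errors, i.e. a connectivity problem rather than tampering.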
 
Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O4 - HKCU..\Run: [Power2GoExpress] File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...nt/swflash.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
    [16 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
    [2006/09/11 01:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2006/11/29 17:06:14 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
    [2006/11/29 17:06:14 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 2.job
    [2006/11/29 17:06:14 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 3.job 
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
After updating JAVA and running JAVARA I had an alert but did not yet install the new update.
Also had alerts for ie8, but do not use ie and we were in process here...

Logs below...


Security Check
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ZoneAlarm
ZoneAlarm Spy Blocker
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 9.4.0
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Zone Labs ZoneAlarm zlclient.exe
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````




ESETScan
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application
Operating memory a variant of Win32/Toolbar.MyWebSearch application
 
Java is currently at Update 22, so please download and install the newest version.

=========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll 
    C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL 
    C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

Could you help me understand what you have helped me to repair, what my infection(s) was(were), and the implications?
Specifically, does what you found on my system relate to my odd email experience?
If not, then what may account for it?
If so, then what other vulnerabilities exist?
I will complete these steps and get back to you.
Thank you very much for your help.

Getting ready to run OTL cleanup. Here are the logs to this point...

---fix---
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll moved successfully.
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL moved successfully.
C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

User: Owner.YOUR-A0281B86C4
->Temp folder emptied: 7226203 bytes
->Temporary Internet Files folder emptied: 17737393 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 30848689 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: OWNER~1~YOU

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 920 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 53.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.YOUR-A0281B86C4
->Flash cache emptied: 0 bytes

User: OWNER~1~YOU

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.15.2 log created on 10142010_201359

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Temp\~DF57C9.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT07537.TMP not found!

Registry entries deleted on Reboot...



---reset system restore---

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

User: Owner.YOUR-A0281B86C4
->Temp folder emptied: 312462 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3944812 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: OWNER~1~YOU

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 920 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Owner

User: Owner.YOUR-A0281B86C4
->Flash cache emptied: 0 bytes

User: OWNER~1~YOU

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.15.2 log created on 10142010_202012

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner.YOUR-A0281B86C4\Local Settings\Temp\~DFD1A8.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT0372c.TMP not found!

Registry entries deleted on Reboot...
 
Ran OTL Cleanup and deleted logs.
Ran MS Updates for software (Win and Office)
Uncertain about "Trojan" question. Please see my questions above.
Installed
  • WOT
  • McAfee Site Advisor (recommended by B00kwyrm as an additional)
  • Dr. Web Link Checker (recommended by B00kwyrm as an additional)
Have tools for weekly use.
Will read Bleeping's article.

The only symptom I had noticed that caused concern was that disconcerting email.
If it is not malware related, I have yet to figure out how someone obtained these files.

If I notice anything else, may I reopen this thread? Or should I start another?
B00kwyrm has helped me to run your tools and follow your directions.
If he hadn't been here, I wouldn't have been able to figure out where to start. (I have a love/hate relationship with my computer).
But he is leaving in a couple days and so I will be on my own again.

Again, I appreciate your help, and if you could address my questions, from the previous note, it would ease my mind and help me understand what further steps I should take.
 
You're very welcome :)

Your computer was NOT infected.
We simply ran some maintenance on it, cleaned some garbage, updated it.
So, from my point of view, your computer is clean as a whistle.

If you still have some other problems, you may want to start a new topic in the appropriate forum.

Good luck and stay safe.
 