Google redirect and Windows Security Viruses

Solved
By kspot
Jan 7, 2012
  1. Hey guys, I have been having virus issues since mid December and have not been able to solve them on my own. I have a google redirect and Windows Security Virus and who knows what else. Attached below are the logs that are requested. Any help that you can provide is appreciated.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.07.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    John :: JOHN-BC19467D9A [administrator]

    1/7/2012 2:02:13 PM
    mbam-log-2012-01-07 (14-02-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 235639
    Time elapsed: 28 minute(s), 55 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 3
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    I:\Documents and Settings\Pam\Local Settings\Application Data\ncn.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

    (end)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-07 14:46:02
    Windows 5.1.2600 Service Pack 3
    Running: bml80zym.exe; Driver: I:\DOCUME~1\John\LOCALS~1\Temp\kgdyipow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs KmxFile.sys (HIPS File Guard driver/CA)
    AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs kmxagent.sys (HIPS Agent Driver/CA)
    AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

    Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)

    ---- EOF - GMER 1.0.15 ----



    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by John at 15:07:49 on 2012-01-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.472 [GMT -6:00]
    .
    AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    FW: CA Personal Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    I:\WINDOWS\system32\Ati2evxx.exe
    I:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    I:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    I:\WINDOWS\system32\spoolsv.exe
    I:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    I:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    I:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    I:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    svchost.exe
    I:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    I:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
    I:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    I:\Program Files\Bonjour\mDNSResponder.exe
    I:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    I:\WINDOWS\eHome\ehRecvr.exe
    I:\WINDOWS\eHome\ehSched.exe
    I:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
    I:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    I:\Program Files\Java\jre6\bin\jqs.exe
    I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    svchost.exe
    I:\WINDOWS\system32\svchost.exe -k imgsvc
    I:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    I:\WINDOWS\Explorer.EXE
    I:\WINDOWS\system32\dllhost.exe
    I:\WINDOWS\system32\wscntfy.exe
    I:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    I:\WINDOWS\ehome\ehtray.exe
    I:\WINDOWS\stsystra.exe
    I:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
    I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    I:\WINDOWS\eHome\ehmsas.exe
    I:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    I:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    I:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    I:\Program Files\iTunes\iTunesHelper.exe
    I:\Program Files\Epson Software\Event Manager\EEventManager.exe
    I:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe
    I:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
    I:\Program Files\Messenger\msmsgs.exe
    I:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    I:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    I:\WINDOWS\system32\ctfmon.exe
    I:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    I:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    I:\Program Files\iPod\bin\iPodService.exe
    I:\WINDOWS\system32\rundll32.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://soccernet.espn.go.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - i:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - i:\program files\java\jre6\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - i:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - i:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - i:\program files\canon\easy-webprint\Toolband.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - i:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    uRun: [MSMSGS] "i:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "i:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
    uRun: [Artisan 837(Network)] i:\windows\system32\spool\drivers\w32x86\3\e_fatihoa.exe /fu "i:\docume~1\john\locals~1\temp\E_S1A.tmp" /EF "HKCU"
    mRun: [ehTray] i:\windows\ehome\ehtray.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ATIPTA] "i:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [OpwareSE2] "i:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
    mRun: [EPSON Stylus Photo R800] i:\windows\system32\spool\drivers\w32x86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
    mRun: [Adobe Photo Downloader] "i:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
    mRun: [cctray] "i:\program files\ca\ca internet security suite\cctray\cctray.exe"
    mRun: [CAVRID] "i:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
    mRun: [cafwc] i:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
    mRun: [capfasem] i:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
    mRun: [<NO NAME>]
    mRun: [capfupgrade] i:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
    mRun: [iTunesHelper] "i:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "i:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "i:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "i:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "i:\program files\java\jre6\bin\jusched.exe"
    mRun: [EEventManager] "i:\program files\epson software\event manager\EEventManager.exe"
    mRun: [FUFAXRCV] "i:\program files\epson software\fax utility\FUFAXRCV.exe"
    mRun: [FUFAXSTM] "i:\program files\epson software\fax utility\FUFAXSTM.exe"
    dRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
    StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - i:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    IE: Convert link target to Adobe PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - i:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - i:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - i:\program files\java\jre6\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - i:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: i:\windows\system32\VetRedir.dll
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - i:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
    DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/44.10/uploader2.cab
    DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxps://www.myfamily.com/Controls/Upload/ImageUploader5.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: PFW - UmxWnp.Dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
    STS: {5defdc92-484f-4a0a-8f98-86f2f2b4542c} - No File
    LSA: Notification Packages = scecli lovojefu.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - i:\documents and settings\john\application data\mozilla\firefox\profiles\h69h0tno.default\
    FF - plugin: i:\documents and settings\pam\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: i:\documents and settings\pam\application data\move networks\plugins\npqmp071705000014.dll
    FF - plugin: i:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: i:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: i:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: i:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: i:\program files\mozilla firefox\plugins\NPcol500.dll
    FF - plugin: i:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: i:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: i:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: i:\program files\mozilla firefox\plugins\npyaxmpb.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 KmxStart;KmxStart;i:\windows\system32\drivers\KmxStart.sys [2008-6-24 93712]
    R1 KmxAgent;KmxAgent;i:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]
    R1 KmxFile;KmxFile;i:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
    R1 KmxFw;KmxFw;i:\windows\system32\drivers\KmxFw.sys [2008-6-24 115216]
    R1 VET-FILT;VET File System Filter;i:\windows\system32\drivers\vet-filt.sys [2010-3-28 26352]
    R1 VET-REC;VET File System Recognizer;i:\windows\system32\drivers\vet-rec.sys [2010-3-28 21104]
    R1 VETEFILE;VET File Scan Engine;i:\windows\system32\drivers\vetefile.sys [2010-6-3 746216]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;i:\windows\system32\drivers\vetfddnt.sys [2010-3-28 21488]
    R1 VETMONNT;VET File Monitor;i:\windows\system32\drivers\vetmonnt.sys [2010-3-28 32240]
    R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;i:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
    R2 CAISafe;CAISafe;i:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2010-3-28 144960]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;i:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-3-17 513408]
    R2 KmxCF;KmxCF;i:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]
    R2 KmxSbx;KmxSbx;i:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
    R2 McrdSvc;Media Center Extender Service;i:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 UmxAgent;HIPS Event Manager;i:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;i:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
    R2 UmxPol;HIPS Policy Manager;i:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-6-24 281104]
    R2 VETMSGNT;VET Message Service;i:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2010-3-28 238928]
    R3 KmxCfg;KmxCfg;i:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]
    R3 PPCtlPriv;PPCtlPriv;i:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-16 189704]
    R3 VETEBOOT;VET Boot Scan Engine;i:\windows\system32\drivers\veteboot.sys [2010-6-3 130280]
    S2 gupdate;Google Update Service (gupdate);i:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
    S2 mrtRate;mrtRate; [x]
    S3 gupdatem;Google Update Service (gupdatem);i:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
    .
    =============== Created Last 30 ================
    .
    2011-12-30 03:43:25 626688 ----a-w- i:\program files\mozilla firefox\msvcr80.dll
    2011-12-30 03:43:25 548864 ----a-w- i:\program files\mozilla firefox\msvcp80.dll
    2011-12-30 03:43:25 479232 ----a-w- i:\program files\mozilla firefox\msvcm80.dll
    2011-12-30 03:43:25 43992 ----a-w- i:\program files\mozilla firefox\mozutils.dll
    .
    ==================== Find3M ====================
    .
    2011-12-15 02:39:37 414368 ----a-w- i:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-10 21:24:06 20464 ----a-w- i:\windows\system32\drivers\mbam.sys
    2011-11-23 13:25:32 1859584 ----a-w- i:\windows\system32\win32k.sys
    2011-11-04 19:20:51 916992 ----a-w- i:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ----a-w- i:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ----a-w- i:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ----a-w- i:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- i:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- i:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- i:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- i:\windows\system32\ntkrnlpa.exe
    2011-10-14 23:38:00 456192 ----a-w- i:\windows\system32\encdec.dll
    2011-10-10 14:22:41 692736 ----a-w- i:\windows\system32\inetcomm.dll
    .
    ============= FINISH: 15:08:20.34 ===============



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/8/2006 4:47:09 PM
    System Uptime: 1/7/2012 2:33:28 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0KF623
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
    .
    ==== Disk Partitions =========================
    .
    D: is CDROM ()
    H: is CDROM ()
    I: is FIXED (NTFS) - 149 GiB total, 71.201 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: TI Technologies Inc.
    Description: RADEON X300 SE 128MB HyperMemory Secondary
    Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
    Manufacturer: ATI Technologies Inc.
    Name: RADEON X300 SE 128MB HyperMemory Secondary
    PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
    Service: ati2mtag
    .
    ==== System Restore Points ===================
    .
    RP1883: 10/10/2011 2:34:50 PM - System Checkpoint
    RP1884: 10/11/2011 2:43:33 PM - System Checkpoint
    RP1885: 10/12/2011 2:52:05 PM - System Checkpoint
    RP1886: 10/13/2011 4:41:16 PM - System Checkpoint
    RP1887: 10/14/2011 3:00:19 AM - Software Distribution Service 3.0
    RP1888: 10/15/2011 3:17:56 AM - System Checkpoint
    RP1889: 10/16/2011 3:47:56 AM - System Checkpoint
    RP1890: 10/17/2011 4:36:28 AM - System Checkpoint
    RP1891: 10/18/2011 4:59:48 AM - System Checkpoint
    RP1892: 10/19/2011 5:47:45 AM - System Checkpoint
    RP1893: 10/20/2011 5:49:43 AM - System Checkpoint
    RP1894: 10/21/2011 6:11:41 AM - System Checkpoint
    RP1895: 10/22/2011 6:26:08 AM - System Checkpoint
    RP1896: 10/23/2011 6:38:13 AM - System Checkpoint
    RP1897: 10/24/2011 7:03:16 AM - System Checkpoint
    RP1898: 10/25/2011 7:32:30 AM - System Checkpoint
    RP1899: 10/26/2011 8:24:39 AM - System Checkpoint
    RP1900: 10/27/2011 9:32:39 AM - System Checkpoint
    RP1901: 10/28/2011 10:22:11 AM - System Checkpoint
    RP1902: 10/29/2011 11:44:03 AM - System Checkpoint
    RP1903: 10/30/2011 11:51:31 AM - System Checkpoint
    RP1904: 10/31/2011 1:19:48 PM - System Checkpoint
    RP1905: 11/1/2011 2:05:05 PM - System Checkpoint
    RP1906: 11/2/2011 2:19:17 PM - System Checkpoint
    RP1907: 11/3/2011 5:20:51 PM - System Checkpoint
    RP1908: 11/5/2011 12:13:30 AM - System Checkpoint
    RP1909: 11/6/2011 12:33:20 AM - System Checkpoint
    RP1910: 11/7/2011 1:33:15 AM - System Checkpoint
    RP1911: 11/8/2011 1:55:20 AM - System Checkpoint
    RP1912: 11/9/2011 2:45:25 AM - System Checkpoint
    RP1913: 11/9/2011 3:00:19 AM - Software Distribution Service 3.0
    RP1914: 11/10/2011 3:20:22 AM - System Checkpoint
    RP1915: 11/10/2011 9:57:10 PM - Software Distribution Service 3.0
    RP1916: 11/12/2011 12:28:53 AM - System Checkpoint
    RP1917: 11/13/2011 12:37:00 AM - System Checkpoint
    RP1918: 11/14/2011 12:54:47 AM - System Checkpoint
    RP1919: 11/15/2011 1:20:19 AM - System Checkpoint
    RP1920: 11/16/2011 2:06:42 AM - System Checkpoint
    RP1921: 11/17/2011 2:18:13 AM - System Checkpoint
    RP1922: 11/18/2011 2:54:09 AM - System Checkpoint
    RP1923: 11/19/2011 3:33:11 AM - System Checkpoint
    RP1924: 11/20/2011 3:54:08 AM - System Checkpoint
    RP1925: 11/21/2011 5:07:27 AM - System Checkpoint
    RP1926: 11/22/2011 11:37:27 AM - System Checkpoint
    RP1927: 11/23/2011 2:40:26 PM - System Checkpoint
    RP1928: 11/24/2011 6:31:50 PM - System Checkpoint
    RP1929: 11/25/2011 6:35:47 PM - System Checkpoint
    RP1930: 11/26/2011 9:23:29 PM - System Checkpoint
    RP1931: 11/27/2011 10:27:53 PM - System Checkpoint
    RP1932: 11/28/2011 10:51:37 PM - System Checkpoint
    RP1933: 11/29/2011 11:35:17 PM - System Checkpoint
    RP1934: 11/30/2011 11:46:59 PM - System Checkpoint
    RP1935: 12/2/2011 6:41:26 AM - System Checkpoint
    RP1936: 12/3/2011 7:18:39 AM - System Checkpoint
    RP1937: 12/4/2011 8:06:34 AM - System Checkpoint
    RP1938: 12/5/2011 10:07:26 AM - System Checkpoint
    RP1939: 12/6/2011 11:22:35 AM - System Checkpoint
    RP1940: 12/7/2011 12:06:57 PM - System Checkpoint
    RP1941: 12/8/2011 1:16:55 PM - System Checkpoint
    RP1942: 12/9/2011 2:03:25 PM - System Checkpoint
    RP1943: 12/10/2011 2:43:41 PM - System Checkpoint
    RP1944: 12/11/2011 4:37:51 PM - System Checkpoint
    RP1945: 12/13/2011 12:21:03 AM - System Checkpoint
    RP1946: 12/14/2011 1:44:31 AM - System Checkpoint
    RP1947: 12/15/2011 2:44:31 AM - System Checkpoint
    RP1948: 12/15/2011 3:00:20 AM - Software Distribution Service 3.0
    RP1949: 12/16/2011 10:58:00 PM - System Checkpoint
    RP1950: 12/17/2011 11:50:38 PM - System Checkpoint
    RP1951: 12/19/2011 12:56:03 AM - System Checkpoint
    RP1952: 12/20/2011 1:55:32 AM - System Checkpoint
    RP1953: 12/21/2011 2:30:03 AM - System Checkpoint
    RP1954: 12/22/2011 3:21:02 AM - System Checkpoint
    RP1955: 12/23/2011 4:56:02 AM - System Checkpoint
    RP1956: 12/24/2011 6:19:03 AM - System Checkpoint
    RP1957: 12/25/2011 7:06:29 AM - System Checkpoint
    RP1958: 12/26/2011 8:39:34 AM - System Checkpoint
    RP1959: 12/27/2011 9:28:01 AM - System Checkpoint
    RP1960: 12/28/2011 9:57:08 AM - System Checkpoint
    RP1961: 12/29/2011 10:47:36 AM - System Checkpoint
    RP1962: 12/30/2011 11:57:30 AM - System Checkpoint
    RP1963: 12/31/2011 1:13:45 PM - System Checkpoint
    RP1964: 1/2/2012 8:27:17 AM - System Checkpoint
    RP1965: 1/3/2012 4:24:48 PM - System Checkpoint
    RP1966: 1/4/2012 5:24:08 PM - System Checkpoint
    RP1967: 1/6/2012 2:11:22 AM - System Checkpoint
    RP1968: 1/7/2012 2:45:00 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    ABBYY FineReader 9.0 Sprint
    Across Lite 2.0
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Photoshop Elements 2.0
    Adobe Reader 9.4.7
    Adobe Shockwave Player 11.5
    Adobe® Photoshop® Album Starter Edition 3.0
    Amazon MP3 Downloader 1.0.10
    AnswerWorks 4.0 Runtime - English
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    ATI Parental Control
    Bonjour
    CA Anti-Spam
    CA Anti-Spyware
    CA Anti-Virus
    CA Internet Security Suite
    CA Personal Firewall
    Canon Utilities Easy-PhotoPrint
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Coupon Printer for Windows
    Critical Update for Windows Media Player 11 (KB959772)
    DeductionPro 2008
    DeductionPro 2009
    Dell Resource CD
    Easy-WebPrint
    EPSON Artisan 837 Series Printer Uninstall
    Epson Connect
    Epson Customer Participation
    Epson Download Navigator
    Epson Event Manager
    Epson FAX Utility
    Epson PC-FAX Driver
    Epson Print CD
    EPSON Printer Software
    EPSON Scan
    EpsonNet Print
    Garmin USB Drivers
    Garmin WebUpdater
    GemMaster Mystic
    Google Toolbar for Internet Explorer
    Google Update Helper
    H&R Block Deluxe + Efile + State 2009
    H&R Block Deluxe + Efile + State 2010
    H&R Block Kansas 2009
    H&R Block Kansas 2010
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) PRO Network Connections Drivers
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Streets and Trips 2005
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Modem Helper
    MotionBased Agent
    Mozilla Firefox 9.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Media Center Extensions
    NVIDIA PureVideo Decoder
    OmniPage SE 2.0
    OpenOffice.org Installer 1.0
    PENTAX Digital Camera Utility
    Quicken 2007
    QuickTime
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    Sonic Encoders
    System Requirements Lab
    TaxCut Kansas 2008
    TaxCut Premium + State + Efile 2008
    TurboTax Deluxe 2007
    TurboTax Deluxe Deduction Maximizer 2006
    TurboTax ItsDeductible 2006
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    WebFldrs XP
    WexTech AnswerWorks
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB2502898
    Windows XP Media Center Edition 2005 KB2619340
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    Yahoo! Install Manager
    Zoo Tycoon 2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/7/2012 2:35:14 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    I removed CA antivirus, the logs from Avast and Combofix are below:

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-08 10:06:37
    -----------------------------
    10:06:37.177 OS Version: Windows 5.1.2600 Service Pack 3
    10:06:37.177 Number of processors: 2 586 0x403
    10:06:37.177 ComputerName: JOHN-BC19467D9A UserName: John
    10:06:38.146 Initialize success
    10:09:18.318 AVAST engine download error: 0
    10:09:48.599 Service scanning
    10:09:53.239 Modules scanning
    10:09:59.943 Disk 0 trace - called modules:
    10:09:59.974 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    10:09:59.974 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f97ab8]
    10:09:59.974 3 CLASSPNP.SYS[f76a2fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x86f63b00]
    10:09:59.974 Scan finished successfully
    10:10:43.021 The log file has been saved successfully to "I:\Documents and Settings\John\Desktop\aswMBR.txt"





    ComboFix 12-01-07.03 - John 01/08/2012 11:19:21.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -6:00]
    Running from: i:\documents and settings\John\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    I:\Autorun.inf
    i:\documents and settings\All Users\Application Data\c16pm6u81m
    i:\documents and settings\All Users\Application Data\koMwzVHVNIGd4P
    i:\documents and settings\All Users\Application Data\TEMP
    i:\documents and settings\John\Application Data\AdobeDLM.log
    i:\documents and settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome.manifest
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome\xulcache.jar
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\defaults\preferences\xulcache.js
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\install.rdf
    i:\documents and settings\John\Start Menu\Programs\System Fix
    i:\documents and settings\John\Start Menu\Programs\System Fix\System Fix.lnk
    i:\documents and settings\John\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
    I:\readme.txt
    I:\setup.exe
    i:\windows\dasetup.log
    i:\windows\Downloaded Program Files\popcaploader.inf
    i:\windows\kb913800.exe
    i:\windows\Tasks\cfwqpozf.job
    .
    i:\windows\system32\drivers\i8042prt.sys was missing
    Restored copy from - i:\windows\ServicePackFiles\i386\i8042prt.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-30 03:43 . 2011-12-30 03:43 626688 ----a-w- i:\program files\Mozilla Firefox\msvcr80.dll
    2011-12-30 03:43 . 2011-12-30 03:43 548864 ----a-w- i:\program files\Mozilla Firefox\msvcp80.dll
    2011-12-30 03:43 . 2011-12-30 03:43 479232 ----a-w- i:\program files\Mozilla Firefox\msvcm80.dll
    2011-12-30 03:43 . 2011-12-30 03:43 43992 ----a-w- i:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-15 02:39 . 2011-05-14 13:06 414368 ----a-w- i:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-10 21:24 . 2010-01-31 14:26 20464 ----a-w- i:\windows\system32\drivers\mbam.sys
    2011-11-23 13:25 . 2004-08-10 11:00 1859584 ----a-w- i:\windows\system32\win32k.sys
    2011-11-04 19:20 . 2004-08-10 11:00 916992 ----a-w- i:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 11:00 43520 ----a-w- i:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 11:00 1469440 ----a-w- i:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 11:00 385024 ----a-w- i:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-10 11:00 1288704 ----a-w- i:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 11:00 33280 ----a-w- i:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2004-08-10 11:00 2148864 ----a-w- i:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- i:\windows\system32\ntkrnlpa.exe
    2011-10-14 23:38 . 2004-08-10 11:00 456192 ----a-w- i:\windows\system32\encdec.dll
    2011-12-30 03:43 . 2011-05-02 02:13 121816 ----a-w- i:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . i:\windows\ServicePackFiles\i386\userinit.exe
    [-] 2004-08-10 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . i:\windows\$NtServicePackUninstall$\userinit.exe
    [-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . i:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="i:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]
    "ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="i:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "ATIPTA"="i:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
    "OpwareSE2"="i:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
    "EPSON Stylus Photo R800"="i:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE" [2003-08-07 99840]
    "Adobe Photo Downloader"="i:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="i:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "EEventManager"="i:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "FUFAXRCV"="i:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
    "FUFAXSTM"="i:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    i:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - i:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-8-12 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-07 05:46 57344 ----a-w- i:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- i:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-07-20 03:25 68856 ----a-w- i:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "i:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "i:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
    "i:\\WINDOWS\\ehome\\ehtray.exe"=
    "i:\\WINDOWS\\system32\\WgaTray.exe"=
    "i:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
    "i:\\Program Files\\iTunes\\iTunes.exe"=
    "i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    .
    R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;i:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [5/14/2009 4:07 PM 759048]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;i:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [3/17/2011 5:03 PM 513408]
    S2 gupdate;Google Update Service (gupdate);i:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 6:22 PM 135664]
    S2 mrtRate;mrtRate; [x]
    S3 gupdatem;Google Update Service (gupdatem);i:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 6:22 PM 135664]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *NewlyCreated* - WUAUSERV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-08 i:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - i:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:22]
    .
    2012-01-08 i:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - i:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://soccernet.espn.go.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Convert link target to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
    FF - ProfilePath - i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - i:\program files\Java\jre6\bin\jusched.exe
    SharedTaskScheduler-{5defdc92-484f-4a0a-8f98-86f2f2b4542c} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-08 11:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2000)
    i:\windows\system32\WININET.dll
    i:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
    i:\windows\system32\ieframe.dll
    i:\windows\system32\webcheck.dll
    i:\windows\system32\WPDShServiceObj.dll
    i:\windows\system32\PortableDeviceTypes.dll
    i:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    i:\windows\system32\Ati2evxx.exe
    i:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
    i:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    i:\program files\Bonjour\mDNSResponder.exe
    i:\windows\eHome\ehRecvr.exe
    i:\windows\eHome\ehSched.exe
    i:\program files\Java\jre6\bin\jqs.exe
    i:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    i:\windows\ehome\mcrdsvc.exe
    i:\windows\system32\dllhost.exe
    i:\windows\stsystra.exe
    i:\windows\eHome\ehmsas.exe
    i:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-08 11:33:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-08 17:33
    .
    Pre-Run: 76,414,406,656 bytes free
    Post-Run: 76,457,160,704 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 39BDFC28CDDB268E4C04328120DF21B8


    Thanks for your continued help
  4. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Please re-run aswMBR one more time.

    Also...

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  5. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    The ASW virus definintions took much longer to load this time. The results are:

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-08 10:06:37
    -----------------------------
    10:06:37.177 OS Version: Windows 5.1.2600 Service Pack 3
    10:06:37.177 Number of processors: 2 586 0x403
    10:06:37.177 ComputerName: JOHN-BC19467D9A UserName: John
    10:06:38.146 Initialize success
    10:09:18.318 AVAST engine download error: 0
    10:09:48.599 Service scanning
    10:09:53.239 Modules scanning
    10:09:59.943 Disk 0 trace - called modules:
    10:09:59.974 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    10:09:59.974 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f97ab8]
    10:09:59.974 3 CLASSPNP.SYS[f76a2fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x86f63b00]
    10:09:59.974 Scan finished successfully
    10:10:43.021 The log file has been saved successfully to "I:\Documents and Settings\John\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-08 12:08:26
    -----------------------------
    12:08:26.171 OS Version: Windows 5.1.2600 Service Pack 3
    12:08:26.171 Number of processors: 2 586 0x403
    12:08:26.171 ComputerName: JOHN-BC19467D9A UserName: John
    12:08:26.531 Initialize success
    12:18:28.328 AVAST engine defs: 12010800
    12:18:36.265 Service scanning
    12:18:37.312 Modules scanning
    12:18:41.671 Disk 0 trace - called modules:
    12:18:41.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    12:18:41.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f71ab8]
    12:18:41.703 3 CLASSPNP.SYS[f7697fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x86f72d98]
    12:18:42.437 AVAST engine scan I:\WINDOWS
    12:19:05.187 File: I:\WINDOWS\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
    12:19:07.781 AVAST engine scan I:\WINDOWS\system32
    12:20:38.062 AVAST engine scan I:\WINDOWS\system32\drivers
    12:20:52.171 AVAST engine scan I:\Documents and Settings\John
    12:24:49.750 AVAST engine scan I:\Documents and Settings\All Users
    12:26:41.796 Scan finished successfully
    12:27:24.781 The log file has been saved successfully to "I:\Documents and Settings\John\Desktop\aswMBR.txt"


    The Bootkit cleaner shows different information in the dialog box, but this is what control C and Control V produce:

    ComboFix 12-01-07.03 - John 01/08/2012 11:19:21.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -6:00]
    Running from: i:\documents and settings\John\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    I:\Autorun.inf
    i:\documents and settings\All Users\Application Data\c16pm6u81m
    i:\documents and settings\All Users\Application Data\koMwzVHVNIGd4P
    i:\documents and settings\All Users\Application Data\TEMP
    i:\documents and settings\John\Application Data\AdobeDLM.log
    i:\documents and settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome.manifest
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome\xulcache.jar
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\defaults\preferences\xulcache.js
    i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\install.rdf
    i:\documents and settings\John\Start Menu\Programs\System Fix
    i:\documents and settings\John\Start Menu\Programs\System Fix\System Fix.lnk
    i:\documents and settings\John\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
    I:\readme.txt
    I:\setup.exe
    i:\windows\dasetup.log
    i:\windows\Downloaded Program Files\popcaploader.inf
    i:\windows\kb913800.exe
    i:\windows\Tasks\cfwqpozf.job
    .
    i:\windows\system32\drivers\i8042prt.sys was missing
    Restored copy from - i:\windows\ServicePackFiles\i386\i8042prt.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-30 03:43 . 2011-12-30 03:43 626688 ----a-w- i:\program files\Mozilla Firefox\msvcr80.dll
    2011-12-30 03:43 . 2011-12-30 03:43 548864 ----a-w- i:\program files\Mozilla Firefox\msvcp80.dll
    2011-12-30 03:43 . 2011-12-30 03:43 479232 ----a-w- i:\program files\Mozilla Firefox\msvcm80.dll
    2011-12-30 03:43 . 2011-12-30 03:43 43992 ----a-w- i:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-15 02:39 . 2011-05-14 13:06 414368 ----a-w- i:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-10 21:24 . 2010-01-31 14:26 20464 ----a-w- i:\windows\system32\drivers\mbam.sys
    2011-11-23 13:25 . 2004-08-10 11:00 1859584 ----a-w- i:\windows\system32\win32k.sys
    2011-11-04 19:20 . 2004-08-10 11:00 916992 ----a-w- i:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-10 11:00 43520 ----a-w- i:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-10 11:00 1469440 ----a-w- i:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-10 11:00 385024 ----a-w- i:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-10 11:00 1288704 ----a-w- i:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-10 11:00 33280 ----a-w- i:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2004-08-10 11:00 2148864 ----a-w- i:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- i:\windows\system32\ntkrnlpa.exe
    2011-10-14 23:38 . 2004-08-10 11:00 456192 ----a-w- i:\windows\system32\encdec.dll
    2011-12-30 03:43 . 2011-05-02 02:13 121816 ----a-w- i:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . i:\windows\ServicePackFiles\i386\userinit.exe
    [-] 2004-08-10 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . i:\windows\$NtServicePackUninstall$\userinit.exe
    [-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . i:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="i:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 68856]
    "ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="i:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
    "ATIPTA"="i:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
    "OpwareSE2"="i:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
    "EPSON Stylus Photo R800"="i:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE" [2003-08-07 99840]
    "Adobe Photo Downloader"="i:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="i:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "EEventManager"="i:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
    "FUFAXRCV"="i:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2011-03-09 495616]
    "FUFAXSTM"="i:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2011-03-09 856064]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    i:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - i:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-8-12 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-07 05:46 57344 ----a-w- i:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- i:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2007-07-20 03:25 68856 ----a-w- i:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "i:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "i:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
    "i:\\WINDOWS\\ehome\\ehtray.exe"=
    "i:\\WINDOWS\\system32\\WgaTray.exe"=
    "i:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
    "i:\\Program Files\\iTunes\\iTunes.exe"=
    "i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    .
    R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;i:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [5/14/2009 4:07 PM 759048]
    R2 EpsonCustomerParticipation;EpsonCustomerParticipation;i:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [3/17/2011 5:03 PM 513408]
    S2 gupdate;Google Update Service (gupdate);i:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 6:22 PM 135664]
    S2 mrtRate;mrtRate; [x]
    S3 gupdatem;Google Update Service (gupdatem);i:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 6:22 PM 135664]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *NewlyCreated* - WUAUSERV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-08 i:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - i:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:22]
    .
    2012-01-08 i:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - i:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://soccernet.espn.go.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Convert link target to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - i:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab
    FF - ProfilePath - i:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - i:\program files\Java\jre6\bin\jusched.exe
    SharedTaskScheduler-{5defdc92-484f-4a0a-8f98-86f2f2b4542c} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-08 11:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2000)
    i:\windows\system32\WININET.dll
    i:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
    i:\windows\system32\ieframe.dll
    i:\windows\system32\webcheck.dll
    i:\windows\system32\WPDShServiceObj.dll
    i:\windows\system32\PortableDeviceTypes.dll
    i:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    i:\windows\system32\Ati2evxx.exe
    i:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
    i:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    i:\program files\Bonjour\mDNSResponder.exe
    i:\windows\eHome\ehRecvr.exe
    i:\windows\eHome\ehSched.exe
    i:\program files\Java\jre6\bin\jqs.exe
    i:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    i:\windows\ehome\mcrdsvc.exe
    i:\windows\system32\dllhost.exe
    i:\windows\stsystra.exe
    i:\windows\eHome\ehmsas.exe
    i:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-08 11:33:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-08 17:33
    .
    Pre-Run: 76,414,406,656 bytes free
    Post-Run: 76,457,160,704 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 39BDFC28CDDB268E4C04328120DF21B8


    Hope I am still on the right track.
  6. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    You posted Combofix log instead of Bootkit Remover log.
    Please redo.
  7. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    I thought that looked familiar : )

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\I:
    \\.\I: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
  8. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Looks good.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    The computer is running very fast. Probably because there is no CA antivirus slowing it down at this time.

    OTL part 1:

    OTL logfile created on: 1/8/2012 2:25:10 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = I:\Documents and Settings\John\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1022.07 Mb Total Physical Memory | 576.96 Mb Available Physical Memory | 56.45% Memory free
    2.40 Gb Paging File | 2.12 Gb Available in Paging File | 88.32% Paging File free
    Paging file location(s): I:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
    Drive I: | 149.00 Gb Total Space | 71.17 Gb Free Space | 47.76% Space Free | Partition Type: NTFS

    Computer Name: JOHN-BC19467D9A | User Name: John | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/01/08 14:20:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\John\Desktop\OTL.exe
    PRC - [2011/03/17 17:03:32 | 000,513,408 | ---- | M] (SEIKO EPSON CORPORATION) -- I:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
    PRC - [2011/03/08 23:00:00 | 000,856,064 | ---- | M] (SEIKO EPSON CORPORATION) -- I:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
    PRC - [2011/03/08 23:00:00 | 000,495,616 | ---- | M] (SEIKO EPSON CORPORATION) -- I:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe
    PRC - [2010/10/12 12:56:40 | 000,979,328 | ---- | M] (SEIKO EPSON CORPORATION) -- I:\Program Files\Epson Software\Event Manager\EEventManager.exe
    PRC - [2009/05/14 16:07:14 | 000,759,048 | ---- | M] (ABBYY) -- I:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
    PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\explorer.exe
    PRC - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- I:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
    PRC - [2005/06/06 23:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    PRC - [2005/03/22 17:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- I:\WINDOWS\stsystra.exe
    PRC - [2003/08/07 05:00:00 | 000,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- I:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2J1.EXE
    PRC - [2003/05/08 10:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- I:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/14 17:38:00 | 000,456,192 | ---- | M] () -- I:\WINDOWS\system32\encdec.dll
    MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- I:\WINDOWS\system32\sbe.dll
    MOD - [2010/03/15 15:57:20 | 000,067,872 | ---- | M] () -- I:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2010/02/05 12:27:45 | 001,291,776 | ---- | M] () -- I:\WINDOWS\system32\quartz.dll
    MOD - [2008/04/13 18:11:59 | 000,014,336 | ---- | M] () -- I:\WINDOWS\system32\msdmo.dll
    MOD - [2008/04/13 18:11:51 | 000,059,904 | ---- | M] () -- I:\WINDOWS\system32\devenum.dll
    MOD - [2005/08/05 13:01:54 | 000,159,744 | ---- | M] () -- I:\WINDOWS\system32\VBICodec.ax
    MOD - [2005/08/05 12:06:50 | 000,165,376 | ---- | M] () -- I:\WINDOWS\system32\mpg2splt.ax


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (wuauserv)
    SRV - [2011/03/17 17:03:32 | 000,513,408 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- I:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe -- (EpsonCustomerParticipation)
    SRV - [2009/05/14 16:07:14 | 000,759,048 | ---- | M] (ABBYY) [Auto | Running] -- I:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Sprint.9.0)
    SRV - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- I:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2008/04/13 12:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- I:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
    DRV - [2006/05/05 19:21:00 | 000,004,608 | ---- | M] (NVIDIA Corporation.) [Kernel | System | Running] -- I:\WINDOWS\system32\drivers\nvport.sys -- (nvport)
    DRV - [2006/03/29 08:49:26 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
    DRV - [2006/02/09 20:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/06/14 16:40:08 | 000,180,864 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
    DRV - [2005/03/04 17:06:50 | 000,135,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\atinavxx.sys -- (ATIAVPCI)
    DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://soccernet.espn.go.com/
    IE - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
    IE - HKU\S-1-5-21-1123561945-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1123561945-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: I:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: I:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: I:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: I:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: i:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: I:\Documents and Settings\Pam\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: I:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: I:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: I:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: I:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: I:\Program Files\Mozilla Firefox\components [2011/12/29 21:43:26 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: I:\Program Files\Mozilla Firefox\plugins [2011/06/23 05:22:55 | 000,000,000 | ---D | M]

    [2010/02/12 14:32:06 | 000,000,000 | ---D | M] (No name found) -- I:\Documents and Settings\John\Application Data\Mozilla\Extensions
    [2011/12/14 20:01:32 | 000,000,000 | ---D | M] (No name found) -- I:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions
    [2010/04/28 14:59:11 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- I:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/11/11 17:06:42 | 000,000,000 | ---D | M] (No name found) -- I:\Program Files\Mozilla Firefox\extensions
    File not found (No name found) -- I:\DOCUMENTS AND SETTINGS\JOHN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\H69H0TNO.DEFAULT\EXTENSIONS\{E024531D-AC02-4E24-8BB3-56AE7B1ACE04}
    [2010/05/26 21:00:28 | 000,000,000 | ---D | M] (Java Quick Starter) -- I:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/12/29 21:43:25 | 000,121,816 | ---- | M] (Mozilla Foundation) -- I:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/01/21 12:43:24 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- I:\Program Files\mozilla firefox\plugins\NPcol400.dll
    [2011/01/21 12:43:24 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- I:\Program Files\mozilla firefox\plugins\NPcol500.dll
    [2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- I:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- I:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- I:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    [2007/03/09 17:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- I:\Program Files\mozilla firefox\plugins\npyaxmpb.dll
    [2011/10/05 08:16:09 | 000,002,252 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/11/11 17:06:19 | 000,002,040 | ---- | M] () -- I:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/01/08 11:27:36 | 000,000,027 | ---- | M]) - I:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - I:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
    O3 - HKU\S-1-5-21-1123561945-448539723-839522115-1003\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O4 - HKLM..\Run: [Adobe Photo Downloader] I:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [EEventManager] I:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [EPSON Stylus Photo R800] I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [FUFAXRCV] I:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [FUFAXSTM] I:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [OpwareSE2] I:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] I:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
    O4 - Startup: I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = I:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = I:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1123561945-448539723-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
    O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html File not found
    O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
    O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
    O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
    O8 - Extra context menu item: Convert to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre6\bin\npjpi160_26.dll (Sun Microsystems, Inc.)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab (Shockwave ActiveX Control)
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} I:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www.costcophotocenter.com/CostcoActivia.cab (Snapfish Activia)
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/44.10/uploader2.cab (UploadListView Class)
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} https://www.myfamily.com/Controls/Upload/ImageUploader5.cab (Image Uploader Control)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} http://community.weightwatchers.com/Scripts/ImageUploader6.cab (Image Uploader Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/games/popcaploader_v6.cab (PopCapLoader Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D508C823-5466-40F7-8B94-27C622AFF8DF}: DhcpNameServer = 192.168.2.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -I:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (I:\WINDOWS\system32\userinit.exe) -I:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: I:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: I:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: wuauserv - File not found

    Drivers32: msacm.iac2 - I:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - I:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - I:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - I:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - I:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - I:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - I:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - I:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - I:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - I:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: wave1 - I:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/08 14:20:22 | 000,584,192 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\John\Desktop\OTL.exe
    [2012/01/08 12:30:28 | 000,000,000 | ---D | C] -- I:\Documents and Settings\John\Desktop\bootkit_remover
    [2012/01/08 11:15:37 | 000,000,000 | RHSD | C] -- I:\cmdcons
    [2012/01/08 11:11:17 | 000,518,144 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWREG.exe
    [2012/01/08 11:11:17 | 000,406,528 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWSC.exe
    [2012/01/08 11:11:17 | 000,212,480 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWXCACLS.exe
    [2012/01/08 11:11:17 | 000,060,416 | ---- | C] (NirSoft) -- I:\WINDOWS\NIRCMD.exe
    [2012/01/08 11:11:09 | 000,000,000 | ---D | C] -- I:\WINDOWS\ERDNT
    [2012/01/08 11:01:46 | 000,000,000 | ---D | C] -- I:\Config.Msi
    [2012/01/08 10:39:49 | 000,000,000 | ---D | C] -- I:\Qoobox
    [2012/01/08 10:17:21 | 008,821,856 | ---- | C] (OPSWAT, Inc.) -- I:\Documents and Settings\John\Desktop\AppRemover.exe
    [2012/01/08 10:12:37 | 004,374,678 | R--- | C] (Swearware) -- I:\Documents and Settings\John\Desktop\ComboFix.exe
    [2012/01/08 10:05:47 | 004,713,472 | ---- | C] (AVAST Software) -- I:\Documents and Settings\John\Desktop\aswMBR.exe
    [2012/01/07 14:48:39 | 000,607,260 | R--- | C] (Swearware) -- I:\Documents and Settings\John\Desktop\dds.scr
    [2011/12/16 22:08:20 | 000,000,000 | R--D | C] -- I:\Documents and Settings\John\Start Menu\Programs\Administrative Tools
    [2011/12/16 21:28:34 | 000,000,000 | R--D | C] -- I:\Documents and Settings\John\Recent
    [2011/12/16 21:03:30 | 000,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [1 I:\WINDOWS\*.tmp files -> I:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/01/08 14:20:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\John\Desktop\OTL.exe
    [2012/01/08 14:16:00 | 000,000,886 | ---- | M] () -- I:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/01/08 12:28:47 | 000,044,607 | ---- | M] () -- I:\Documents and Settings\John\Desktop\bootkit_remover.zip
    [2012/01/08 11:27:36 | 000,000,027 | ---- | M] () -- I:\WINDOWS\System32\drivers\etc\hosts
    [2012/01/08 11:27:27 | 000,002,206 | ---- | M] () -- I:\WINDOWS\System32\wpa.dbl
    [2012/01/08 11:27:23 | 000,000,882 | ---- | M] () -- I:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/01/08 11:26:25 | 000,002,048 | --S- | M] () -- I:\WINDOWS\bootstat.dat
    [2012/01/08 11:15:41 | 000,000,325 | RHS- | M] () -- I:\boot.ini
    [2012/01/08 10:17:28 | 008,821,856 | ---- | M] (OPSWAT, Inc.) -- I:\Documents and Settings\John\Desktop\AppRemover.exe
    [2012/01/08 10:12:42 | 004,374,678 | R--- | M] (Swearware) -- I:\Documents and Settings\John\Desktop\ComboFix.exe
    [2012/01/08 10:06:01 | 004,713,472 | ---- | M] (AVAST Software) -- I:\Documents and Settings\John\Desktop\aswMBR.exe
    [2012/01/07 14:48:39 | 000,607,260 | R--- | M] (Swearware) -- I:\Documents and Settings\John\Desktop\dds.scr
    [2012/01/07 14:41:59 | 000,302,592 | ---- | M] () -- I:\Documents and Settings\John\Desktop\bml80zym.exe
    [2012/01/07 13:58:40 | 000,000,802 | ---- | M] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/01/07 13:58:40 | 000,000,784 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2011/12/17 13:41:55 | 000,001,729 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2011/12/15 07:35:50 | 000,278,944 | ---- | M] () -- I:\WINDOWS\System32\FNTCACHE.DAT
    [2011/12/15 03:07:33 | 000,001,393 | ---- | M] () -- I:\WINDOWS\imsins.BAK
    [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbam.sys
    [1 I:\WINDOWS\*.tmp files -> I:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2099/01/01 12:00:00 | 000,006,456 | ---- | C] () -- I:\WINDOWS\System32\komazuyu
    [2012/01/08 12:28:50 | 000,044,607 | ---- | C] () -- I:\Documents and Settings\John\Desktop\bootkit_remover.zip
    [2012/01/08 11:15:41 | 000,000,208 | ---- | C] () -- I:\Boot.bak
    [2012/01/08 11:15:38 | 000,260,272 | RHS- | C] () -- I:\cmldr
    [2012/01/08 11:11:17 | 000,256,000 | ---- | C] () -- I:\WINDOWS\PEV.exe
    [2012/01/08 11:11:17 | 000,208,896 | ---- | C] () -- I:\WINDOWS\MBR.exe
    [2012/01/08 11:11:17 | 000,098,816 | ---- | C] () -- I:\WINDOWS\sed.exe
    [2012/01/08 11:11:17 | 000,080,412 | ---- | C] () -- I:\WINDOWS\grep.exe
    [2012/01/08 11:11:17 | 000,068,096 | ---- | C] () -- I:\WINDOWS\zip.exe
    [2012/01/07 14:41:57 | 000,302,592 | ---- | C] () -- I:\Documents and Settings\John\Desktop\bml80zym.exe
    [2012/01/07 13:58:40 | 000,000,802 | ---- | C] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/01/07 13:58:40 | 000,000,784 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2011/12/16 21:03:45 | 000,001,853 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\MP500 On-screen Manual.lnk
    [2011/12/16 21:03:45 | 000,000,724 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2011/12/16 21:03:45 | 000,000,559 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Print CD.lnk
    [2011/12/16 21:03:44 | 000,002,067 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Adobe Photoshop Album Starter Edition 3.0.lnk
    [2011/12/16 21:03:44 | 000,001,729 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2011/12/16 21:03:44 | 000,001,694 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Artisan 837 User's Guide.lnk
    [2011/12/16 21:03:44 | 000,001,682 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\H&R Block 2010.lnk
    [2011/12/16 21:03:44 | 000,000,895 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Adobe Photoshop Elements 2.0.lnk
    [2011/12/16 21:03:44 | 000,000,808 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Easy-PhotoPrint.lnk
    [2011/12/16 21:03:44 | 000,000,665 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
    [2011/12/16 21:03:39 | 000,001,478 | ---- | C] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
    [2011/12/16 21:03:39 | 000,000,815 | ---- | C] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/12/16 21:03:39 | 000,000,800 | ---- | C] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2011/12/16 21:03:39 | 000,000,742 | ---- | C] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/12/16 21:03:39 | 000,000,079 | ---- | C] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2011/12/16 21:03:32 | 000,000,793 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    [2011/12/16 21:03:27 | 000,002,453 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Streets & Trips.lnk
    [2011/12/16 21:03:27 | 000,002,347 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
    [2011/12/16 21:03:27 | 000,001,830 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
    [2011/12/16 21:03:27 | 000,001,466 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Media Center.lnk
    [2011/12/16 21:03:27 | 000,000,786 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
    [2011/12/16 21:03:27 | 000,000,730 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
    [2011/12/16 21:03:27 | 000,000,609 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
    [2011/12/16 21:03:26 | 000,002,073 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Adobe Photoshop Album Starter Edition 3.0.lnk
    [2011/12/16 21:03:26 | 000,001,702 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Across Lite 2.0.lnk
    [2011/12/16 21:03:26 | 000,000,901 | ---- | C] () -- I:\Documents and Settings\All Users\Start Menu\Programs\Adobe Photoshop Elements 2.0.lnk
    [2011/10/07 20:39:12 | 000,000,000 | ---- | C] () -- I:\WINDOWS\EEventManager.INI
    [2011/10/07 17:45:32 | 000,058,708 | ---- | C] () -- I:\WINDOWS\System32\mlfcache.dat
    [2011/10/05 18:36:08 | 000,000,104 | ---- | C] () -- I:\WINDOWS\EART837.ini
    [2010/04/05 12:47:17 | 000,000,664 | ---- | C] () -- I:\WINDOWS\System32\d3d9caps.dat
    [2010/01/31 08:48:03 | 000,020,552 | ---- | C] () -- I:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2008/05/03 12:28:59 | 000,017,408 | ---- | C] () -- I:\Documents and Settings\John\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/09/10 17:41:32 | 000,001,337 | ---- | C] () -- I:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2007/01/28 14:47:32 | 000,000,000 | ---- | C] () -- I:\WINDOWS\PestPatrol5.INI
    [2006/09/09 14:49:16 | 000,000,000 | ---- | C] () -- I:\Documents and Settings\John\Application Data\dm.ini
    [2006/08/31 08:19:39 | 000,000,030 | ---- | C] () -- I:\WINDOWS\INTURS.DAT
    [2006/08/28 11:43:51 | 000,000,078 | ---- | C] () -- I:\WINDOWS\qwimp.ini
    [2006/08/28 11:42:54 | 000,000,209 | ---- | C] () -- I:\WINDOWS\QUICKEN.INI
    [2006/08/14 16:56:35 | 000,000,000 | ---- | C] () -- I:\WINDOWS\nsreg.dat
    [2006/08/12 14:23:08 | 000,000,048 | ---- | C] () -- I:\WINDOWS\EPSONR800.ini
    [2006/08/11 10:02:45 | 000,008,704 | ---- | C] () -- I:\WINDOWS\System32\CNMVS7L.DLL
    [2006/08/11 10:01:05 | 000,000,532 | ---- | C] () -- I:\WINDOWS\MAXLINK.INI
    [2006/08/10 11:59:10 | 000,000,376 | ---- | C] () -- I:\WINDOWS\ODBC.INI
    [2006/08/09 16:42:11 | 000,004,212 | ---- | C] () -- I:\WINDOWS\System32\zllictbl.dat
    [2006/08/08 16:16:03 | 000,520,192 | ---- | C] () -- I:\WINDOWS\System32\ati2sgag.exe
    [2006/08/08 16:15:38 | 000,114,630 | ---- | C] () -- I:\WINDOWS\System32\atiicdxx.dat
    [2006/08/08 15:52:21 | 000,000,127 | ---- | C] () -- I:\Documents and Settings\John\Local Settings\Application Data\fusioncache.dat
    [2006/08/08 15:47:16 | 000,002,048 | --S- | C] () -- I:\WINDOWS\bootstat.dat
    [2006/08/08 15:40:56 | 000,021,640 | ---- | C] () -- I:\WINDOWS\System32\emptyregdb.dat
    [2006/08/08 09:03:16 | 000,004,161 | ---- | C] () -- I:\WINDOWS\ODBCINST.INI
    [2006/08/08 09:02:14 | 000,278,944 | ---- | C] () -- I:\WINDOWS\System32\FNTCACHE.DAT
    [2005/08/05 13:01:54 | 000,235,008 | ---- | C] () -- I:\WINDOWS\System32\psisdecd.dll
    [2005/03/22 16:38:24 | 013,107,200 | ---- | C] () -- I:\WINDOWS\System32\oembios.bin
    [2005/03/22 16:38:24 | 000,004,627 | ---- | C] () -- I:\WINDOWS\System32\oembios.dat
    [2004/08/10 05:00:00 | 000,673,088 | ---- | C] () -- I:\WINDOWS\System32\mlang.dat
    [2004/08/10 05:00:00 | 000,444,456 | ---- | C] () -- I:\WINDOWS\System32\perfh009.dat
    [2004/08/10 05:00:00 | 000,272,128 | ---- | C] () -- I:\WINDOWS\System32\perfi009.dat
    [2004/08/10 05:00:00 | 000,218,003 | ---- | C] () -- I:\WINDOWS\System32\dssec.dat
    [2004/08/10 05:00:00 | 000,072,332 | ---- | C] () -- I:\WINDOWS\System32\perfc009.dat
    [2004/08/10 05:00:00 | 000,046,258 | ---- | C] () -- I:\WINDOWS\System32\mib.bin
    [2004/08/10 05:00:00 | 000,028,626 | ---- | C] () -- I:\WINDOWS\System32\perfd009.dat
    [2004/08/10 05:00:00 | 000,004,569 | ---- | C] () -- I:\WINDOWS\System32\secupd.dat
    [2004/08/10 05:00:00 | 000,001,804 | ---- | C] () -- I:\WINDOWS\System32\dcache.bin
    [2004/08/10 05:00:00 | 000,000,741 | ---- | C] () -- I:\WINDOWS\System32\noise.dat
    [2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- I:\WINDOWS\System32\OUTLPERF.INI
    [2001/09/04 04:04:00 | 000,000,182 | ---- | C] () -- I:\WINDOWS\System32\EBPPORT4.DAT

    ========== LOP Check ==========

    [2012/01/08 11:09:21 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\CA
    [2010/03/27 08:51:21 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\CA-SupportBridge
    [2011/10/05 18:57:02 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\EPSON
    [2010/01/31 09:02:42 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2006/11/03 21:16:34 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
    [2006/08/19 15:35:41 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\PopCap
    [2010/03/27 10:33:58 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\ScanSoft
    [2006/08/11 10:01:06 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
    [2006/08/11 10:01:06 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\SSScanWizard
    [2011/01/26 09:13:11 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\TaxCut
    [2009/04/03 14:53:50 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
    [2010/04/26 10:14:49 | 000,000,000 | ---D | M] -- I:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/06/25 10:29:59 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\Canon
    [2011/10/07 17:35:49 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\Epson
    [2006/08/12 14:24:42 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\Leadertech
    [2007/04/14 08:21:52 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\MotionBased
    [2008/11/19 18:27:14 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\MSNInstaller
    [2010/03/27 10:33:58 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\ScanSoft
    [2007/12/16 12:55:40 | 000,000,000 | ---D | M] -- I:\Documents and Settings\John\Application Data\Snapfish
    [2011/10/09 08:41:00 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Jonathan\Application Data\Epson
    [2011/10/05 18:49:43 | 000,000,000 | ---D | M] -- I:\Documents and Settings\LocalService\Application Data\Epson
    [2008/11/24 22:31:53 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Amazon
    [2011/09/07 07:36:03 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Canon
    [2011/01/21 12:43:24 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Catalina Marketing Corp
    [2009/11/28 22:00:47 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\CDFKPHome
    [2011/10/09 10:17:20 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Epson
    [2010/06/14 13:37:42 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Facebook
    [2007/10/22 19:51:40 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\funkitron
    [2007/07/23 10:36:42 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Leadertech
    [2006/08/11 10:01:08 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\ScanSoft
    [2007/02/09 12:49:55 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\Snapfish
    [2011/01/26 09:16:54 | 000,000,000 | ---D | M] -- I:\Documents and Settings\Pam\Application Data\TaxCut

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2005/02/12 20:05:00 | 000,151,552 | ---- | M] (ATI Technologies Inc.) -- I:\AtiCim.bin
    [2005/02/12 20:05:00 | 000,110,592 | ---- | M] (ATI Technologies Inc.) -- I:\AtiCimUn.exe
    [2006/08/08 15:38:09 | 000,000,208 | ---- | M] () -- I:\Boot.bak
    [2012/01/08 11:15:41 | 000,000,325 | RHS- | M] () -- I:\boot.ini
    [2005/02/12 20:05:00 | 000,069,632 | ---- | M] (ATI Technologies Inc.) -- I:\CheckVer.exe
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- I:\cmldr
    [2012/01/08 11:33:08 | 000,012,736 | ---- | M] () -- I:\ComboFix.txt
    [2005/12/12 08:27:00 | 000,045,056 | ---- | M] (Windows XP Bundled build C-Centric Single User) -- I:\CSVer.dll
    [2005/02/12 20:05:00 | 000,798,386 | ---- | M] () -- I:\data1.cab
    [2005/02/12 20:05:00 | 000,012,370 | ---- | M] () -- I:\data1.hdr
    [2005/02/12 20:05:00 | 000,000,512 | ---- | M] () -- I:\data2.cab
    [2003/11/19 01:15:00 | 000,128,398 | ---- | M] () -- I:\del200f.cty
    [2004/01/19 10:13:08 | 000,011,075 | ---- | M] () -- I:\del200fk.cat
    [2004/01/07 10:16:18 | 000,037,128 | ---- | M] () -- I:\del200fk.inf
    [2003/09/03 14:31:16 | 000,001,736 | ---- | M] () -- I:\DEVTYPE.INI
    [2002/02/04 14:39:20 | 000,000,023 | R--- | M] () -- I:\disk1
    [2005/02/12 20:05:00 | 000,154,624 | ---- | M] (ATI Technologies Inc.) -- I:\DrvUI64A.exe
    [2005/07/13 10:34:30 | 000,030,720 | ---- | M] () -- I:\dss features matrix v14.xls
    [2005/03/24 07:46:04 | 000,459,688 | ---- | M] () -- I:\engine32.cab
    [2003/10/23 14:01:36 | 000,032,218 | R--- | M] (Conexant Systems, Inc.) -- I:\HSFCI008.dll
    [2003/11/17 14:59:20 | 000,212,224 | R--- | M] (Conexant Systems, Inc.) -- I:\HSFHWBS2.sys
    [2003/11/17 14:58:02 | 000,680,704 | R--- | M] (Conexant Systems, Inc.) -- I:\HSF_CNXT.sys
    [2003/11/17 14:56:26 | 001,042,432 | R--- | M] (Conexant Systems, Inc.) -- I:\HSF_DP.sys
    [2003/10/30 14:25:38 | 000,532,480 | ---- | M] (Conexant Systems, Inc.) -- I:\HXFSetup.exe
    [2005/07/01 10:01:02 | 000,008,080 | ---- | M] () -- I:\iaahci.cat
    [2005/06/17 06:27:10 | 000,004,736 | ---- | M] () -- I:\iaahci.inf
    [2005/07/06 16:41:26 | 000,007,982 | ---- | M] () -- I:\iastor.cat
    [2005/06/30 09:46:32 | 000,003,302 | ---- | M] () -- I:\iastor.inf
    [2005/06/17 06:33:40 | 000,872,064 | ---- | M] (Intel Corporation) -- I:\iastor.sys
    [2005/02/12 20:05:00 | 000,344,923 | ---- | M] () -- I:\ikernel.ex_
    [2005/12/12 08:27:00 | 000,000,720 | ---- | M] () -- I:\InfoDlg.txt
    [2005/12/12 08:27:00 | 000,000,072 | ---- | M] () -- I:\Install.cfg
    [2005/02/12 20:05:00 | 000,000,257 | ---- | M] () -- I:\INSTALL.INI
    [2005/12/12 08:27:00 | 000,065,536 | ---- | M] () -- I:\Instngin.dll
    [2005/02/12 20:05:00 | 000,127,488 | ---- | M] (InstallShield Software Corporation) -- I:\issetup.exe
    [2004/07/08 09:42:52 | 015,228,464 | ---- | M] (Sun Microsystems, Inc. ) -- I:\j2re.exe
    [2005/03/01 13:12:08 | 000,000,789 | ---- | M] () -- I:\language.dat
    [2005/07/08 13:10:36 | 000,000,256 | ---- | M] () -- I:\Language.txt
    [2005/02/12 20:05:00 | 000,000,569 | ---- | M] () -- I:\layout.bin
    [2005/07/08 12:51:38 | 000,011,042 | ---- | M] () -- I:\license.txt
    [2003/04/09 13:01:32 | 000,090,112 | R--- | M] (Conexant) -- I:\MdmXSdk.dll
    [2003/04/09 12:48:08 | 000,011,043 | R--- | M] (Conexant) -- I:\MDMXSDK.sys
    [2005/03/04 09:56:02 | 000,019,992 | ---- | M] () -- I:\MH Releases.txt
    [2004/08/10 05:00:00 | 000,047,564 | RHS- | M] () -- I:\NTDETECT.COM
    [2008/08/17 07:49:46 | 000,250,048 | RHS- | M] () -- I:\ntldr
    [2012/01/08 11:26:22 | 1610,612,736 | -HS- | M] () -- I:\pagefile.sys
    [2005/03/21 12:01:10 | 000,106,496 | ---- | M] (Intel® Corporation) -- I:\PCIUtil.dll
    [2005/02/12 20:05:00 | 000,018,192 | ---- | M] (Microsoft Corporation) -- I:\psapi.dll
    [2004/05/25 14:56:00 | 000,002,193 | ---- | M] () -- I:\readme_CS.TXT
    [2004/05/25 14:34:08 | 000,002,175 | ---- | M] () -- I:\readme_CT.TXT
    [2004/05/25 13:51:58 | 000,003,955 | ---- | M] () -- I:\readme_FR.TXT
    [2004/05/25 13:53:16 | 000,004,082 | ---- | M] () -- I:\readme_GE.TXT
    [2004/05/21 10:05:28 | 000,003,306 | ---- | M] () -- I:\readme_JA.TXT
    [2004/05/25 13:59:16 | 000,002,927 | ---- | M] () -- I:\readme_KO.TXT
    [2004/05/25 13:52:40 | 000,003,561 | ---- | M] () -- I:\readme_PB.TXT
    [2004/05/20 15:17:16 | 000,003,996 | ---- | M] () -- I:\readme_SP.TXT
    [2005/07/08 13:10:36 | 000,092,132 | ---- | M] () -- I:\setup.bmp
    [2005/06/17 00:29:38 | 000,450,563 | ---- | M] () -- I:\setup.ibt
    [2005/02/12 20:05:00 | 000,000,132 | ---- | M] () -- I:\Setup.ini
    [2005/02/12 20:05:00 | 000,159,605 | ---- | M] () -- I:\setup.inx
    [2005/07/08 13:10:34 | 000,000,931 | ---- | M] () -- I:\setup.iss
    [2005/06/10 10:07:04 | 000,002,600 | ---- | M] () -- I:\Setupcfg.reg
    [2011/12/25 13:09:00 | 000,050,030 | ---- | M] () -- I:\TDSSKiller.2.6.25.0_25.12.2011_13.08.14_log.txt
    [2011/12/25 13:15:50 | 000,050,030 | ---- | M] () -- I:\TDSSKiller.2.6.25.0_25.12.2011_13.14.08_log.txt
    [2011/12/25 13:16:38 | 000,050,030 | ---- | M] () -- I:\TDSSKiller.2.6.25.0_25.12.2011_13.16.14_log.txt
    [2005/06/17 06:26:54 | 000,002,814 | ---- | M] () -- I:\txtsetup.oem
    [2005/12/12 08:27:04 | 000,051,712 | ---- | M] () -- I:\UpDrv64.exe
    [2005/12/15 11:49:44 | 000,000,590 | ---- | M] () -- I:\Version.txt
  10. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    OTL part 2:

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- I:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- I:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- I:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- I:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/08/08 15:43:57 | 000,000,067 | -HS- | M] () -- I:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2005/08/25 23:00:00 | 000,020,992 | ---- | M] (CANON INC.) -- I:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD7L.DLL
    [2005/08/26 11:00:00 | 000,059,392 | ---- | M] (CANON INC.) -- I:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP7L.DLL
    [2008/07/06 06:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2004/03/22 16:17:06 | 000,025,840 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 04:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/08/08 09:01:39 | 000,094,208 | ---- | M] () -- I:\WINDOWS\System32\config\default.sav
    [2006/08/08 09:01:39 | 000,659,456 | ---- | M] () -- I:\WINDOWS\System32\config\software.sav
    [2006/08/08 09:01:39 | 000,913,408 | ---- | M] () -- I:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/08/17 08:01:51 | 000,000,272 | -HS- | M] () -- I:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2006/08/08 16:02:35 | 000,000,170 | -HS- | M] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2006/08/08 16:02:34 | 000,000,079 | ---- | M] () -- I:\Documents and Settings\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2012/01/08 10:17:28 | 008,821,856 | ---- | M] (OPSWAT, Inc.) -- I:\Documents and Settings\John\Desktop\AppRemover.exe
    [2012/01/08 10:06:01 | 004,713,472 | ---- | M] (AVAST Software) -- I:\Documents and Settings\John\Desktop\aswMBR.exe
    [2012/01/07 14:41:59 | 000,302,592 | ---- | M] () -- I:\Documents and Settings\John\Desktop\bml80zym.exe
    [2012/01/08 10:12:42 | 004,374,678 | R--- | M] (Swearware) -- I:\Documents and Settings\John\Desktop\ComboFix.exe
    [2012/01/08 14:20:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\John\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2010/01/22 16:29:12 | 038,808,920 | ---- | M] (Microsoft Corporation) -- I:\Documents and Settings\John\My Documents\FileFormatConverters.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2006/08/08 16:02:34 | 000,000,122 | -HS- | M] () -- I:\Documents and Settings\John\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >
    [2010/04/24 14:41:14 | 000,272,640 | ---- | M] () -- I:\Program Files\Mozilla Firefox\o.dat

    < %USERPROFILE%\Cookies\*.txt /x >
    [2009/06/27 14:23:48 | 000,000,067 | -HS- | M] () -- I:\Documents and Settings\John\Cookies\desktop.ini
    [2012/01/08 11:28:23 | 000,180,224 | ---- | M] () -- I:\Documents and Settings\John\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 18:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- I:\Program Files\Messenger\custsat.dll
    [2004/08/04 00:06:34 | 000,004,821 | ---- | M] () -- I:\Program Files\Messenger\logowin.gif
    [2004/08/04 00:06:34 | 000,007,047 | ---- | M] () -- I:\Program Files\Messenger\lvback.gif
    [2008/05/02 08:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- I:\Program Files\Messenger\msgsc.dll
    [2008/04/13 11:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- I:\Program Files\Messenger\msgslang.dll
    [2008/04/13 18:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- I:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 12:07:23 | 000,002,882 | ---- | M] () -- I:\Program Files\Messenger\newalert.wav
    [2007/04/02 12:07:23 | 000,006,156 | ---- | M] () -- I:\Program Files\Messenger\newemail.wav
    [2007/04/02 12:07:24 | 000,006,160 | ---- | M] () -- I:\Program Files\Messenger\online.wav
    [2004/08/04 00:06:36 | 000,004,454 | ---- | M] () -- I:\Program Files\Messenger\type.wav
    [2004/08/04 00:06:36 | 000,115,981 | ---- | M] () -- I:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    < End of report >


    Extras:
    OTL Extras logfile created on: 1/8/2012 2:25:10 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = I:\Documents and Settings\John\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1022.07 Mb Total Physical Memory | 576.96 Mb Available Physical Memory | 56.45% Memory free
    2.40 Gb Paging File | 2.12 Gb Available in Paging File | 88.32% Paging File free
    Paging file location(s): I:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
    Drive I: | 149.00 Gb Total Space | 71.17 Gb Free Space | 47.76% Space Free | Partition Type: NTFS

    Computer Name: JOHN-BC19467D9A | User Name: John | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-1123561945-448539723-839522115-1003\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- I:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusOverride" = 1
    "FirewallOverride" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "I:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = I:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
    "I:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = I:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
    "I:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = I:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
    "I:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = I:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
    "I:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe" = I:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe:*:Disabled:Zoo Tycoon 2 Executable -- (Microsoft Corporation)
    "I:\WINDOWS\system32\WgaTray.exe" = I:\WINDOWS\system32\WgaTray.exe:*:Enabled:WgaTray -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
    "{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA PureVideo Decoder
    "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
    "{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility
    "{0D2E80C8-0875-43EB-9623-47118E2DFBCA}" = Quicken 2007
    "{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
    "{10964A8F-21C1-45EA-BC2D-F84B505C3848}" = H&R Block Deluxe + Efile + State 2010
    "{10F63395-157F-4B93-AB4D-702A2FF11942}" = Epson Download Navigator
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 26
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
    "{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
    "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
    "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
    "{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
    "{424D0DE6-670E-4744-99F9-3C84326F4C7B}" = H&R Block Kansas 2010
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
    "{4BE15737-07C5-4705-9DFC-D9D533939942}" = NVIDIA Media Center Extensions
    "{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{61100673-2546-42E1-BF92-467B5CB2AC6D}" = DeductionPro 2008
    "{64BA551C-9AF6-495C-93F3-D1270E0045FC}" = Epson Connect
    "{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005
    "{6F29FA78-4E36-4888-A248-B324AE1396F8}" = H&R Block Kansas 2009
    "{70C4EFA5-F8B8-4015-9378-FCAA9000DF19}" = MotionBased Agent
    "{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
    "{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
    "{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
    "{814FA673-A085-403C-9545-747FC1495069}" = Epson Customer Participation
    "{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
    "{8ED43F7E-A8F6-4898-AF11-B6158F2EDF94}" = Epson Event Manager
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{97F4D62E-5AEB-4649-BABF-4712C6EF6845}" = DeductionPro 2009
    "{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
    "{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
    "{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
    "{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
    "{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C7ABCF96-AD65-4156-94A0-8A8A9AE32D6D}" = TaxCut Kansas 2008
    "{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D16A31F9-276D-4968-A753-FFEAC56995D0}" = Epson Print CD
    "{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
    "{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
    "{F9000000-0018-0000-0000-074957833700}" = ABBYY FineReader 9.0 Sprint
    "{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
    "12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
    "45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    "ABBYY FineReader 9.0 Sprint" = ABBYY FineReader 9.0 Sprint
    "Across Lite 2.0" = Across Lite 2.0
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "All ATI Software" = ATI - Software Uninstall Utility
    "Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
    "ATI Display Driver" = ATI Display Driver
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
    "Coupon Printer for Windows4.0" = Coupon Printer for Windows
    "Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
    "Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
    "Easy-WebPrint" = Easy-WebPrint
    "EPSON Artisan 837 Series" = EPSON Artisan 837 Series Printer Uninstall
    "EPSON PC-FAX Driver 2" = Epson PC-FAX Driver
    "EPSON Printer and Utilities" = EPSON Printer Software
    "EPSON Scanner" = EPSON Scan
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "PENTAX Digital Camera Utility" = PENTAX Digital Camera Utility
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "SystemRequirementsLab" = System Requirements Lab
    "TurboTax Deluxe 2007" = TurboTax Deluxe 2007
    "TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "YInstHelper" = Yahoo! Install Manager
    "Zoo Tycoon 2" = Zoo Tycoon 2

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/16/2011 9:53:33 PM | Computer Name = JOHN-BC19467D9A | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 12/16/2011 9:56:09 PM | Computer Name = JOHN-BC19467D9A | Source = Microsoft Office 11 | ID = 1000
    Description = Faulting application excel.exe, version 11.0.8033.0, stamp 449c383b,
    faulting module mso.dll, version 11.0.8036.0, stamp 44b846ce, debug? 0, fault address
    0x00033b90.

    Error - 12/16/2011 9:56:32 PM | Computer Name = JOHN-BC19467D9A | Source = Media Center Scheduler | ID = 0
    Description =

    Error - 12/17/2011 12:15:40 AM | Computer Name = JOHN-BC19467D9A | Source = UmxAgent | ID = 108
    Description =

    Error - 12/17/2011 2:52:01 PM | Computer Name = JOHN-BC19467D9A | Source = UmxAgent | ID = 108
    Description =

    Error - 12/17/2011 5:57:29 PM | Computer Name = JOHN-BC19467D9A | Source = UmxAgent | ID = 108
    Description =

    Error - 12/27/2011 2:35:01 PM | Computer Name = JOHN-BC19467D9A | Source = UmxAgent | ID = 108
    Description =

    Error - 1/1/2012 4:25:11 PM | Computer Name = JOHN-BC19467D9A | Source = UmxAgent | ID = 108
    Description =

    Error - 1/1/2012 4:48:09 PM | Computer Name = JOHN-BC19467D9A | Source = Application Hang | ID = 1002
    Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 1/7/2012 4:32:33 PM | Computer Name = JOHN-BC19467D9A | Source = UmxAgent | ID = 108
    Description =

    [ System Events ]
    Error - 12/25/2011 9:46:07 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7000
    Description = The mrtRate service failed to start due to the following error: %%2

    Error - 12/27/2011 9:34:47 AM | Computer Name = JOHN-BC19467D9A | Source = MRxSmb | ID = 8003
    Description = The master browser has received a server announcement from the computer
    USER-PC that believes that it is the master browser for the domain on transport
    NetBT_Tcpip_{D508C823-5466-40F7-8. The master browser is stopping or an election
    is being forced.

    Error - 12/27/2011 3:05:15 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Media Center Receiver
    Service service to connect.

    Error - 12/27/2011 3:05:15 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7000
    Description = The mrtRate service failed to start due to the following error: %%2

    Error - 1/7/2012 4:35:14 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7000
    Description = The mrtRate service failed to start due to the following error: %%2

    Error - 1/8/2012 12:44:41 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7000
    Description = The mrtRate service failed to start due to the following error: %%2

    Error - 1/8/2012 1:07:21 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7023
    Description = The HIPS Policy Manager service terminated with the following error:
    %%2147500037

    Error - 1/8/2012 1:09:41 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7000
    Description = The mrtRate service failed to start due to the following error: %%2

    Error - 1/8/2012 1:26:55 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7000
    Description = The mrtRate service failed to start due to the following error: %%2

    Error - 1/8/2012 1:26:55 PM | Computer Name = JOHN-BC19467D9A | Source = Service Control Manager | ID = 7023
    Description = The Automatic Updates service terminated with the following error:
    %%126


    < End of report >
  11. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    You can reinstall CA now.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O8 - Extra context menu item: Convert link target to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
      O8 - Extra context menu item: Convert link target to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
      O8 - Extra context menu item: Convert selected links to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html File not found
      O8 - Extra context menu item: Convert selected links to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
      O8 - Extra context menu item: Convert selection to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
      O8 - Extra context menu item: Convert selection to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
      O8 - Extra context menu item: Convert to Adobe PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html File not found
      O8 - Extra context menu item: Convert to existing PDF - res://I:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html File not found
      O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ===============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  12. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    CA is now reinstalled. Requested logs below:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert link target to Adobe PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert link target to existing PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selected links to Adobe PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selected links to existing PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selection to Adobe PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert selection to existing PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert to Adobe PDF\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Convert to existing PDF\ deleted successfully.
    Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    I:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: John
    ->Temp folder emptied: 474256192 bytes
    ->Temporary Internet Files folder emptied: 229448117 bytes
    ->Java cache emptied: 67354867 bytes
    ->FireFox cache emptied: 50307755 bytes
    ->Flash cache emptied: 470 bytes

    User: Jonathan
    ->Temp folder emptied: 2365062512 bytes
    ->Temporary Internet Files folder emptied: 2023797858 bytes
    ->Java cache emptied: 54897669 bytes
    ->FireFox cache emptied: 13629493 bytes
    ->Flash cache emptied: 8598 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49286 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Pam
    ->Temp folder emptied: 5621812 bytes
    ->Temporary Internet Files folder emptied: 522615 bytes
    ->Java cache emptied: 53695232 bytes
    ->FireFox cache emptied: 525735563 bytes
    ->Flash cache emptied: 16061 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5,593.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: John
    ->Flash cache emptied: 0 bytes

    User: Jonathan
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: Pam
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 01082012_180327

    Files\Folders moved on Reboot...
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DFA07.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DFA86.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DFD03.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DFD68.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DFF6F.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DFFA3.tmp not found!
    I:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\1R1JE475\topic175829[1].html moved successfully.

    Registry entries deleted on Reboot...


    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    CA Anti-Virus Plus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 30
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java 2 Runtime Environment, SE v1.4.2_03
    Out of date Java installed!
    Adobe Flash Player 11.1.102.55
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    CA CA Internet Security Suite CA Anti-Virus Plus caamsvc.exe
    CA CA Internet Security Suite CA Anti-Virus Plus isafe.exe
    ``````````End of Log````````````


    Farbar Service Scanner
    Ran by John (administrator) on 08-01-2012 at 19:07:49
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


    File Check:
    ========
    I:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    I:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    I:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    I:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    I:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    I:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    I:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    I:\WINDOWS\system32\netman.dll => MD5 is legit
    I:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    I:\WINDOWS\system32\srsvc.dll => MD5 is legit
    I:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    I:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    I:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    I:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    I:\WINDOWS\system32\qmgr.dll => MD5 is legit
    I:\WINDOWS\system32\es.dll => MD5 is legit
    I:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    I:\WINDOWS\system32\svchost.exe => MD5 is legit
    I:\WINDOWS\system32\rpcss.dll => MD5 is legit
    I:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x0700000005000000010000000200000003000000040000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****

    I:\Documents and Settings\Jonathan\Application Data\Mozilla\Firefox\Profiles\td3vgl5q.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
    I:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\alte1tez.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
    I:\Program Files\Mozilla Firefox\o.dat a variant of Win32/Kryptik.DUI trojan
    I:\Qoobox\Quarantine\I\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\h69h0tno.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
  13. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Uninstall:
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java 2 Runtime Environment, SE v1.4.2_03


    ============================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  14. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    I deleted the older versions of Java using JavaRA. and did everything else below. Everything looked great when I used it, but when my wife went to google from her account she was redirected on her first try.

    Below is the attached log requested:


    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: John
    ->Temp folder emptied: 331479 bytes
    ->Temporary Internet Files folder emptied: 12663467 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 691 bytes

    User: Jonathan
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Pam
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 12.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: John
    ->Flash cache emptied: 0 bytes

    User: Jonathan
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: Pam
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.31.0 log created on 01092012_053459

    Files\Folders moved on Reboot...
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DF13E7.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DF1754.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DF1A16.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DF1A88.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DF1E25.tmp not found!
    File\Folder I:\Documents and Settings\John\Local Settings\Temp\~DF1F44.tmp not found!
    I:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\8IF94WXD\topic175829[1].html moved successfully.

    Registry entries deleted on Reboot...
  15. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    What browser got redirected?
  16. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    The browser that got redirected was Firefox.
  17. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Can you check if IE is getting redirected as well?

    While in your wife account.....

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
  18. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    IE is not getting redirected only Firefox is getting redirected. I will run Gooredfix once I get home from work.

    Thanks again for all the help.
  19. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OK.................
  20. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    Here is the requested log:

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 16:45 on 09/01/2012 (Pam)
    Firefox version 9.0.1 (en-US)

    ========== GooredScan ==========

    Deleting "I:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\alte1tez.default\extensions\{e024531d-ac02-4e24-8bb3-56ae7b1ace04}" -> Success!

    ========== GooredLog ==========

    I:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [02:13 02/05/2011]
    {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} [00:56 09/01/2012]

    I:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\alte1tez.default\extensions\
    {20a82645-c095-46ed-80e3-08825760534b} [23:50 25/06/2010]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="i:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:10 15/08/2009]
    "caaphishtoolbar@ca.com"="I:\Program Files\CA\CA Internet Security Suite\CA Anti-Phishing\Toolbar\Firefox" [23:37 08/01/2012]
    "jqs@sun.com"="I:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:00 27/05/2010]

    -=E.O.F=-
  21. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    How is redirection now?
  22. kspot

    kspot Newcomer, in training Topic Starter Posts: 27

    Redirection is no longer a problem.
  23. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Good luck!


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.