Google redirect, did 8 steps and here are the logs

Solved
By evecaffeine
Jul 2, 2010
Topic Status:
Not open for further replies.
  1. First off thank you.

    For 2 weeks I've had a "redirect" from any search engine. Random links on a results page redirect when clicked, and sometimes a new browser window opens.

    I ran "McAfee OAS" several times a week, and it kept reporting "deleted 28 trojans."

    I tried system restore, and the problem went back into history with me.

    I deleted anything my Ex put on my computer (specifically porn and games like "casino" or "pogo") as well as any instant messengers.

    Nothing worked so I googled "google redirect", and found this forum. Learnt a little about rootkits.

    Followed 8 Steps. It took over 3 days (I have small kids and can't be online but in spurts of time; hope this won't be a problem that I didn't do it all at once).

    Here are my logs, I attached the text docs because it was too long to post when I copy-pasted.

    Thanks again for taking the time to look over this problem with me, I appreciate it.


    Here are the MBAM and GMER logs.





    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4264

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/1/2010 12:23:32 PM
    mbam-log-2010-07-01 (12-23-32).txt

    Scan type: Quick scan
    Objects scanned: 145855
    Time elapsed: 1 hour(s), 51 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)




    GMER Log:


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-01 18:26:27
    Windows 5.1.2600 Service Pack 3
    Running: zojucpx7.exe; Driver: C:\DOCUME~1\EVECAF~1\LOCALS~1\Temp\agtyiuod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xECA1DCD2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xECA1DB8E]
    SSDT F0D7ACBC ZwCreateThread
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xECA1E142]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xECA1E06C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xECA1D764]
    SSDT F0D7ACDA ZwLoadKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xECA1DC68]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xECA1D6A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xECA1D708]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xECA1DD88]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xECA1E210]
    SSDT F0D7ACE4 ZwReplaceKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xECA1DD48]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xECA1DEC8]

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF72E0020]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF72E0039]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xECA2A9C0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF72E0137]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF72E0121]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xECA2AAFA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF72E014D]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF72E0179]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF72DFFE4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF72DFFF8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF72E01BA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF72E010B]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF72E0061]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF72E004D]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF72E000C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF72E0163]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP ECA2AAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP ECA2A9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP ECA265B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP ECA27F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 063D000A
    .text C:\WINDOWS\System32\svchost.exe[1316] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\Explorer.EXE[2112] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[2112] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[2112] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\WINDOWS\system32\wuauclt.exe[2652] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\system32\wuauclt.exe[2652] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\wuauclt.exe[2652] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[964] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
    IAT C:\WINDOWS\system32\services.exe[964] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----

    Attached Files:

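As an added example (not code from the thread, from GMER, or from the helper), a small Python triage script for the GMER log format posted above: it parses the SSDT, Code, kernel-inline, user-inline and IAT hook lines, groups kernel hooks by the driver GMER attributes them to, and lists what still has to be resolved by hand, since GMER reports no owner for bare-address SSDT entries or for user-mode inline hooks. The embedded sample is an excerpt of the log in this post; the field names and the `triage` output layout are this example's own.

```python
"""Triage helper for GMER 1.0.15 rootkit-scan logs (added example, not the thread's code)."""
import re
from collections import defaultdict

# "SSDT <driver> (<vendor>) <Function> [0xADDR]"  or bare  "SSDT <ADDR> <Function>"
SSDT_CODE_RE = re.compile(
    r"^(SSDT|Code)\s+(\S+)(?:\s+\(([^)]*)\))?\s+(\w+)(?:\s+\[0x([0-9A-Fa-f]+)\])?$")
# "PAGE image!Func ADDR N Bytes JMP TARGET <driver> (<vendor>)"
KERNEL_INLINE_RE = re.compile(
    r"^PAGE\s+(\S+)!(\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+([0-9A-Fa-f]+)"
    r"(?:\s+(\S+)(?:\s+\(([^)]*)\))?)?$")
# ".text <process>[pid] module!Func ADDR N Bytes JMP TARGET"
USER_INLINE_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\w+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+([0-9A-Fa-f]+)$")
# "IAT <process>[pid] @ <module> [dll!Func] TARGET"
IAT_RE = re.compile(r"^IAT\s+(.+?)\[(\d+)\]\s+@\s+\S+\s+\[(\S+)!(\w+)\]\s+([0-9A-Fa-f]+)$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_gmer(text):
    """Return one dict per hook line; section headers and blank lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = SSDT_CODE_RE.match(line)
        if m:
            kind, owner, vendor, func, addr = m.groups()
            bare = BARE_ADDR_RE.match(owner) is not None  # GMER printed only an address
            hooks.append({"kind": kind, "function": func, "vendor": vendor,
                          "owner": None if bare else owner, "target": owner if bare else addr})
            continue
        m = KERNEL_INLINE_RE.match(line)
        if m:
            image, func, target, owner, vendor = m.groups()
            hooks.append({"kind": "PAGE", "function": f"{image}!{func}",
                          "vendor": vendor, "owner": owner, "target": target})
            continue
        for kind, rx in ((".text", USER_INLINE_RE), ("IAT", IAT_RE)):
            m = rx.match(line)
            if m:  # user-mode hooks: GMER names no owning module for these
                proc, pid, module, func, target = m.groups()
                hooks.append({"kind": kind, "process": f"{proc}[{pid}]", "owner": None,
                              "function": f"{module}!{func}", "target": target})
                break
    return hooks


def triage(text):
    """Group kernel hooks by owning driver and list what needs manual resolution."""
    hooks = parse_gmer(text)
    by_owner, per_process = defaultdict(list), defaultdict(list)
    shared, findings = defaultdict(set), []
    for h in hooks:
        if h["kind"] in ("SSDT", "Code", "PAGE"):
            by_owner[h["owner"] or "<unattributed>"].append(h["function"])
            if h["owner"] is None:
                findings.append(f'{h["kind"]} {h["function"]} -> {h["target"]}: no owning '
                                "driver reported; resolve the address to a driver first")
        else:
            per_process[h["process"]].append((h["function"], h["target"]))
            if h["kind"] == ".text":
                shared[(h["function"], h["target"])].add(h["process"])
    # The same API jumping to the same absolute address in several processes is
    # consistent with one component installing its hook wherever it gets loaded.
    for (func, target), procs in sorted(shared.items()):
        if len(procs) > 1:
            findings.append(f"{func} -> {target} hooked identically in {len(procs)} "
                            "processes; identify the module at that address in each")
    return {"hooks": len(hooks), "by_owner": dict(by_owner),
            "per_process": dict(per_process), "findings": findings}


# Excerpt of the GMER log posted in this thread (lines copied verbatim).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xECA1DCD2]
SSDT F0D7ACBC ZwCreateThread
SSDT F0D7ACDA ZwLoadKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xECA1D6A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF72E0020]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP ECA2AAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\Explorer.EXE[2112] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\wuauclt.exe[2652] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[964] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)["findings"]:
        print("REVIEW:", item)
```

Hooks attributed to a named driver are not judged here; the script only separates what GMER has already attributed from what an analyst still has to map to a module.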
  2. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    You're running two AV programs, Avira and McAfee. One of them has to go. Your choice.
    When done...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    I uninstalled McAfee, and left Avira. Thank you.

    ComboFix log attached.

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 45,208   +243

  5. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    Haven't had any more redirects or random windows, I believe it's probably solved. Thanks SO much for your help! I just wish I knew how this got on my computer in the first place.

    And I used the McAfee remover. I didn't know that about McAfee.

    Thanks again, this saved me so much frustration.
  6. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    I'm glad to hear good news, but we're not done yet :)
    We have to make sure your computer is totally clean.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  7. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    OTL Extras logfile created on: 7/3/2010 1:29:03 PM - Run 1
    OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Eve Caffeine\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,023.00 Mb Total Physical Memory | 606.00 Mb Available Physical Memory | 59.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 23.70 Gb Free Space | 63.61% Space Free | Partition Type: NTFS
    Unable to calculate disk information.
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: 2POINT1DELL
    Current User Name: Eve Caffeine
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "_PDF WRITER" = _PDF WRITER
    "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
    "{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = TIPCI
    "{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 20
    "{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}" = Windows Live Photo Gallery
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
    "{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.3
    "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}" = Paint.NET v3.5.5
    "{FC57FC53-104C-415C-98D7-B05E659461A9}" = Broadcom Gigabit Integrated Controller
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "avast5" = avast! Free Antivirus
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
    "CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = Texas Instruments PCIxx21/x515/xx12 drivers.
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft.Net.Client.3.5" = Microsoft .NET Framework Client Profile
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "UnityWebPlayer" = Unity Web Player
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinZip" = WinZip
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 3/21/2022 10:34:28 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:37:15 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:37:15 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:37:30 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 3/21/2022 10:37:42 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:37:52 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:37:57 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:38:06 AM | Computer Name = DELL2POINT1 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/21/2022 10:49:41 AM | Computer Name = DELL2POINT1 | Source = Application Error | ID = 1000
    Description = Faulting application ad-aware.exe, version 7.1.0.11, faulting module
    ad-aware.exe, version 7.1.0.11, fault address 0x0014b4ec.

    Error - 6/13/2009 12:43:02 PM | Computer Name = 2POINT1DELL | Source = McLogEvent | ID = 5004
    Description =

    [ System Events ]
    Error - 3/21/2022 10:37:18 AM | Computer Name = DELL2POINT1 | Source = W32Time | ID = 39452706
    Description = The time service has detected that the system time needs to be changed
    by -410227195 seconds. The time service will not change the system time by more
    than -54000 seconds. Verify that your time and time zone are correct, and that
    the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.197.32:123)
    is working properly.

    Error - 6/11/2009 7:37:57 PM | Computer Name = 2POINT1DELL | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x80070643: Internet Explorer 8 for Windows XP.

    Error - 10/22/2009 9:42:51 PM | Computer Name = 2POINT1DELL | Source = Service Control Manager | ID = 7034
    Description = The Intel(R) PROSet/Wireless SSO Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 10/22/2009 9:42:52 PM | Computer Name = 2POINT1DELL | Source = Service Control Manager | ID = 7034
    Description = The Intel(R) PROSet/Wireless Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 10/22/2009 9:42:53 PM | Computer Name = 2POINT1DELL | Source = Service Control Manager | ID = 7034
    Description = The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 12/29/2009 8:10:08 PM | Computer Name = 2POINT1DELL | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.139 for the Network Card with network
    address 0014A531C28E has been denied by the DHCP server 0.0.0.0 (The DHCP Server
    sent a DHCPNACK message).

    Error - 12/30/2009 5:43:37 PM | Computer Name = 2POINT1DELL | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.148 for the Network Card with network
    address 0014A531C28E has been denied by the DHCP server 192.168.1.1 (The DHCP Server
    sent a DHCPNACK message).

    Error - 1/1/2010 2:26:54 PM | Computer Name = 2POINT1DELL | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetBT_Tcpip_{8DF02E36-D3D9-4F2F-B641-4376B9FC4765}
    because another computer on the network has the same name. The server could not
    start.


    < End of report >
  8. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    OTL logfile created on: 7/3/2010 1:29:03 PM - Run 1
    OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Eve Caffeine\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,023.00 Mb Total Physical Memory | 606.00 Mb Available Physical Memory | 59.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 23.70 Gb Free Space | 63.61% Space Free | Partition Type: NTFS
    Unable to calculate disk information.
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: 2POINT1DELL
    Current User Name: Eve Caffeine
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/07/03 13:17:03 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    PRC - [2010/06/28 15:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/07/20 17:53:52 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/07/03 13:17:03 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (TomTomHOMEService)
    SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2007/07/20 17:53:52 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2007/10/09 20:17:42 | 001,123,328 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2007/07/22 15:41:06 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2006/04/06 16:49:00 | 000,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
    DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
    DRV - [2005/07/06 23:02:18 | 001,132,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/05/03 16:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
    DRV - [2005/05/03 16:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2005/05/03 16:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2005/03/10 17:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
    DRV - [2001/08/17 13:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 02 C6 6C 39 AB 10 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    O1 HOSTS File: ([2010/07/03 08:40:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
    O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
    O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (EPUImageControl Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/11/18 18:36:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
  9. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/07/03 13:16:52 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    [2010/07/03 12:46:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2010/07/03 08:44:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/07/03 08:06:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/07/03 02:55:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/07/03 02:55:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/07/03 02:55:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/07/03 02:55:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/07/03 02:55:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/07/03 02:54:33 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/07/02 23:07:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents\My Videos
    [2010/07/01 16:49:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Avira
    [2010/07/01 10:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Malwarebytes
    [2010/07/01 10:06:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/07/01 10:06:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/07/01 09:23:43 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\TFC.exe
    [2010/06/29 15:19:28 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
    [2010/06/29 01:09:32 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/06/29 01:09:31 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/06/29 01:09:28 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/06/29 01:09:26 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/06/29 01:09:22 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/06/29 01:09:22 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/06/29 01:09:21 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/06/29 01:07:07 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/06/29 01:06:07 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/06/29 01:06:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/06/28 23:41:51 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/06/28 23:41:32 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/06/28 23:41:31 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/06/28 23:41:30 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/06/28 23:41:29 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/06/28 23:41:19 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/06/28 23:41:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/06/28 23:33:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Desktop\TechSpot 8 step
    [2010/06/27 12:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Sun
    [2010/06/26 14:38:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2010/06/26 14:38:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/06/24 15:57:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Paint.NET
    [2010/06/22 20:07:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Unity
    [2010/06/22 12:09:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/06/22 11:12:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Adobe
    [2010/06/21 16:29:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\IECompatCache
    [2010/06/20 14:27:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Macromedia
    [2010/06/20 14:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Dell
    [2010/06/20 14:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Adobe
    [2010/06/20 14:03:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Yahoo
    [2010/06/20 14:03:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\PrivacIE
    [2010/06/20 13:36:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\yahoo!
    [2010/06/20 13:34:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Identities
    [2010/06/20 13:34:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents\My Pictures
    [2010/06/20 13:34:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents\Music
    [2010/06/20 13:33:49 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft
    [2010/06/20 13:33:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data
    [2010/06/20 13:33:49 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\Favorites
    [2010/06/20 13:33:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\IETldCache
    [2010/06/20 13:33:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\Cookies
    [2010/06/20 13:33:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Desktop
    [2010/06/20 13:33:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\SendTo
    [2010/06/20 13:33:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\Recent
    [2010/06/20 13:33:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\Start Menu
    [2010/06/20 13:33:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\Templates
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\PrintHood
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\NetHood
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings
    [2010/06/20 13:33:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Microsoft
    [2010/06/20 13:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/20 13:31:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\croe
    [2010/06/13 01:56:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe(2)
    [2010/06/07 15:12:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(3)
    [2010/06/03 17:32:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
    [2010/06/03 14:46:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/06/03 12:16:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/05/31 15:46:55 | 000,000,000 | ---D | C] -- C:\Config.Msi

    ========== Files - Modified Within 90 Days ==========

    [2022/03/21 09:32:46 | 000,001,855 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Desktop\Anti-Virus.lnk
    [2010/07/03 15:25:00 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EFE7E038-736C-4AC0-BE9C-CBFD9D8AF79D}.job
    [2010/07/03 13:17:03 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    [2010/07/03 12:53:55 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2010/07/03 12:41:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/07/03 12:40:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/07/03 12:38:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/07/03 12:36:18 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\Eve Caffeine\NTUSER.DAT
    [2010/07/03 12:36:18 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Eve Caffeine\ntuser.ini
    [2010/07/03 12:36:10 | 002,688,276 | -H-- | M] () -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\IconCache.db
    [2010/07/03 08:40:23 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/07/03 08:40:11 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/07/03 08:06:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/07/03 05:31:12 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/07/02 23:06:29 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2010/07/02 22:49:23 | 000,007,168 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/07/01 10:16:28 | 000,001,620 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/07/01 09:23:48 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\TFC.exe
    [2010/06/29 15:19:35 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/06/29 01:09:33 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Desktop\avast! Free Antivirus.lnk
    [2010/06/28 15:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
    [2010/06/28 15:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/06/28 15:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/06/28 12:24:29 | 000,432,924 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/28 12:24:28 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/28 12:24:28 | 000,067,714 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/06/26 01:36:58 | 000,123,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/06/24 17:42:10 | 000,000,812 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Paint.NET.lnk
    [2010/06/24 17:40:22 | 000,020,160 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/06/24 14:13:00 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Desktop\Notepad.lnk
    [2010/06/22 11:11:51 | 000,000,789 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/06/21 09:10:17 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
    [2010/06/20 13:35:31 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/06/20 13:35:31 | 000,000,803 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Desktop\Teh Interwebz.lnk
    [2010/06/20 13:35:24 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

    ========== Files Created - No Company Name ==========

    [2022/03/21 09:32:46 | 000,001,855 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Desktop\Anti-Virus.lnk
    [2010/07/03 12:18:51 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
    [2010/07/03 08:06:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/07/03 08:06:26 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/07/03 02:55:54 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/07/03 02:55:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/07/03 02:55:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/07/03 02:55:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/07/03 02:55:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/07/02 23:06:28 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2010/06/29 01:09:33 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Desktop\avast! Free Antivirus.lnk
    [2010/06/24 17:42:10 | 000,000,812 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Paint.NET.lnk
    [2010/06/24 15:18:30 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/06/22 20:08:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/06/20 14:08:27 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Desktop\Teh Interwebz.lnk
    [2010/06/20 13:35:31 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/06/20 13:35:24 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2010/06/20 13:33:54 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Eve Caffeine\ntuser.ini
    [2010/06/20 13:33:50 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\Eve Caffeine\Desktop\Notepad.lnk
    [2010/06/20 13:33:48 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\Eve Caffeine\NTUSER.DAT.LOG
    [2010/06/20 13:33:47 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\Eve Caffeine\NTUSER.DAT
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/03/21 09:28:32 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\custmon2k.dll
    [2008/11/18 20:03:03 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/11/18 19:44:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/11/18 19:15:36 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
    [2008/11/18 18:53:49 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
    [2008/11/18 18:53:48 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll

    ========== LOP Check ==========

    [2010/06/29 01:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/03/15 08:36:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Media
    [2010/03/20 07:34:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/03/14 04:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
    [2010/07/03 15:25:00 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{EFE7E038-736C-4AC0-BE9C-CBFD9D8AF79D}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2008/11/18 18:36:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2008/11/18 18:30:24 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/07/03 08:06:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
    [2008/11/18 18:36:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2008/11/18 18:36:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2008/11/18 18:36:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/11/18 18:53:44 | 000,022,729 | ---- | M] () -- C:\newfile.enc
    [2008/11/18 18:53:44 | 000,022,729 | ---- | M] () -- C:\newkey
    [2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/11/18 21:51:43 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/03/23 10:07:56 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
    [2010/03/23 10:07:56 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG
    [2010/07/03 12:38:23 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2009/10/22 20:41:26 | 000,000,200 | ---- | M] () -- C:\WirelessDiagLog.csv

    < %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

    < %systemroot%\system32\*.wt >

    < %systemroot%\system32\*.ruy >

    < %systemroot%\Fonts\*.com >
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/11/18 13:24:46 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/11/18 13:24:46 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/11/18 13:24:46 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %systemroot%\system32\user32.dll /md5 >
    [2008/04/13 19:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

    < %systemroot%\system32\ws2_32.dll /md5 >
    [2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

    < %systemroot%\system32\ws2help.dll /md5 >
    [2008/04/13 19:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    ========== Alternate Data Streams ==========
  10. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    We still have two AV programs running. This time, Avira and Avast.
    Uninstall one of them before proceeding further.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
      O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab  (Reg Error: Key error.)
      @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:23BEBB72
      @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:96F344DB
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  11. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:23BEBB72 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:96F344DB deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.2POINT1DELL
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Backup
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Eve Caffeine
    ->Temp folder emptied: 2973429 bytes
    ->Temporary Internet Files folder emptied: 20749151 bytes
    ->Java cache emptied: 2023 bytes
    ->Flash cache emptied: 6867 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 456 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 8972 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    Session Manager Temp folder emptied: 132252 bytes
    Session Manager Tmp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 54045020 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 3752081 bytes

    Total Files Cleaned = 78.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: Administrator.2POINT1DELL

    User: All Users

    User: Backup

    User: Default User

    User: Eve Caffeine
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 07032010_231159

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  12. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    OTL logfile created on: 7/3/2010 11:27:30 PM - Run 2
    OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Eve Caffeine\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,023.00 Mb Total Physical Memory | 675.00 Mb Available Physical Memory | 66.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.25 Gb Total Space | 23.40 Gb Free Space | 62.82% Space Free | Partition Type: NTFS
    Unable to calculate disk information.
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: 2POINT1DELL
    Current User Name: Eve Caffeine
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/07/03 13:17:03 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/07/20 17:53:52 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/07/03 13:17:03 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (TomTomHOMEService)
    SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2007/07/20 17:53:52 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


    ========== Driver Services (SafeList) ==========

    DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2007/10/09 20:17:42 | 001,123,328 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2007/07/22 15:41:06 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2006/04/06 16:49:00 | 000,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
    DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
    DRV - [2005/07/06 23:02:18 | 001,132,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/05/03 16:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
    DRV - [2005/05/03 16:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
    DRV - [2005/05/03 16:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2005/03/10 17:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
    DRV - [2001/08/17 13:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 02 C6 6C 39 AB 10 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    O1 HOSTS File: ([2010/07/03 23:13:50 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
    O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (EPUImageControl Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/11/18 18:36:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/07/03 23:11:59 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/07/03 17:13:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\PCHealth
    [2010/07/03 13:16:52 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\OTL.exe
    [2010/07/03 08:44:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/07/03 08:06:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/07/03 02:55:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/07/03 02:55:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/07/03 02:55:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/07/03 02:55:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/07/03 02:55:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/07/03 02:54:33 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/07/02 23:07:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents\My Videos
    [2010/07/01 16:49:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Avira
    [2010/07/01 10:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Malwarebytes
    [2010/07/01 10:06:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/07/01 10:06:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/07/01 09:23:43 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eve Caffeine\Desktop\TFC.exe
    [2010/06/29 01:06:07 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/06/29 01:06:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/06/28 23:41:51 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/06/28 23:41:32 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/06/28 23:41:31 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/06/28 23:41:30 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/06/28 23:41:29 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/06/28 23:41:19 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/06/28 23:41:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/06/28 23:33:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Desktop\TechSpot 8 step
    [2010/06/27 12:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Sun
    [2010/06/26 14:38:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2010/06/26 14:38:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/06/24 15:57:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Paint.NET
    [2010/06/22 20:07:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Unity
    [2010/06/22 12:09:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/06/22 11:12:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Adobe
    [2010/06/21 16:29:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\IECompatCache
    [2010/06/20 14:27:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Macromedia
    [2010/06/20 14:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Dell
    [2010/06/20 14:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Adobe
    [2010/06/20 14:03:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Yahoo
    [2010/06/20 14:03:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\PrivacIE
    [2010/06/20 13:36:33 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\yahoo!
    [2010/06/20 13:34:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Identities
    [2010/06/20 13:34:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents\My Pictures
    [2010/06/20 13:34:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents\Music
    [2010/06/20 13:33:49 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Eve Caffeine\Application Data\Microsoft
    [2010/06/20 13:33:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\Application Data
    [2010/06/20 13:33:49 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\Favorites
    [2010/06/20 13:33:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\IETldCache
    [2010/06/20 13:33:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Eve Caffeine\Cookies
    [2010/06/20 13:33:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Desktop
    [2010/06/20 13:33:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\SendTo
    [2010/06/20 13:33:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eve Caffeine\Recent
    [2010/06/20 13:33:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\Start Menu
    [2010/06/20 13:33:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Eve Caffeine\My Documents
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\Templates
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\PrintHood
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\NetHood
    [2010/06/20 13:33:48 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings
    [2010/06/20 13:33:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eve Caffeine\Local Settings\Application Data\Microsoft
    [2010/06/20 13:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/20 13:31:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\croe
    [2010/06/13 01:56:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe(2)
    [2010/06/07 15:12:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(3)
    [2010/06/03 17:32:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
    [2010/06/03 14:46:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/06/03 12:16:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/05/31 15:46:55 | 000,000,000 | ---D | C] -- C:\Config.Msi
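As an added illustration (not code from the thread, from OTL's author, or from any tool named above), here is a small triage helper that reads the sections of an OTL log most often behind a search-engine redirect: O1 hosts-file entries, O17 DNS resolvers and O2 browser helper objects. The first five sample lines are copied from the log above; the remaining sample lines, the placeholder GUID and DLL name, and the trusted-resolver networks are constructed assumptions.

```python
"""Triage the redirect-relevant lines of an OTL log: O1 Hosts, O17 DNS, O2 BHO."""
import ipaddress
import re

# Constructed sample. The first five lines are copied from the OTL log in the thread;
# the last four are made up (documentation-range IPs, an all-zero GUID, a placeholder
# DLL name) to show what a hosts-file redirect, a blocked security site, a BHO with no
# company name and a replaced DNS resolver look like in the same format.
SAMPLE_OTL = r"""O1 HOSTS File: ([2010/07/03 23:13:50 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O1 - Hosts: 198.51.100.7 www.google.com
O1 - Hosts: 127.0.0.1 www.malwarebytes.org
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\placeholder.dll ()
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.53
"""

# Resolvers on the LAN (a home router) or on loopback are expected. They are listed
# explicitly rather than via ip_address.is_private, which also covers documentation ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10")]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"^O17 - .*?:\s*(?:Dhcp)?NameServer\s*=\s*(.+)$")
# OTL prints the file's company name in a trailing "(...)"; "()" means none was found.
BHO_RE = re.compile(
    r"^O2 - BHO:\s*\((.*?)\)\s*-\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.*?)\s*\(([^()]*)\)\s*$")


def _parse_ip(text):
    """Return an ip_address, or None when the token is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def triage_otl(log_text, trusted_resolvers=()):
    """Return (category, detail) findings for lines that deserve a second look.

    trusted_resolvers: CIDR strings for the DNS servers this machine is expected to
    use (the ISP's or the organisation's). LAN and loopback resolvers are accepted.
    """
    accepted = LAN_NETS + [ipaddress.ip_network(net) for net in trusted_resolvers]
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = HOSTS_RE.match(line)
        if m:
            ip_text, host = m.groups()
            # A clean hosts file only maps localhost. Any other entry either sends a
            # site elsewhere or, when pointed at loopback, blocks it (classically an
            # antivirus vendor's update or download site).
            if host.lower() != "localhost":
                addr = _parse_ip(ip_text)
                kind = "blocked" if addr is not None and addr.is_loopback else "redirected"
                findings.append(("hosts", f"{host} {kind} to {ip_text}"))
            continue

        m = DNS_RE.match(line)
        if m:
            for token in m.group(1).split():
                addr = _parse_ip(token)
                if addr is None:
                    findings.append(("dns", f"unparseable resolver entry {token!r}"))
                elif not any(addr in net for net in accepted):
                    findings.append(("dns", f"resolver {addr} is not a trusted resolver"))
            continue

        m = BHO_RE.match(line)
        if m:
            name, guid, path, company = m.groups()
            if not company.strip() or "File not found" in path:
                findings.append(("bho", f"{guid} ({name}) at {path} has no company name"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_otl(SAMPLE_OTL, ("68.105.28.0/24", "68.105.29.0/24")):
        print(f"[{category}] {detail}")
```

Pass the resolver networks you expect for the machine; without them every public DNS server in the log is reported, which is the safe default when the expected resolvers are unknown.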
  13. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    Good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to the Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  14. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, July 5, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, July 04, 2010 18:22:01
    Records in database: 4246361
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 44047
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 02:03:24


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pcmcia.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

    Selected area has been scanned.
  15. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ========================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
  16. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    Quick question - now that I've done the Kaspersky scan, is the "threat" and/or "infected object" removed? I.e., does Kaspersky remove them, or just show you what it is and where to find it? I am asking because I ran the scan twice: the first time it showed the one / one infected items, and then before I could click to view or save the log, I had a 2-year-old grab the keyboard, so I lost it. I just clicked to scan it again; it took less time but it still showed the same results, so I put up the logs and went on to the next step - cleaned up OTL and deleted the other tools and logs... as well as the other numbered steps. Except Defrag, I will do that tonight though.

    (Basically my question is, "so is it really, really over?")

    My computer is running much better now, no more sites getting redirected or random windows popping up, or any kind of "virus alerts" etc. Also I am no longer getting the balloons at the bottom right stating that things are out of date or turned off or other weirdnesses. I like the Avira much better than the McAfee as well - it's a lot more user-friendly and it notifies me more and basically seems more reassuring.

    The computer is not shared anymore (a lot of these problems could be related to someone else's use of my system and tweaking it to allow certain content to be downloaded or viewed), and now it feels much more secure, especially after I read the "how to avoid" points and followed the suggestions. I knew I had pretty good internet-sense before, but now I realize I didn't have the right level of back-up protection on my computer. So thank you.

    Thank you so much for your wonderfully clear directions and quick responses. I am very, very grateful for this resource and I can't thank you enough. Thank you some more.
  17. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    You're very welcome and I'm glad to hear good news :)
    The Kaspersky scanner doesn't remove anything, and I prefer it that way, because a false positive may always happen, so I want to see first what was found and then remove it manually.
    In your case, we didn't remove that one item found, because it was found in the Combofix quarantine folder and OTL Cleanup removes that folder.

    Good luck and stay safe :)
  18. evecaffeine

    evecaffeine Newcomer, in training Topic Starter

    Ah! wonderful! Thank you again :)
  19. Broni

    Broni Malware Annihilator Posts: 45,208   +243

    You're very welcome