TechSpot

Malware trouble, only Firefox will connect, constant pop-ups

Inactive
By Boogie Daddie
Apr 7, 2011
Topic Status:
Not open for further replies.
  1. A month or so ago I got infected with some sort of malware that caused constant pop-ups of "Your computer is infected click here to fix it". Most of these pop-ups seemed to mimic the built-in Windows Internet Security, but clicking on them would take you to a site to purchase some program. I also get a pop-up at startup every time that says Microsoft Windows Malicious Software Removal Tool needs my permission to continue. At the same time most of my internet-based programs stopped working. IE wouldn't connect at all; Windows Mail would download my mail, but wouldn't get any of the pictures embedded in the messages. When ripping CDs, Media Player couldn't connect to get album information. Firefox worked, but only after clicking "Run as administrator". A few weeks ago, the pop-ups stopped without my having done anything to affect them. I came across your site and downloaded all of the programs listed; the logs follow. The programs found several things, and after running them my IE and mail appear to be working and Media Player is gathering album information again. I am concerned, however, that something is still lurking in my computer. Any help is much appreciated,

    Boogie Daddie

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6304

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    4/7/2011 6:51:44 PM
    mbam-log-2011-04-07 (18-51-44).txt

    Scan type: Quick scan
    Objects scanned: 162162
    Time elapsed: 4 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\mdnkso81qq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\windows\system32\drivers\orpokalx.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    c:\Users\Lilheath\local settings\application data\evf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-04-07 19:29:31
    Windows 6.0.6000
    Running: gmer.exe; Driver: C:\Users\Lilheath\AppData\Local\Temp\uwlcrkow.sys


    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] orpokalx <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Type 1
    Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Start 0
    Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Group Boot Bus Extender

    ---- EOF - GMER 1.0.15 ----

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/6/2007 9:00:29 AM
    System Uptime: 4/7/2011 6:53:06 PM (1 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | Acacia
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2400/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 364 GiB total, 233.037 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1.196 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    3ivx D4 4.5.1 Decoder (remove only)
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Ask Toolbar
    AVS DVDMenu Editor 1.2.1.19
    AVS Video Tools 5.6
    CyberLink PowerDirector
    Digital Photo Navigator 1.5
    EA Download Manager
    EA Download Manager UI
    eMusic Download Manager 4.1.4
    Enhanced Multimedia Keyboard Solution
    Everio MediaBrowser
    Facebook Plug-In
    Final Media Player 2010
    GameTap
    Greeting Card Factory Deluxe 7.0
    Hardware Diagnostic Tools
    Hewlett-Packard Active Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Active Support Library 32 bit components
    HP Advisor
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Easy Setup - Frontend
    HP On-Screen Cap/Num/Scroll Lock Indicator
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Picasso Media Center Add-In
    HP Update
    Java(TM) SE Runtime Environment 6 Update 1
    Lexmark 2300 Series
    Lexmark Z700-P700 Series
    LG USB Modem driver
    LightScribe 1.6.45.1
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft FrontPage 2000
    Microsoft Office 2000 Professional
    Microsoft Office Home and Student 60 day trial
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Mozilla Firefox (3.5.17)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.0
    My HP Games
    Napster Download Manager
    NVIDIA Drivers
    Opera 10.61
    Oracle JInitiator 1.3.1.28
    PSSWCORE
    Python 2.5
    QuickTime
    Realtek High Definition Audio Driver
    Rhapsody
    Rhapsody Player Engine
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Encoder (KB954156)
    SimCity™ Societies
    SmartSound Quicktracks Plugin
    Snapfish Picture Mover
    Spelling Dictionaries Support For Adobe Reader 9
    SPORE™
    System Requirements Lab
    Ulead GIF Animator 5 TBYB
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VideoToolkit01
    WeatherBug Gadget
    Windows Media Encoder 9 Series
    World of Warcraft
    Yahoo! Search Protection
    Yahoo! Toolbar
    .
    ==== End Of File ===========================

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Lilheath at 19:30:11.60 on Thu 04/07/2011
    Internet Explorer: 7.0.6000.17037
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1096 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lxblcoms.exe
    C:\Windows\system32\lxcgcoms.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\system32\schtasks.exe
    C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\jusched.exe
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    C:\Program Files\Lexmark 2300 Series\ezprint.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k wdisvc
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Lilheath\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [mwptuym] rundll32.exe "c:\users\lilheath\appdata\roaming\chuygia.dll",pmcfiz
    uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [KBD] c:\hp\kbd\KbdStub.EXE
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
    mRun: [<NO NAME>]
    mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
    mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
    mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
    mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MRT] "c:\windows\system32\MRT.exe" /R
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mbcame~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    Trusted Zone: mercerhrs.com\ibenefitcenter
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
    DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
    DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\lilheath\appdata\roaming\mozilla\firefox\profiles\9q5nude7.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
    FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
    FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll
    FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\users\lilheath\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe -service --> c:\windows\system32\lxblcoms.exe -service [?]
    R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]
    R3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-4-7 94848]
    R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
    .
    =============== Created Last 30 ================
    .
    2011-04-07 22:56:57 94848 ----a-w- C:\uwlcrkow.sys
    2011-04-07 22:44:33 -------- d-----w- c:\users\lilheath\appdata\roaming\Malwarebytes
    2011-04-07 22:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-07 22:44:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-07 02:26:33 -------- d-----w- c:\program files\AVAST Software
    2011-04-07 02:26:33 -------- d-----w- c:\progra~2\AVAST Software
    2011-04-06 17:09:01 -------- d-----w- c:\users\lilheath\appdata\roaming\Unity
    2011-03-29 20:45:17 -------- d-----w- c:\users\lilheath\appdata\roaming\Inspiration Software
    2011-03-29 20:44:43 -------- d-----w- c:\program files\Inspiration 9
    2011-03-29 20:40:40 -------- d-----w- c:\users\lilheath\appdata\roaming\Softland
    2011-03-29 20:40:31 -------- d-----w- c:\program files\Softland
    2011-03-29 20:40:13 -------- d-----w- c:\progra~2\Inspiration 9
    .
    ==================== Find3M ====================
    .
    2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 19:30:28.08 ===============
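    The Malwarebytes and GMER entries above record four distinct mechanisms: the Start-menu browser commands for Firefox and IE rewritten to run evf.exe from AppData first, a proxy server planted in the user's Internet Settings, the "unknown file type" lookup URL redirected from shell.windows.com to a third-party host, and a hidden boot-start driver (orpokalx) whose service keys exist in every control set. The script below is an added example for this page, not part of the thread and not code from Malwarebytes or GMER; it parses those two log formats as printed, using lines copied from the logs above as sample input (the IE value is truncated as in the original and most ControlSetNNN blocks are left out), and reports what each entry means for the cleanup.

```python
"""Triage of the Malwarebytes and GMER log excerpts posted in this thread.
Added example for this page: not part of the original post and not code from
Malwarebytes or GMER. It parses the two log formats exactly as printed above."""
import re
from urllib.parse import urlparse

# Sample lines copied from the thread's logs (IE command value truncated as in
# the original; the other ControlSetNNN blocks omitted).
MBAM_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
c:\windows\system32\drivers\orpokalx.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
GMER_SAMPLE = r"""
Service (*** hidden *** ) [BOOT] orpokalx <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Start 0
"""

MBAM_LINE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.*)$")
BAD_GOOD = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
FIRST_EXE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)
BROWSER = re.compile(r"StartMenuInternet\\([^\\]+)\\", re.I)
# Paths a standard user can write to: a browser launcher living here is a hijack.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)
GMER_HIDDEN = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
GMER_REG = re.compile(r"^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^@]+)@(?P<val>\w+) (?P<data>.*)$")


def parse_mbam(text):
    """One dict per detection line: target, family and the Bad/Good values if present."""
    items = []
    for m in filter(None, (MBAM_LINE.match(ln.strip()) for ln in text.splitlines())):
        bg = BAD_GOOD.search(m["rest"])
        items.append({"target": m["target"], "family": m["family"],
                      "bad": bg["bad"] if bg else None, "good": bg["good"] if bg else None})
    return items


def parse_gmer(text):
    """Hidden services {name: start kind} and registry values per service and control set."""
    hidden, reg = {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        h, r = GMER_HIDDEN.match(line), GMER_REG.match(line)
        if h:
            hidden[h["name"].lower()] = h["start"]
        elif r:
            reg.setdefault(r["svc"].lower(), {}).setdefault(r["cs"], {})[r["val"]] = r["data"]
    return hidden, reg


def triage(mbam_text, gmer_text):
    """Return [(severity, message)] for the hijacks and rootkit traces in both logs."""
    findings, quarantined = [], set()
    for it in parse_mbam(mbam_text):
        fam, bad, good, target = it["family"], it["bad"], it["good"], it["target"]
        if fam == "Hijack.StartMenuInternet" and bad:
            exe = FIRST_EXE.search(bad)
            if exe and USER_WRITABLE.search(exe.group(1)):
                browser = BROWSER.search(target)
                findings.append(("HIGH", "%s launched through %s (a binary in a user-writable path)"
                                 % (browser.group(1) if browser else target, exe.group(1))))
        elif fam == "PUM.Bad.Proxy":
            findings.append(("MEDIUM", "system (WinINET) proxy set at %s; consistent with IE, Windows Mail "
                             "and Media Player failing to connect" % target))
        elif fam == "Hijacker.Application" and bad and good:
            bad_host, good_host = urlparse(bad).hostname, urlparse(good).hostname
            if bad_host != good_host:
                findings.append(("MEDIUM", "unknown-file-type lookup redirected from %s to %s" % (good_host, bad_host)))
        elif fam.startswith("Rootkit.") and target.lower().endswith(".sys"):
            name = target.rsplit("\\", 1)[-1][:-4].lower()
            quarantined.add(name)
            findings.append(("HIGH", "kernel driver %s quarantined; its service registration must go too" % name))

    hidden, reg = parse_gmer(gmer_text)
    for svc, start in hidden.items():
        sets = reg.get(svc, {})
        cur = sets.get("CurrentControlSet", {})
        why = ["hidden %s service" % start]
        if cur.get("Type") == "1" and cur.get("Start") == "0":
            why.append("boot-start kernel driver")
        if cur.get("Group") == "Boot Bus Extender":
            why.append("Boot Bus Extender group, loaded ahead of file-system and AV filter drivers")
        others = sorted(cs for cs in sets if cs != "CurrentControlSet")
        if others:
            why.append("also registered in %d other control set(s): %s" % (len(others), ", ".join(others)))
        if svc in quarantined:
            why.append("file quarantined by MBAM but these registry entries remain")
        findings.append(("CRITICAL", "%s: %s" % (svc, "; ".join(why))))
    return findings
```

    Calling `triage(MBAM_SAMPLE, GMER_SAMPLE)` yields six findings in log order. The two design points worth keeping when adapting this to other logs: a browser command is judged by where its first executable lives (AppData, ProgramData, Temp), not by the family name Malwarebytes assigned, and the GMER hidden-service entry is cross-referenced against the driver file Malwarebytes already quarantined, which is exactly the situation in this thread: the .sys file is gone, but its boot-start service keys, copied into fourteen other control sets, were still present when GMER ran half an hour later.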
  2. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Broni,

    Thanks for such a quick response. Here are the additional logs you requested:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: (build 6000), 32-bit
    Base Board Manufacturer: ASUSTek Computer INC.
    BIOS Manufacturer: Phoenix Technologies, LTD
    System Manufacturer: HP-Pavilion
    System Product Name: GN567AA-ABA s3220n
    Logical Drives Mask: 0x000001fc

    Kernel Drivers (total 149):
    0x82400000 \SystemRoot\system32\ntkrnlpa.exe
    0x827A2000 \SystemRoot\system32\hal.dll
    0x802C6000 \SystemRoot\system32\kdcom.dll
    0x802BD000 \SystemRoot\system32\PSHED.dll
    0x802B5000 \SystemRoot\system32\BOOTVID.dll
    0x8027A000 \SystemRoot\system32\CLFS.SYS
    0x8051F000 \SystemRoot\system32\CI.dll
    0x8026C000 \SystemRoot\System32\drivers\qeyr.sys
    0x804A4000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8025F000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8021C000 \SystemRoot\system32\drivers\acpi.sys
    0x80213000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x8020B000 \SystemRoot\system32\drivers\msisadrv.sys
    0x8047F000 \SystemRoot\system32\drivers\pci.sys
    0x80470000 \SystemRoot\system32\drivers\volmgr.sys
    0x80746000 \SystemRoot\System32\Drivers\orpokalx.sys
    0x80460000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80204000 \SystemRoot\system32\drivers\pciide.sys
    0x80452000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80408000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80400000 \SystemRoot\system32\drivers\atapi.sys
    0x80728000 \SystemRoot\system32\drivers\ataport.SYS
    0x8070B000 \SystemRoot\system32\drivers\nvstor32.sys
    0x806CB000 \SystemRoot\system32\drivers\storport.sys
    0x8069A000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8068A000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80681000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x87AFC000 \SystemRoot\system32\drivers\ndis.sys
    0x80656000 \SystemRoot\system32\drivers\msrpc.sys
    0x8061D000 \SystemRoot\system32\drivers\NETIO.SYS
    0x87CF8000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x87A92000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x87A5C000 \SystemRoot\system32\drivers\volsnap.sys
    0x80615000 \SystemRoot\System32\Drivers\spldr.sys
    0x80606000 \SystemRoot\System32\drivers\partmgr.sys
    0x87A4D000 \SystemRoot\System32\Drivers\mup.sys
    0x87A28000 \SystemRoot\System32\drivers\ecache.sys
    0x87A17000 \SystemRoot\system32\drivers\disk.sys
    0x87CD7000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x87A0E000 \SystemRoot\system32\drivers\crcdisk.sys
    0x88A03000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8B094000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x87C37000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x8B05D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8B8A5000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x88A62000 \SystemRoot\system32\DRIVERS\PS2.sys
    0x8B89A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x88A0E000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8B85D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8B84F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8B150000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x8B841000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x8B81A000 \SystemRoot\system32\DRIVERS\xcbda.sys
    0x8BF36000 \SystemRoot\system32\DRIVERS\ks.sys
    0x88B34000 \SystemRoot\system32\DRIVERS\BdaSup.SYS
    0x8C092000 \SystemRoot\system32\DRIVERS\xchal.sys
    0x8BEDE000 \SystemRoot\system32\DRIVERS\xcmem.sys
    0x8BE6B000 \SystemRoot\system32\DRIVERS\xcfe.sys
    0x8B808000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8C6FD000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
    0x8BE53000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8C8E1000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x8C65E000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8BE46000 \SystemRoot\System32\drivers\watchdog.sys
    0x8BE1B000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8BE10000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8C07B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8BE05000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8C058000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8B8B0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8C045000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8B8BF000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x88B0B000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8C62E000 \SystemRoot\system32\drivers\windrvr6.sys
    0x88B15000 \SystemRoot\system32\drivers\USBD.SYS
    0x8BF60000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8C02D000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8C8AD000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8B1B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8D20D000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8C601000 \SystemRoot\system32\drivers\portcls.sys
    0x8C888000 \SystemRoot\system32\drivers\drmk.sys
    0x8B0AF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8B000000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B007000 \SystemRoot\System32\Drivers\Beep.SYS
    0x88AE3000 \SystemRoot\System32\drivers\vga.sys
    0x8C827000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x886B8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x88650000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8C03A000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8C00F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8B0B8000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8D47B000 \SystemRoot\System32\drivers\tcpip.sys
    0x8D027000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8D012000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8D467000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8D420000 \SystemRoot\system32\drivers\afd.sys
    0x8D7CE000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8D40A000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8C001000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8D7BB000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8D780000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8BF6A000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8D729000 \SystemRoot\System32\Drivers\dfsc.sys
    0x88A3F000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8BF74000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0x88A18000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
    0x911CB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x8D649000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x8BF7E000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x8B0A6000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8B140000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8B038000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x911B9000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x95000000 \SystemRoot\System32\win32k.sys
    0x8BF88000 \SystemRoot\System32\drivers\Dxapi.sys
    0x91141000 \SystemRoot\system32\DRIVERS\netr73.sys
    0x8B8CE000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x80C00000 \SystemRoot\System32\TSDDD.dll
    0x80C10000 \SystemRoot\System32\cdd.dll
    0x818A5000 \SystemRoot\system32\drivers\luafv.sys
    0x99B72000 \SystemRoot\system32\drivers\spsys.sys
    0x8B110000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x99B07000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8BFA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x99AF4000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9A597000 \SystemRoot\system32\drivers\HTTP.sys
    0x99A19000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x99A00000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9A543000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9A523000 \SystemRoot\system32\drivers\mrxdav.sys
    0x9A505000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9A4CC000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9A4BA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9A496000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9ABAF000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9B122000 \SystemRoot\system32\drivers\peauth.sys
    0x8BFC4000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x8D566000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x8B9B2000 \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
    0x9A481000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x9AA1D000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
    0x8D571000 \SystemRoot\system32\drivers\tdtcp.sys
    0x8D058000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
    0x9BC9E000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0x81913000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x9AA05000 \??\C:\Users\Lilheath\AppData\Local\Temp\uwlcrkow.sys
    0x81117000 \??\C:\Users\Lilheath\AppData\Local\Temp\mbr.sys
    0x771F0000 \Windows\System32\ntdll.dll

    Processes (total 64):
    0 System Idle Process
    4 System
    480 C:\Windows\System32\smss.exe
    544 csrss.exe
    600 C:\Windows\System32\wininit.exe
    612 csrss.exe
    644 C:\Windows\System32\services.exe
    660 C:\Windows\System32\lsass.exe
    672 C:\Windows\System32\lsm.exe
    768 C:\Windows\System32\winlogon.exe
    856 C:\Windows\System32\svchost.exe
    896 C:\Windows\System32\nvvsvc.exe
    924 C:\Windows\System32\svchost.exe
    1016 C:\Windows\System32\svchost.exe
    1080 C:\Windows\System32\svchost.exe
    1096 C:\Windows\System32\svchost.exe
    1204 C:\Windows\System32\audiodg.exe
    1244 C:\Windows\System32\SLsvc.exe
    1284 C:\Windows\System32\svchost.exe
    1384 C:\Windows\System32\rundll32.exe
    1460 C:\Windows\System32\svchost.exe
    1668 C:\Windows\System32\spoolsv.exe
    1704 C:\Windows\System32\svchost.exe
    1928 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2000 C:\Windows\System32\lxblcoms.exe
    316 C:\Windows\System32\lxcgcoms.exe
    488 C:\Windows\System32\svchost.exe
    512 C:\Program Files\CyberLink\Shared files\RichVideo.exe
    844 C:\Windows\System32\svchost.exe
    1120 C:\Windows\System32\svchost.exe
    1416 C:\Windows\System32\SearchIndexer.exe
    2260 WUDFHost.exe
    2528 C:\Windows\System32\taskeng.exe
    2752 C:\Windows\System32\dwm.exe
    2808 C:\Windows\explorer.exe
    2844 C:\Windows\System32\taskeng.exe
    3120 C:\hp\support\hpsysdrv.exe
    3204 C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    3244 C:\Windows\RtHDVCpl.exe
    3300 C:\Windows\System32\schtasks.exe
    3320 C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
    3328 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    3344 C:\Windows\System32\rundll32.exe
    3368 C:\Windows\System32\jusched.exe
    3396 C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    3432 C:\Program Files\Lexmark 2300 Series\ezprint.exe
    3496 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    3524 C:\Program Files\Windows Sidebar\sidebar.exe
    3536 C:\Windows\ehome\ehtray.exe
    3560 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    3568 C:\Program Files\Windows Media Player\wmpnscfg.exe
    3592 C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
    3660 C:\Windows\ehome\ehmsas.exe
    3704 C:\Program Files\Windows Media Player\wmpnetwk.exe
    2976 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    3256 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    2488 C:\hp\KBD\kbd.exe
    3728 C:\Windows\System32\wuauclt.exe
    260 C:\Program Files\Internet Explorer\ieuser.exe
    1904 C:\Windows\System32\SearchProtocolHost.exe
    3772 C:\Windows\System32\SearchFilterHost.exe
    2988 dllhost.exe
    944 dllhost.exe
    328 C:\Users\Lilheath\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000005a`efda8000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHDT725040VLA, Rev: V5CO

    Size Device Name MBR Status
    --------------------------------------------
    372 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
    SHA1: 161E5DF10EB9B6EAC4AA8DF99305EF77B11BEBD8


    Done!

    ComboFix 11-04-07.08 - Lilheath 04/08/2011 12:18:52.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1026 [GMT -4:00]
    Running from: c:\users\Lilheath\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\arp.exe
    c:\windows\system32\jusched.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-08 16:16 . 2011-04-08 16:17 -------- d-----w- C:\32788R22FWJFW
    2011-04-07 22:56 . 2011-04-07 22:56 94848 ----a-w- C:\uwlcrkow.sys
    2011-04-07 22:44 . 2011-04-07 22:44 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Malwarebytes
    2011-04-07 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-07 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\programdata\AVAST Software
    2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\program files\AVAST Software
    2011-04-06 17:09 . 2011-04-06 17:09 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Unity
    2011-03-29 20:45 . 2011-03-29 20:45 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Inspiration Software
    2011-03-29 20:44 . 2011-03-29 20:45 -------- d-----w- c:\program files\Inspiration 9
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Softland
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\program files\Softland
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\programdata\Inspiration 9
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
    2011-02-02 22:11 . 2009-10-03 14:46 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
    "LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
    "lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
    "EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "MRT"="c:\windows\system32\MRT.exe" [2011-03-09 37943240]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R1 xaegahln;xaegahln;c:\windows\system32\drivers\xaegahln.sys [x]
    S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
    S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
    S3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-04-07 94848]
    S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - orpokalx
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-08 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
    .
    2011-04-07 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    Trusted Zone: mercerhrs.com\ibenefitcenter
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
    FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
    WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    HKCU-Run-mwptuym - c:\users\Lilheath\AppData\Roaming\chuygia.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-08 12:27
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
    "datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
    60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
    "rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-04-08 12:30:14
    ComboFix-quarantined-files.txt 2011-04-08 16:29
    .
    Pre-Run: 249,753,829,376 bytes free
    Post-Run: 249,678,835,712 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    - - End Of File - - 5A111E8297FDFD8223836A6A77EE1F2F
  4. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Uninstall Ask Toolbar, known foistware.

    I don't see any AV program running. I can see some Avast leftovers though.
    What's the story there?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\uwlcrkow.sys
    c:\windows\system32\drivers\xaegahln.sys
    
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    Trusted Zone: mercerhrs.com\ibenefitcenter
    
    Driver::
    xaegahln
    uwlcrkow
    
    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  5. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    I d/led Avast after my computer started going nutty at first, but it wouldn't complete setup since it couldn't connect to the internet. Thanks again for the help, will get these other steps completed ASAP and let ya know.
  6. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    OK, we'll get back to it after you run Combofix.
  7. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    I uninstalled the Ask toolbar, copied and pasted the script and dragged it into Combofix. Combofix ran like it did before. I left the computer, came back and was at a "Windows shut down unexpectedly" screen asking if I wanted to start normally, in safe mode, etc. When I went back into the computer I didn't see any Combofix logs anywhere. Should I try that part again?
  8. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Yes, please.
  9. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    When I ran the Combofix the most recent time it gave a prompt that there was a newer version available, and asked if I wanted to d/l it. Should I grab the new version, or stick with the one I have?
  10. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Always update, if asked.
  11. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Reran the Combofix by dragging the script file into it, rebooted and got the log which follows. Now none of my programs will open. I get an error saying they have been marked for deletion.

    ComboFix 11-04-12.01 - Lilheath 04/12/2011 17:12:09.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1301 [GMT -4:00]
    Running from: c:\users\Lilheath\Desktop\ComboFix.exe
    Command switches used :: c:\users\Lilheath\Desktop\CFScript.txt
    .
    FILE ::
    "C:\uwlcrkow.sys"
    "c:\windows\system32\drivers\xaegahln.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_UWLCRKOW
    -------\Service_xaegahln
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-12 21:20 . 2011-04-12 21:20 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-04-12 21:20 . 2011-04-12 21:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-12 21:09 . 2011-04-12 21:10 -------- d-----w- C:\32788R22FWJFW
    2011-04-07 22:44 . 2011-04-07 22:44 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Malwarebytes
    2011-04-07 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-07 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\programdata\AVAST Software
    2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\program files\AVAST Software
    2011-04-06 17:09 . 2011-04-06 17:09 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Unity
    2011-03-29 20:45 . 2011-03-29 20:45 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Inspiration Software
    2011-03-29 20:44 . 2011-03-29 20:45 -------- d-----w- c:\program files\Inspiration 9
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Softland
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\program files\Softland
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\programdata\Inspiration 9
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
    2011-02-02 22:11 . 2009-10-03 14:46 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
    "LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
    "lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
    "EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "MRT"="c:\windows\system32\MRT.exe" [2011-03-09 37943240]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
    S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
    S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - orpokalx
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-12 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
    .
    2011-04-12 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
    FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-12 18:11
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
    "datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
    60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
    "rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\lxcgcoms.exe
    c:\program files\CyberLink\Shared files\RichVideo.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\System32\rundll32.exe
    c:\windows\system32\schtasks.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-12 18:16:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-12 22:16
    ComboFix2.txt 2011-04-08 16:30
    .
    Pre-Run: 249,770,536,960 bytes free
    Post-Run: 249,582,768,128 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    - - End Of File - - 72593E030E5684FD4F91A9D15E5E6510
     
  12. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Simply restart the computer to fix the issue.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  13. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Thanks again, here's the latest log:

    ComboFix 11-04-13.04 - Lilheath 04/14/2011 9:36.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1066 [GMT -4:00]
    Running from: c:\users\Lilheath\Desktop\ComboFix.exe
    Command switches used :: c:\users\Lilheath\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-14 to 2011-04-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-14 13:44 . 2011-04-14 13:44 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-04-14 13:44 . 2011-04-14 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-07 22:44 . 2011-04-07 22:44 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Malwarebytes
    2011-04-07 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-07 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\programdata\AVAST Software
    2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\program files\AVAST Software
    2011-04-06 17:09 . 2011-04-06 17:09 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Unity
    2011-03-29 20:45 . 2011-03-29 20:45 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Inspiration Software
    2011-03-29 20:44 . 2011-03-29 20:45 -------- d-----w- c:\program files\Inspiration 9
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Softland
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\program files\Softland
    2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\programdata\Inspiration 9
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
    2011-02-02 22:11 . 2009-10-03 14:46 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
    "LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
    "lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
    "EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
    "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "MRT"="c:\windows\system32\MRT.exe" [2011-03-09 37943240]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
    S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
    S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - orpokalx
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-13 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
    .
    2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
    FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-14 09:44
    Windows 6.0.6000 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
    "datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
    60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
    "rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-04-14 09:46:45
    ComboFix-quarantined-files.txt 2011-04-14 13:46
    ComboFix2.txt 2011-04-12 22:16
    ComboFix3.txt 2011-04-08 16:30
    .
    Pre-Run: 248,693,051,392 bytes free
    Post-Run: 248,655,663,104 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    - - End Of File - - 81ADEE9D5A82FB03ACCA94731D5D680C
  14. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  15. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Here are the OTL logs:

    OTL logfile created on: 4/14/2011 2:28:32 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lilheath\Desktop
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.17037)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 363.75 Gb Total Space | 232.12 Gb Free Space | 63.81% Space Free | Partition Type: NTFS
    Drive D: | 8.86 Gb Total Space | 1.20 Gb Free Space | 13.50% Space Free | Partition Type: NTFS

    Computer Name: LILHEATH-PC | User Name: Lilheath | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
    PRC - [2008/10/29 02:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/09/03 15:04:22 | 000,541,976 | ---- | M] (PIXELA CORPORATION) -- C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
    PRC - [2008/01/15 11:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
    PRC - [2007/08/25 01:03:20 | 000,185,664 | ---- | M] () -- C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
    PRC - [2007/04/29 23:57:42 | 000,103,344 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 2300 Series\ezprint.exe
    PRC - [2007/04/29 23:55:32 | 000,205,744 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    PRC - [2007/04/29 23:54:44 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxcgcoms.exe
    PRC - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxblcoms.exe
    PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
    PRC - [2007/02/15 07:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    PRC - [2006/11/02 05:45:39 | 000,150,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
    MOD - [2006/11/02 05:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2007/04/29 23:54:44 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxcgcoms.exe -- (lxcg_device)
    SRV - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxblcoms.exe -- (lxbl_device)


    ========== Driver Services (SafeList) ==========

    DRV - [2009/03/16 21:45:53 | 000,194,362 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\windrvr6.sys -- (WinDriver6)
    DRV - [2008/11/11 13:42:00 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
    DRV - [2008/11/11 13:41:00 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
    DRV - [2008/11/11 13:41:00 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
    DRV - [2008/05/22 14:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/03/07 07:18:26 | 000,031,264 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap\bin\Release\X4HSX32.sys -- (X4HSX32)
    DRV - [2007/10/26 11:51:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2007/09/07 07:36:08 | 000,156,928 | ---- | M] (ViXS Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\xcbda.sys -- (xcbdaNtsc) ViXS Tuner Card (NTSC)
    DRV - [2007/08/31 14:54:04 | 000,464,384 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
    DRV - [2007/05/03 14:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2005/12/12 13:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/04/23 12:09:03 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2010/07/16 12:24:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/13 15:24:59 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/13 15:24:59 | 000,000,000 | ---D | M]

    [2008/12/04 14:47:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Extensions
    [2011/04/13 15:35:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\extensions
    [2010/05/01 14:21:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2008/12/04 14:46:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Apple iTunes Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_ITUNES@EMUSIC.COM
    [2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Nullsoft Winamp Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_WINAMP@EMUSIC.COM
    [2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Microsoft Media Player Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_WMP@EMUSIC.COM
    [2006/09/28 05:45:46 | 000,053,355 | ---- | M] (Oracle Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPJinit13128.dll

    O1 HOSTS File: ([2011/04/12 18:10:50 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2300 Series\ezprint.exe (Lexmark International Inc.)
    O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
    O4 - HKLM..\Run: [LXCGCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.DLL ()
    O4 - HKLM..\Run: [lxcgmon.exe] C:\Program Files\Lexmark 2300 Series\lxcgmon.exe (Lexmark International, Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
    O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe ()
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} http://www.worldwinner.com/games/v45/moneylist/moneylist.cab (MoneyList Control)
    O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab (Reg Error: Key error.)
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
    O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} http://www.worldwinner.com/games/v46/monopoly/monopoly.cab (Monopoly Control)
    O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} https://esis.ncwise.org/forms/jinitiator/jinit13128.exe (JInitiator 1.3.1.28)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Lilheath\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Lilheath\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/08/11 04:15:15 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.ac3acm - C:\Windows\System32\AC3ACM.acm (fccHandler)
    Drivers32: msacm.alf2cd - C:\Windows\System32\alf2cd.acm (NCT Company)
    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.scg726 - C:\Windows\System32\Scg726.acm (SHARP Corporation)
    Drivers32: msacm.voxacm160 - C:\Windows\System32\vct3216.acm (Voxware, Inc.)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.3IV2 - C:\Windows\System32\3ivxVfWCodec_dec.dll (3ivx.com)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\Windows\System32\divx.dll (DivXNetworks, Inc.)
    Drivers32: vidc.dvsd - C:\Windows\System32\mcdvd_32.dll (MainConcept)
    Drivers32: vidc.xvid - C:\Windows\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/04/14 14:13:43 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
    [2011/04/14 09:46:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/04/14 09:46:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/04/12 17:10:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/04/12 17:10:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/04/12 17:10:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/04/12 17:10:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/04/08 12:52:07 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\Documents\JVC
    [2011/04/08 12:47:29 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\Desktop\Malware Programs
    [2011/04/08 12:17:40 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/04/08 12:17:11 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/04/07 18:44:33 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Malwarebytes
    [2011/04/07 18:44:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/04/07 18:44:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/04/07 18:44:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/04/07 18:13:24 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe
    [2011/04/06 22:26:33 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/04/06 22:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/04/06 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Unity
    [2011/03/29 16:45:17 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Inspiration Software
    [2011/03/29 16:44:43 | 000,000,000 | ---D | C] -- C:\Program Files\Inspiration 9
    [2011/03/29 16:40:40 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Softland
    [2011/03/29 16:40:31 | 000,000,000 | ---D | C] -- C:\Program Files\Softland
    [2011/03/29 16:40:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Inspiration 9
    [2008/12/05 12:25:32 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxcginpa.dll
    [2008/12/05 12:25:32 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\lxcghcp.dll
    [2008/12/05 12:25:31 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxcgserv.dll
    [2008/12/05 12:25:31 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxcgusb1.dll
    [2008/12/05 12:25:31 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxcgiesc.dll
    [2008/12/05 12:25:31 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxcgprox.dll
    [2008/12/05 12:25:30 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxcgpmui.dll
    [2008/12/05 12:25:30 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxcglmpm.dll
    [2008/12/05 12:25:30 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxcgih.exe
    [2008/12/05 12:25:30 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxcgpplc.dll
    [2008/12/05 12:25:29 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxcghbn3.dll
    [2008/12/05 12:25:29 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxcgcomc.dll
    [2008/12/05 12:25:29 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxcgcoms.exe
    [2008/12/05 12:25:29 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxcgcomm.dll
    [2008/12/05 12:25:29 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxcgcfg.exe
    [2007/11/29 06:15:20 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxblserv.dll
    [2007/11/29 06:15:20 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxblusb1.dll
    [2007/11/29 06:15:20 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxblinpa.dll
    [2007/11/29 06:15:20 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbliesc.dll
    [2007/11/29 06:15:20 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBLhcp.dll
    [2007/11/29 06:15:19 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxblhbn3.dll
    [2007/11/29 06:15:19 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxblpmui.dll
    [2007/11/29 06:15:19 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbllmpm.dll
    [2007/11/29 06:15:19 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxblih.exe
    [2007/11/29 06:15:19 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxblprox.dll
    [2007/11/29 06:15:19 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxblpplc.dll
    [2007/11/29 06:15:18 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxblcomc.dll
    [2007/11/29 06:15:18 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxblcoms.exe
    [2007/11/29 06:15:18 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxblcomm.dll
    [2007/11/29 06:15:18 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxblcfg.exe
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/04/14 14:30:52 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\orpokalx.sys
    [2011/04/14 14:18:02 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/04/14 14:18:02 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
    [2011/04/14 12:31:33 | 000,618,410 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/04/14 12:31:33 | 000,103,818 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/04/14 12:18:13 | 000,000,392 | ---- | M] () -- C:\Windows\tasks\Final Media Player Update Checker.job
    [2011/04/14 12:18:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
    [2011/04/14 09:33:16 | 004,320,788 | R--- | M] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
    [2011/04/14 00:01:10 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
    [2011/04/12 18:10:50 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/04/09 15:52:01 | 000,400,928 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2011/04/09 15:51:13 | 275,160,944 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2011/04/07 18:13:24 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/04/12 17:10:17 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/04/12 17:10:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/04/12 17:10:17 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/04/12 17:10:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/04/12 17:10:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/04/08 11:43:31 | 004,320,788 | R--- | C] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
    [2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\Users\Lilheath\AppData\Local\1380560618
    [2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\ProgramData\1380560618
    [2010/08/23 11:38:08 | 000,000,628 | ---- | C] () -- C:\Windows\System32\MRT.INI
    [2010/01/03 17:54:41 | 000,741,376 | ---- | C] () -- C:\Windows\System32\drivers\orpokalx.sys
    [2009/03/06 22:16:20 | 000,036,962 | ---- | C] () -- C:\Windows\System32\ActPanel.dll
    [2008/12/05 12:25:32 | 000,274,432 | ---- | C] () -- C:\Windows\System32\lxcginst.dll
    [2008/09/23 13:38:55 | 000,000,680 | ---- | C] () -- C:\Users\Lilheath\AppData\Local\d3d9caps.dat
    [2008/09/06 14:52:35 | 000,524,288 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
    [2008/09/06 14:52:35 | 000,139,264 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
    [2007/11/29 06:15:20 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBLinst.dll
    [2007/11/09 11:52:40 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2007/11/02 01:06:29 | 000,002,640 | ---- | C] () -- C:\Users\Lilheath\AppData\Roaming\wklnhst.dat
    [2007/11/02 01:04:42 | 000,051,712 | ---- | C] () -- C:\Users\Lilheath\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/08/11 04:03:27 | 000,107,026 | ---- | C] () -- C:\Windows\hpqins13.dat
    [2007/08/11 03:47:01 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
    [2007/08/11 03:38:25 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
    [2007/08/11 03:38:25 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
    [2007/05/14 08:28:10 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
    [2007/02/22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxcgcoin.dll
    [2007/02/22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxblcoin.dll
    [2006/12/14 02:01:36 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
    [2006/12/14 02:01:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
    [2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 08:47:37 | 000,400,928 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 06:33:01 | 000,618,410 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 06:33:01 | 000,103,818 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2006/11/02 03:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2005/09/07 14:44:34 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxblvs.dll
    [2005/08/18 07:26:46 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxcgvs.dll
    [2005/03/13 15:32:14 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxcgcnv4.dll
    [2004/01/27 08:13:02 | 000,421,888 | ---- | C] () -- C:\Windows\System32\OpenQuicktimeLib_dec.dll
    [1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

    ========== LOP Check ==========

    [2009/08/08 00:24:24 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\AVSMedia
    [2009/08/17 20:56:27 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/04/23 12:09:04 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\eMusic
    [2010/06/14 19:50:52 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Facebook
    [2011/04/07 20:25:27 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\FinalMediaPlayer
    [2010/08/31 19:32:57 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\GetRightToGo
    [2011/03/29 16:45:17 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Inspiration Software
    [2007/11/14 21:19:07 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\iWin
    [2011/01/18 20:40:47 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\NCH Swift Sound
    [2010/08/15 18:09:46 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Opera
    [2007/10/27 22:54:26 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Snapfish
    [2011/03/29 16:40:40 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Softland
    [2008/09/07 16:23:09 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\SPORE
    [2007/11/02 01:06:49 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Template
    [2011/04/06 13:09:01 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Unity
    [2009/02/04 20:02:00 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Walgreens
    [2007/10/27 23:57:19 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\WildTangent
    [2007/11/05 19:57:15 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\WinBatch
    [2011/04/14 12:18:13 | 000,000,392 | ---- | M] () -- C:\Windows\Tasks\Final Media Player Update Checker.job
    [2011/04/14 12:16:53 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2011/04/14 00:01:10 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < * >
    [2007/08/11 04:15:15 | 000,000,074 | ---- | M] () -- \autoexec.bat
    [2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- \bootmgr
    [2007/08/11 04:24:04 | 000,008,192 | R-S- | M] () -- \BOOTSECT.BAK
    [2009/02/04 18:02:15 | 000,001,921 | ---- | M] () -- \CDFE.log
    [2011/04/14 09:46:46 | 000,008,997 | ---- | M] () -- \ComboFix.txt
    [2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- \config.sys
    [2010/04/12 17:02:12 | 000,000,125 | ---- | M] () -- \FINIS_IT.TXT
    [2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () --
    [2008/12/05 12:21:11 | 000,000,178 | ---- | M] () -- \lxcg.log
    [2007/11/02 01:35:25 | 000,000,000 | ---- | M] () -- \lxcgfire.000
    [2008/12/02 19:44:07 | 000,000,000 | ---- | M] () -- \lxcgfire.001
    [2008/12/05 12:07:09 | 000,000,000 | ---- | M] () -- \lxcgfire.002
    [2008/12/05 12:09:45 | 000,000,000 | ---- | M] () -- \lxcgfire.003
    [2008/12/05 12:10:51 | 000,000,000 | ---- | M] () -- \lxcgfire.004
    [2009/02/04 17:52:18 | 000,000,000 | ---- | M] () -- \lxcgfire.005
    [2009/02/04 18:02:14 | 000,000,000 | ---- | M] () -- \lxcgfire.csv
    [2007/11/02 01:37:36 | 000,000,291 | ---- | M] () -- \LXCGINST.000
    [2008/12/02 19:44:47 | 000,000,468 | ---- | M] () -- \LXCGINST.001
    [2008/12/05 12:07:44 | 000,000,468 | ---- | M] () -- \LXCGINST.002
    [2008/12/05 12:10:12 | 000,000,714 | ---- | M] () -- \LXCGINST.003
    [2008/12/05 12:11:16 | 000,000,714 | ---- | M] () -- \LXCGINST.004
    [2009/02/04 17:55:58 | 000,000,592 | ---- | M] () -- \LXCGINST.005
    [2009/02/04 18:02:27 | 000,000,139 | ---- | M] () -- \LXCGINST.csv
    [2008/12/05 12:21:19 | 000,299,717 | ---- | M] () -- \lxcgunst.csv
    [2011/04/14 12:17:54 | 2325,676,032 | -HS- | M] () --
    [2008/04/12 13:46:59 | 000,000,477 | ---- | M] () -- \RHDSetup.log
    [2010/08/31 20:00:53 | 000,000,271 | ---- | M] () -- \rkill.log
    [2011/02/04 15:08:07 | 000,010,799 | ---- | M] () -- \Setup Log.txt

    < %SYSTEMDRIVE%\*.* >
    [2007/08/11 04:15:15 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
    [2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- C:\bootmgr
    [2007/08/11 04:24:04 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2009/02/04 18:02:15 | 000,001,921 | ---- | M] () -- C:\CDFE.log
    [2011/04/14 09:46:46 | 000,008,997 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2010/04/12 17:02:12 | 000,000,125 | ---- | M] () -- C:\FINIS_IT.TXT
    [2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
    [2008/12/05 12:21:11 | 000,000,178 | ---- | M] () -- C:\lxcg.log
    [2007/11/02 01:35:25 | 000,000,000 | ---- | M] () -- C:\lxcgfire.000
    [2008/12/02 19:44:07 | 000,000,000 | ---- | M] () -- C:\lxcgfire.001
    [2008/12/05 12:07:09 | 000,000,000 | ---- | M] () -- C:\lxcgfire.002
    [2008/12/05 12:09:45 | 000,000,000 | ---- | M] () -- C:\lxcgfire.003
    [2008/12/05 12:10:51 | 000,000,000 | ---- | M] () -- C:\lxcgfire.004
    [2009/02/04 17:52:18 | 000,000,000 | ---- | M] () -- C:\lxcgfire.005
    [2009/02/04 18:02:14 | 000,000,000 | ---- | M] () -- C:\lxcgfire.csv
    [2007/11/02 01:37:36 | 000,000,291 | ---- | M] () -- C:\LXCGINST.000
    [2008/12/02 19:44:47 | 000,000,468 | ---- | M] () -- C:\LXCGINST.001
    [2008/12/05 12:07:44 | 000,000,468 | ---- | M] () -- C:\LXCGINST.002
    [2008/12/05 12:10:12 | 000,000,714 | ---- | M] () -- C:\LXCGINST.003
    [2008/12/05 12:11:16 | 000,000,714 | ---- | M] () -- C:\LXCGINST.004
    [2009/02/04 17:55:58 | 000,000,592 | ---- | M] () -- C:\LXCGINST.005
    [2009/02/04 18:02:27 | 000,000,139 | ---- | M] () -- C:\LXCGINST.csv
    [2008/12/05 12:21:19 | 000,299,717 | ---- | M] () -- C:\lxcgunst.csv
    [2011/04/14 12:17:54 | 2325,676,032 | -HS- | M] () -- C:\pagefile.sys
    [2008/04/12 13:46:59 | 000,000,477 | ---- | M] () -- C:\RHDSetup.log
    [2010/08/31 20:00:53 | 000,000,271 | ---- | M] () -- C:\rkill.log
    [2011/02/04 15:08:07 | 000,010,799 | ---- | M] () -- C:\Setup Log.txt

    < %systemroot%\Fonts\*.com >
    [2006/11/02 08:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 08:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 08:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2006/11/02 08:37:12 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 17:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2007/03/23 03:10:00 | 000,117,760 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\lxblpp5c.dll
    [2007/01/30 07:32:46 | 000,118,272 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\lxcgpp5c.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/12/13 09:53:28 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/04/01 08:06:48 | 000,000,286 | -HS- | M] () -- C:\Users\Lilheath\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/04/14 09:33:16 | 004,320,788 | R--- | M] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
    [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
    [2011/04/07 18:13:24 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2007/09/06 09:00:55 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
    [2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
    [2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
    [2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
    [2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
    [2007/09/06 09:00:25 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2007/10/28 16:16:08 | 000,000,402 | -HS- | M] () -- C:\Users\Lilheath\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/03/11 10:57:32 | 000,010,658 | -HS- | M] () -- C:\ProgramData\1380560618
    [2007/08/11 04:03:47 | 000,000,343 | ---- | M] () -- C:\ProgramData\hpzinstall.log
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-09 08:27:50


    < * >
    [2007/08/11 04:15:15 | 000,000,074 | ---- | M] () -- \autoexec.bat
    [2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- \bootmgr
    [2007/08/11 04:24:04 | 000,008,192 | R-S- | M] () -- \BOOTSECT.BAK
    [2009/02/04 18:02:15 | 000,001,921 | ---- | M] () -- \CDFE.log
    [2011/04/14 09:46:46 | 000,008,997 | ---- | M] () -- \ComboFix.txt
    [2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- \config.sys
    [2010/04/12 17:02:12 | 000,000,125 | ---- | M] () -- \FINIS_IT.TXT
    [2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () --
    [2008/12/05 12:21:11 | 000,000,178 | ---- | M] () -- \lxcg.log
    [2007/11/02 01:35:25 | 000,000,000 | ---- | M] () -- \lxcgfire.000
    [2008/12/02 19:44:07 | 000,000,000 | ---- | M] () -- \lxcgfire.001
    [2008/12/05 12:07:09 | 000,000,000 | ---- | M] () -- \lxcgfire.002
    [2008/12/05 12:09:45 | 000,000,000 | ---- | M] () -- \lxcgfire.003
    [2008/12/05 12:10:51 | 000,000,000 | ---- | M] () -- \lxcgfire.004
    [2009/02/04 17:52:18 | 000,000,000 | ---- | M] () -- \lxcgfire.005
    [2009/02/04 18:02:14 | 000,000,000 | ---- | M] () -- \lxcgfire.csv
    [2007/11/02 01:37:36 | 000,000,291 | ---- | M] () -- \LXCGINST.000
    [2008/12/02 19:44:47 | 000,000,468 | ---- | M] () -- \LXCGINST.001
    [2008/12/05 12:07:44 | 000,000,468 | ---- | M] () -- \LXCGINST.002
    [2008/12/05 12:10:12 | 000,000,714 | ---- | M] () -- \LXCGINST.003
    [2008/12/05 12:11:16 | 000,000,714 | ---- | M] () -- \LXCGINST.004
    [2009/02/04 17:55:58 | 000,000,592 | ---- | M] () -- \LXCGINST.005
    [2009/02/04 18:02:27 | 000,000,139 | ---- | M] () -- \LXCGINST.csv
    [2008/12/05 12:21:19 | 000,299,717 | ---- | M] () -- \lxcgunst.csv
    [2011/04/14 12:17:54 | 2325,676,032 | -HS- | M] () --
    [2008/04/12 13:46:59 | 000,000,477 | ---- | M] () -- \RHDSetup.log
    [2010/08/31 20:00:53 | 000,000,271 | ---- | M] () -- \rkill.log
    [2011/02/04 15:08:07 | 000,010,799 | ---- | M] () -- \Setup Log.txt

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\rewards.ppt:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\011411-160105[1].mp3:TOC.WMV
    @Alternate Data Stream - 270 bytes -> C:\Windows\System32\drivers\hajqkyws.sys:changelist

    < End of report >
  16. Boogie Daddie

    And the 2nd log:

    OTL Extras logfile created on: 4/14/2011 2:28:32 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lilheath\Desktop
    Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6000.17037)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 363.75 Gb Total Space | 232.12 Gb Free Space | 63.81% Space Free | Partition Type: NTFS
    Drive D: | 8.86 Gb Total Space | 1.20 Gb Free Space | 13.50% Space Free | Partition Type: NTFS

    Computer Name: LILHEATH-PC | User Name: Lilheath | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
    "{00120409-78E1-11D2-B60F-006097C998E7}" = Microsoft FrontPage 2000
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{029B5901-1F27-4347-9923-E8ACC8F54E15}" = Snapfish Picture Mover
    "{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
    "{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5
    "{0A47BAFF-D4FF-4BD3-96CA-02A22EA62722}" = HP Active Support Library
    "{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}" = SimCity™ Societies
    "{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
    "{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
    "{14AF024E-2E3B-49D0-A175-D1C1A06B155A}" = muvee autoProducer 6.0
    "{1E99F5D7-4262-4C7C-9135-F066E7485811}" = System Requirements Lab
    "{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
    "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
    "{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
    "{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
    "{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
    "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
    "{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
    "{55D6B4DA-50E9-47AF-99C1-9A8E3A234763}" = Greeting Card Factory Deluxe 7.0
    "{5CA03ECF-B4A6-464B-9F5D-64D8B61B083F}" = Everio MediaBrowser
    "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
    "{67E158AF-8856-4337-B483-EA21930786AF}" = GameTap
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
    "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{73A43E42-3658-4DD9-8551-FACDA3632538}" = HP Advisor
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
    "{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
    "{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5 TBYB
    "{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
    "{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
    "{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
    "{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
    "{B6ADA0E4-9451-43EB-B86E-878AD9E68D4F}" = LightScribe 1.6.45.1
    "{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
    "{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
    "{CAFECAFE-0013-0001-0128-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.28
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF9CD37C-E29A-11D5-AE3D-005004B8E30C}" = Digital Photo Navigator 1.5
    "{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
    "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
    "{E7C97E98-4C2D-BEAF-5D2F-CC45A2F95D90}" = Acrobat.com
    "{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
    "{F07737AC-C218-4272-A678-26CA5F6CD8DF}" = Opera 10.61
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
    "3ivx D4 4.5.1 Decoder" = 3ivx D4 4.5.1 Decoder (remove only)
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "AVS DVDMenu Editor_is1" = AVS DVDMenu Editor 1.2.1.19
    "AVS Video Tools 5_is1" = AVS Video Tools 5.6
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
    "EA Download Manager" = EA Download Manager
    "eMusic Download Manager" = eMusic Download Manager 4.1.4
    "FinalMediaPlayer_is1" = Final Media Player 2010
    "HP Photosmart Essential" = HP Photosmart Essential 2.01
    "InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
    "Lexmark 2300 Series" = Lexmark 2300 Series
    "Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.5.18)" = Mozilla Firefox (3.5.18)
    "NVIDIA Drivers" = NVIDIA Drivers
    "OfficeTrial" = Microsoft Office Home and Student 60 day trial
    "OsdMaestro" = HP On-Screen Cap/Num/Scroll Lock Indicator
    "PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
    "Rhapsody" = Rhapsody
    "SystemRequirementsLab" = System Requirements Lab
    "WildTangent hp Master Uninstall" = My HP Games
    "Windows Media Encoder 9" = Windows Media Encoder 9 Series
    "World of Warcraft" = World of Warcraft
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Search Defender" = Yahoo! Search Protection
    "Yahoo! Toolbar" = Yahoo! Toolbar

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "61240c64869513c2" = Napster Download Manager
    "Facebook Plug-In" = Facebook Plug-In

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
  17. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    I don't see any AV program running.
    Please, install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    Update, run full scan, report on any findings.

    ========================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirements...qlabdetect.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
      [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
      [2011/04/14 14:30:52 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\orpokalx.sys
      @Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\rewards.ppt:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\011411-160105[1].mp3:TOC.WMV
      @Alternate Data Stream - 270 bytes -> C:\Windows\System32\drivers\hajqkyws.sys:changelist
      
      :Services
      
      :Reg
      [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
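    As an added example (not part of this thread, and not OTL's own code): a small Python script that reads the Security Center, System Restore and Firewall sections in the layout the OTL report above uses and flags the values a helper checks first, such as the `"DisableMonitoring" = 1` under `Security Center\Monitoring` that the :Reg part of the fix in this post deletes. The report text is a constructed excerpt, not the poster's log; the value names are the ones the log shows.

    ```python
    import re
    from typing import Dict, List, Tuple

    # Constructed excerpt in the layout OTL uses for these sections. The key and
    # value names are the ones in the thread's log; the values are chosen so one
    # firewall profile is clean and one is tampered with.
    SAMPLE_REPORT = """\
    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Monitoring]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc]
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile]
    "DisableNotifications" = 1
    "EnableFirewall" = 0
    """

    SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
    KEY_RE = re.compile(r"^\[(.+)\]$")
    VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

    Settings = Dict[str, Dict[str, str]]       # registry key -> {value name: value}
    Finding = Tuple[str, str, str, str]        # key, value name, value, reason


    def parse_otl_settings(report: str) -> Dict[str, Settings]:
        """Group the '"name" = value' lines of an OTL report under their
        registry key and under the '========== ... ==========' section heading."""
        sections: Dict[str, Settings] = {}
        section = key = None
        for raw in report.splitlines():
            line = raw.strip()
            if not line:
                continue
            if m := SECTION_RE.match(line):
                section, key = m.group(1), None
                sections.setdefault(section, {})
            elif (m := KEY_RE.match(line)) and section is not None:
                key = m.group(1)
                sections[section].setdefault(key, {})
            elif (m := VALUE_RE.match(line)) and section is not None and key is not None:
                sections[section][key][m.group(1)] = m.group(2).strip()
        return sections


    def check_protection_settings(sections: Dict[str, Settings]) -> List[Finding]:
        """Flag values that switch off or silence the OS's own protections.
        Expected values are the ones the thread's log shows for a healthy
        setting: 0 for every Disable*/Override value, 1 for EnableFirewall."""
        findings: List[Finding] = []
        for key, values in sections.get("Security Center Settings", {}).items():
            for name, value in values.items():
                if name == "DisableMonitoring" and value == "1":
                    findings.append((key, name, value, "Security Center monitoring is disabled"))
                elif name.endswith("Override") and value == "1":
                    findings.append((key, name, value, "Security Center told to ignore this protection"))
                elif name.endswith("DisableNotify") and value == "1":
                    findings.append((key, name, value, "Security Center warnings are silenced"))
        for key, values in sections.get("System Restore Settings", {}).items():
            if values.get("DisableSR") == "1":
                findings.append((key, "DisableSR", "1", "System Restore is disabled"))
        for key, values in sections.get("Firewall Settings", {}).items():
            enabled = values.get("EnableFirewall")
            if enabled is not None and enabled != "1":
                findings.append((key, "EnableFirewall", enabled, "Windows Firewall is off for this profile"))
            if values.get("DisableNotifications") == "1":
                findings.append((key, "DisableNotifications", "1", "firewall notifications are silenced"))
        return findings


    def audit(report: str) -> List[Finding]:
        """Parse an OTL report and return the protection settings worth a second look."""
        return check_protection_settings(parse_otl_settings(report))


    if __name__ == "__main__":
        for key, name, value, why in audit(SAMPLE_REPORT):
            print(f'{why}: [{key}] "{name}" = {value}')
    ```

    Run against a full OTL report the same way; sections the script does not know about are parsed but not checked.
    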
  18. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Are you still out there?
  19. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Sorry for the delay. I'm having new problems now. I d/led and installed Avast, updated my Java and removed old Java with JavaRa. After restarting the computer I got a blue screen after loading Windows saying that it couldn't load up properly. I tried it a few more times and could never get it to load. It goes up through me selecting my Windows user and then to the blue screen. I started in safe mode, and am there now. Ran Avast and it has 1 bad file, orco something, but it can't fix it. I'm going to run OTL again with the new script in the last post and will let you know what I find afterwards.
  20. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    OK :).........
  21. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Reopened....
  22. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Ran OTL again with the fix, when computer restarted, it came back to the blue screen. I took a picture with my cell phone, will try to get it uploaded. It goes by way too quick to read what is on it.
  23. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    Try to restart manually (power button).
  24. Boogie Daddie

    Boogie Daddie TS Rookie Topic Starter Posts: 20

    Restarted manually, still getting blue screen. I have attached a pic of the screen that I'm getting.

    Thanks as always,

    Boogie Daddie

    Attached Files:

  25. Broni

    Broni Malware Annihilator Posts: 46,765   +254

    I can't really see from your picture what the stop number is.

    Did you try Safe Mode, Last Known Good Configuration?