Inactive Malware trouble, only Firefox will connect, constant pop-ups

I am in Safe Mode, have not tried Last Known Good Configuration. I'm not doing anything at this point without prior instructions. How do I get to the Last Known Good Configuration?
 
Please post a fresh ComboFix log.
To do that, restart the computer in Safe Mode with Networking, just in case ComboFix asks for an update.
 
Ran ComboFix; after rebooting into normal Windows I got a similar blue screen with a different stop code, rebooted into Safe Mode and got the following ComboFix log. Will probably be out for the rest of the night; thanks again for all of your help:

ComboFix 11-05-08.02 - Lilheath 05/08/2011 15:33:40.5.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1484 [GMT -4:00]
Running from: c:\users\Lilheath\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\orpokalx.sys . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_orpokalx
-------\Service_orpokalx
.
.
((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
.
.
2011-05-08 19:42 . 2011-05-08 19:49 -------- d-----w- c:\users\Lilheath\AppData\Local\temp
2011-05-08 19:42 . 2011-05-08 19:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-05-08 19:42 . 2011-05-08 19:42 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-05-08 19:42 . 2011-05-08 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-24 23:59 . 2011-04-24 23:59 -------- d-----w- C:\_OTL
2011-04-22 15:53 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-22 15:53 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-22 15:53 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-22 15:53 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-22 15:53 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-22 15:53 . 2011-04-18 17:13 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-22 15:52 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-04-22 15:52 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-22 15:37 . 2011-04-22 15:36 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-22 15:37 . 2011-04-22 15:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-08 19:51 . 2010-01-03 21:54 741376 ----a-w- c:\windows\system32\drivers\orpokalx.sys
2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MRT"="c:\windows\system32\MRT.exe" [2011-04-15 39828936]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
"OTL"="c:\users\Lilheath\Desktop\OTL.exe" [2011-04-14 580608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 hxjpqkia;hxjpqkia;c:\windows\system32\drivers\hxjpqkia.sys [x]
R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
S3 CFcatchme;CFcatchme;c:\users\Lilheath\AppData\Local\Temp\CFcatchme.sys [x]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - orpokalx
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
.
2011-04-22 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-08 15:49
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
"rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-08 15:55:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-08 19:55
ComboFix2.txt 2011-04-14 13:46
ComboFix3.txt 2011-04-12 22:16
ComboFix4.txt 2011-04-08 16:30
.
Pre-Run: 252,108,857,344 bytes free
Post-Run: 251,972,988,928 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- - End Of File - - FBBC1B868A1617A022370EBD408B48AD
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\orpokalx.sys
c:\windows\system32\drivers\hxjpqkia.sys

Rootkit::
c:\windows\system32\drivers\orpokalx.sys
c:\windows\system32\drivers\hxjpqkia.sys

Folder::

Driver::
orpokalx
hxjpqkia

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
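As an added example, not part of this thread and not ComboFix's own code, the following Python script parses the kind of log posted above and flags the two things that motivated the CFScript in this reply: a driver file ComboFix could not delete while its service was being torn down (the image was still loaded, so a plain file delete cannot work), and drivers with random-looking eight-letter names whose file could not be read. The line shapes follow ComboFix's output; the heuristics and flag names are assumptions of this example, and the embedded sample is a constructed excerpt of the first log in the thread, not a complete log. Expect false positives: ComboFix's own CFcatchme driver in Temp trips the path check.

```python
"""Triage a ComboFix log: pull out driver/service entries, deletion results
and removed services, then flag what deserves a closer look. Line shapes
follow what ComboFix prints; the heuristics are ours, not the tool's."""
import re
from dataclasses import dataclass, field

# "R1 hxjpqkia;hxjpqkia;c:\windows\system32\drivers\hxjpqkia.sys [x]"
# start type, service name, display name, image path, then "[date size]"
# or "[x]" when ComboFix could not find or read the file on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
FAILED_DELETE_RE = re.compile(r"^(?P<path>.+?)\s+(?:\.\s+)+Failed to delete\s*$")
REMOVED_RE = re.compile(r"^-------\\(?:Legacy|Service)_(?P<name>\S+)$")
DEREGISTERED_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
# Eight lowercase letters and no descriptive display name: the naming
# pattern of both drivers in this thread. A weak signal on its own.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    file_present: bool
    flags: list = field(default_factory=list)


@dataclass
class TriageReport:
    services: list = field(default_factory=list)
    failed_deletes: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    deregistered: list = field(default_factory=list)

    @property
    def suspicious(self):
        return [s for s in self.services if s.flags]

    @property
    def persistent(self):
        # Service torn down but file survived deletion: image still loaded,
        # which is the case for a reboot-time Rootkit::/Driver:: removal.
        torn_down = {n.lower() for n in self.removed + self.deregistered}
        stems = (p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
                 for p in self.failed_deletes)
        return sorted({s for s in stems if s in torn_down})


def unusual_location(path: str) -> bool:
    """True for an absolute path outside Windows\\ or Program Files\\."""
    p = path.lower()
    if not p or "\\" not in p:
        return False  # empty or bare filename: resolved under system32\drivers
    return not (p.startswith("c:\\windows\\") or p.startswith("c:\\program files\\"))


def triage(log_text: str) -> TriageReport:
    report = TriageReport()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            entry = ServiceEntry(m["start"], m["name"], m["display"], m["path"],
                                 file_present=m["meta"].strip() != "x")
            if not entry.file_present:
                entry.flags.append("no-file-on-disk")
            if RANDOM_NAME_RE.match(entry.name) and entry.display == entry.name:
                entry.flags.append("random-looking-name")
            if unusual_location(entry.path):
                entry.flags.append("unusual-path")
            report.services.append(entry)
        elif m := FAILED_DELETE_RE.match(line):
            report.failed_deletes.append(m["path"])
        elif m := REMOVED_RE.match(line):
            report.removed.append(m["name"])
        elif m := DEREGISTERED_RE.match(line):
            report.deregistered.append(m["name"])
    return report


# Constructed excerpt: the relevant lines of the first log in this thread,
# with the filler removed. Not a complete ComboFix log.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\orpokalx.sys . . . . Failed to delete
-------\Legacy_orpokalx
-------\Service_orpokalx
R1 aswSnx;aswSnx; [x]
R1 hxjpqkia;hxjpqkia;c:\windows\system32\drivers\hxjpqkia.sys [x]
R2 aswFsBlk;aswFsBlk;aswFsBlk.sys [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
S3 CFcatchme;CFcatchme;c:\users\Lilheath\AppData\Local\Temp\CFcatchme.sys [x]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
*Deregistered* - orpokalx
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for s in rep.suspicious:
        print(f"{s.start} {s.name:<10} {', '.join(s.flags):<32} {s.path}")
    print("still-loaded drivers needing reboot-time removal:", rep.persistent)
```

On the sample, `persistent` comes back as `orpokalx` only: its file failed to delete in the same run that removed its service and deregistered it from memory, which is the situation the Rootkit:: and Driver:: directives above address. The `[x]` entries for the avast drivers are leftovers of an uninstalled product and are flagged only for the missing file, not for their names.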
 
OK, the computer restarted into normal mode successfully after re-running ComboFix with that script. I'm not seeing a new log from ComboFix though. There is a log on my desktop, but it is from a run done in April.
 
New log file from today:

ComboFix 11-05-11.01 - Lilheath 05/11/2011 16:08:19.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1318 [GMT -4:00]
Running from: c:\users\Lilheath\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\orpokalx.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ORPOKALX
-------\Service_hxjpqkia
-------\Service_orpokalx
-------\Legacy_orpokalx
-------\Service_orpokalx
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-11 20:24 . 2011-05-11 20:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-05-11 20:24 . 2011-05-11 20:24 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-05-11 20:24 . 2011-05-11 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-09 19:28 . 2011-05-09 19:28 -------- d-----w- c:\users\Lilheath\AppData\Local\Temp(165)
2011-04-24 23:59 . 2011-04-24 23:59 -------- d-----w- C:\_OTL
2011-04-22 15:37 . 2011-04-22 15:36 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-22 15:37 . 2011-04-22 15:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MRT"="c:\windows\system32\MRT.exe" [2011-04-18 42181064]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 17:16
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
"rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxcgcoms.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\vssvc.exe
.
**************************************************************************
.
Completion time: 2011-05-11 17:21:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 21:21
ComboFix2.txt 2011-05-08 19:55
ComboFix3.txt 2011-04-14 13:46
ComboFix4.txt 2011-04-12 22:16
ComboFix5.txt 2011-05-09 19:19
.
Pre-Run: 250,517,557,248 bytes free
Post-Run: 250,466,185,216 bytes free
.
- - End Of File - - A3CD1376853D3904D41023D1E09CF100
 
Perfect!

Any current issues?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OK, so current issues:
I still keep getting a lot of pop-ups from the Windows Security Center, but I'm not sure if they're legit. These are ones that come on when I boot up, from the shortcut tray at the bottom right of the screen, informing me that my computer is unprotected. I also have a pop-up on boot that says my Windows Malicious Software Tool needs my permission to run. This has been happening since I first started having the problems, so I've been denying it permission.

Here is the OTL log. For some reason I don't seem to have an Extras log; there was one on the PC, but it was from a previous run.


OTL Log:
OTL logfile created on: 5/14/2011 3:28:01 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lilheath\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.75 Gb Total Space | 231.66 Gb Free Space | 63.69% Space Free | Partition Type: NTFS
Drive D: | 8.86 Gb Total Space | 1.20 Gb Free Space | 13.50% Space Free | Partition Type: NTFS

Computer Name: LILHEATH-PC | User Name: Lilheath | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
PRC - [2009/02/02 22:07:18 | 000,240,544 | R--- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10b.exe
PRC - [2008/10/29 02:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/03 15:04:22 | 000,541,976 | ---- | M] (PIXELA CORPORATION) -- C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
PRC - [2008/01/15 11:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/08/25 01:03:20 | 000,185,664 | ---- | M] () -- C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
PRC - [2007/04/29 23:57:42 | 000,103,344 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 2300 Series\ezprint.exe
PRC - [2007/04/29 23:55:32 | 000,205,744 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
PRC - [2007/04/29 23:54:44 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxcgcoms.exe
PRC - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxblcoms.exe
PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
PRC - [2007/02/15 07:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
PRC - [2006/11/02 05:45:39 | 000,150,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe


========== Modules (SafeList) ==========

MOD - [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
MOD - [2006/11/02 05:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2007/04/29 23:54:44 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxcgcoms.exe -- (lxcg_device)
SRV - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxblcoms.exe -- (lxbl_device)


========== Driver Services (SafeList) ==========

DRV - [2009/03/16 21:45:53 | 000,194,362 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2008/11/11 13:42:00 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2008/11/11 13:41:00 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2008/11/11 13:41:00 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2008/05/22 14:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/03/07 07:18:26 | 000,031,264 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap\bin\Release\X4HSX32.sys -- (X4HSX32)
DRV - [2007/10/26 11:51:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/09/07 07:36:08 | 000,156,928 | ---- | M] (ViXS Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\xcbda.sys -- (xcbdaNtsc) ViXS Tuner Card (NTSC)
DRV - [2007/08/31 14:54:04 | 000,464,384 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
DRV - [2007/05/03 14:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2005/12/12 13:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/04/23 12:09:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2010/07/16 12:24:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/13 14:45:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/13 14:45:49 | 000,000,000 | ---D | M]

[2008/12/04 14:47:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Extensions
[2011/05/14 14:50:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\extensions
[2011/05/09 20:31:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/09 08:32:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/22 11:37:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Apple iTunes Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_ITUNES@EMUSIC.COM
[2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Nullsoft Winamp Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_WINAMP@EMUSIC.COM
[2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Microsoft Media Player Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_WMP@EMUSIC.COM
[2011/04/22 11:36:31 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2006/09/28 05:45:46 | 000,053,355 | ---- | M] (Oracle Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPJinit13128.dll

O1 HOSTS File: ([2011/05/11 17:16:13 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2300 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [LXCGCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.DLL ()
O4 - HKLM..\Run: [lxcgmon.exe] C:\Program Files\Lexmark 2300 Series\lxcgmon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} http://www.worldwinner.com/games/v45/moneylist/moneylist.cab (MoneyList Control)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} http://www.worldwinner.com/games/v46/monopoly/monopoly.cab (Monopoly Control)
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} https://esis.ncwise.org/forms/jinitiator/jinit13128.exe (JInitiator 1.3.1.28)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Lilheath\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Lilheath\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/11 04:15:15 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.ac3acm - C:\Windows\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\Windows\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\Windows\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.voxacm160 - C:\Windows\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.3IV2 - C:\Windows\System32\3ivxVfWCodec_dec.dll (3ivx.com)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.dvsd - C:\Windows\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.xvid - C:\Windows\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/05/11 17:21:58 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/05/11 17:16:15 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/05/09 15:28:25 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Local\Temp(165)
[2011/04/24 19:59:13 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/22 11:40:11 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\Desktop\JavaRa
[2011/04/22 11:38:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2008/12/05 12:25:32 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxcginpa.dll
[2008/12/05 12:25:32 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\lxcghcp.dll
[2008/12/05 12:25:31 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxcgserv.dll
[2008/12/05 12:25:31 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxcgusb1.dll
[2008/12/05 12:25:31 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxcgiesc.dll
[2008/12/05 12:25:31 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxcgprox.dll
[2008/12/05 12:25:30 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxcgpmui.dll
[2008/12/05 12:25:30 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxcglmpm.dll
[2008/12/05 12:25:30 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxcgih.exe
[2008/12/05 12:25:30 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxcgpplc.dll
[2008/12/05 12:25:29 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxcghbn3.dll
[2008/12/05 12:25:29 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxcgcomc.dll
[2008/12/05 12:25:29 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxcgcoms.exe
[2008/12/05 12:25:29 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxcgcomm.dll
[2008/12/05 12:25:29 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxcgcfg.exe
[2007/11/29 06:15:20 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxblserv.dll
[2007/11/29 06:15:20 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxblusb1.dll
[2007/11/29 06:15:20 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxblinpa.dll
[2007/11/29 06:15:20 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbliesc.dll
[2007/11/29 06:15:20 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBLhcp.dll
[2007/11/29 06:15:19 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxblhbn3.dll
[2007/11/29 06:15:19 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxblpmui.dll
[2007/11/29 06:15:19 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbllmpm.dll
[2007/11/29 06:15:19 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxblih.exe
[2007/11/29 06:15:19 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxblprox.dll
[2007/11/29 06:15:19 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxblpplc.dll
[2007/11/29 06:15:18 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxblcomc.dll
[2007/11/29 06:15:18 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxblcoms.exe
[2007/11/29 06:15:18 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxblcomm.dll
[2007/11/29 06:15:18 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxblcfg.exe

========== Files - Modified Within 30 Days ==========

[2011/05/14 14:44:13 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/14 14:44:13 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/14 12:09:01 | 000,000,392 | ---- | M] () -- C:\Windows\tasks\Final Media Player Update Checker.job
[2011/05/13 20:45:14 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
[2011/05/12 13:44:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/12 13:44:01 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/11 17:16:13 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/05/11 16:04:59 | 004,346,086 | R--- | M] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
[2011/05/10 03:17:41 | 000,000,186 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2011/05/09 16:33:32 | 185,486,608 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/05/01 16:18:10 | 000,000,680 | ---- | M] () -- C:\Users\Lilheath\AppData\Local\d3d9caps.dat
[2011/04/22 11:51:25 | 056,189,640 | ---- | M] () -- C:\Users\Lilheath\Desktop\setup_av_free.exe
[2011/04/22 11:33:43 | 000,159,877 | ---- | M] () -- C:\Users\Lilheath\Desktop\JavaRa.zip

========== Files Created - No Company Name ==========

[2011/05/09 15:30:29 | 2011,750,400 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/22 11:51:16 | 056,189,640 | ---- | C] () -- C:\Users\Lilheath\Desktop\setup_av_free.exe
[2011/04/22 11:33:36 | 000,159,877 | ---- | C] () -- C:\Users\Lilheath\Desktop\JavaRa.zip
[2011/04/12 17:10:17 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/12 17:10:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/12 17:10:17 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/12 17:10:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/12 17:10:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\Users\Lilheath\AppData\Local\1380560618
[2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\ProgramData\1380560618
[2010/08/23 11:38:08 | 000,000,186 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2009/03/06 22:16:20 | 000,036,962 | ---- | C] () -- C:\Windows\System32\ActPanel.dll
[2008/12/05 12:25:32 | 000,274,432 | ---- | C] () -- C:\Windows\System32\lxcginst.dll
[2008/09/23 13:38:55 | 000,000,680 | ---- | C] () -- C:\Users\Lilheath\AppData\Local\d3d9caps.dat
[2008/09/06 14:52:35 | 000,524,288 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/09/06 14:52:35 | 000,139,264 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2007/11/29 06:15:20 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBLinst.dll
[2007/11/09 11:52:40 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/11/02 01:06:29 | 000,002,640 | ---- | C] () -- C:\Users\Lilheath\AppData\Roaming\wklnhst.dat
[2007/11/02 01:04:42 | 000,051,712 | ---- | C] () -- C:\Users\Lilheath\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/11 04:03:27 | 000,107,026 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/08/11 03:47:01 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/08/11 03:38:25 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
[2007/08/11 03:38:25 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
[2007/05/14 08:28:10 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/02/22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxcgcoin.dll
[2007/02/22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxblcoin.dll
[2006/12/14 02:01:36 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/12/14 02:01:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,400,928 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,618,410 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,103,818 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2005/09/07 14:44:34 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxblvs.dll
[2005/08/18 07:26:46 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxcgvs.dll
[2005/03/13 15:32:14 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxcgcnv4.dll
[2004/01/27 08:13:02 | 000,421,888 | ---- | C] () -- C:\Windows\System32\OpenQuicktimeLib_dec.dll
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/08/08 00:24:24 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\AVSMedia
[2009/08/17 20:56:27 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/23 12:09:04 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\eMusic
[2011/05/09 20:31:32 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Facebook
[2011/05/09 20:31:32 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\FinalMediaPlayer
[2010/08/31 19:32:57 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\GetRightToGo
[2011/03/29 16:45:17 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Inspiration Software
[2007/11/14 21:19:07 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\iWin
[2011/01/18 20:40:47 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\NCH Swift Sound
[2010/08/15 18:09:46 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Opera
[2007/10/27 22:54:26 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Snapfish
[2011/03/29 16:40:40 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Softland
[2008/09/07 16:23:09 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\SPORE
[2007/11/02 01:06:49 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Template
[2011/04/06 13:09:01 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Unity
[2009/02/04 20:02:00 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Walgreens
[2007/10/27 23:57:19 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\WildTangent
[2007/11/05 19:57:15 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\WinBatch
[2011/05/14 12:09:01 | 000,000,392 | ---- | M] () -- C:\Windows\Tasks\Final Media Player Update Checker.job
[2011/05/12 13:11:20 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/05/13 20:45:14 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/08/11 04:15:15 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
[2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- C:\bootmgr
[2007/08/11 04:24:04 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/02/04 18:02:15 | 000,001,921 | ---- | M] () -- C:\CDFE.log
[2011/05/11 17:21:56 | 000,009,333 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/04/12 17:02:12 | 000,000,125 | ---- | M] () -- C:\FINIS_IT.TXT
[2011/05/12 13:44:01 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/22 11:41:05 | 000,042,971 | ---- | M] () -- C:\JavaRa.log
[2008/12/05 12:21:11 | 000,000,178 | ---- | M] () -- C:\lxcg.log
[2007/11/02 01:35:25 | 000,000,000 | ---- | M] () -- C:\lxcgfire.000
[2008/12/02 19:44:07 | 000,000,000 | ---- | M] () -- C:\lxcgfire.001
[2008/12/05 12:07:09 | 000,000,000 | ---- | M] () -- C:\lxcgfire.002
[2008/12/05 12:09:45 | 000,000,000 | ---- | M] () -- C:\lxcgfire.003
[2008/12/05 12:10:51 | 000,000,000 | ---- | M] () -- C:\lxcgfire.004
[2009/02/04 17:52:18 | 000,000,000 | ---- | M] () -- C:\lxcgfire.005
[2009/02/04 18:02:14 | 000,000,000 | ---- | M] () -- C:\lxcgfire.csv
[2007/11/02 01:37:36 | 000,000,291 | ---- | M] () -- C:\LXCGINST.000
[2008/12/02 19:44:47 | 000,000,468 | ---- | M] () -- C:\LXCGINST.001
[2008/12/05 12:07:44 | 000,000,468 | ---- | M] () -- C:\LXCGINST.002
[2008/12/05 12:10:12 | 000,000,714 | ---- | M] () -- C:\LXCGINST.003
[2008/12/05 12:11:16 | 000,000,714 | ---- | M] () -- C:\LXCGINST.004
[2009/02/04 17:55:58 | 000,000,592 | ---- | M] () -- C:\LXCGINST.005
[2009/02/04 18:02:27 | 000,000,139 | ---- | M] () -- C:\LXCGINST.csv
[2008/12/05 12:21:19 | 000,299,717 | ---- | M] () -- C:\lxcgunst.csv
[2011/05/12 13:43:59 | 2325,676,032 | -HS- | M] () -- C:\pagefile.sys
[2008/04/12 13:46:59 | 000,000,477 | ---- | M] () -- C:\RHDSetup.log
[2010/08/31 20:00:53 | 000,000,271 | ---- | M] () -- C:\rkill.log
[2011/02/04 15:08:07 | 000,010,799 | ---- | M] () -- C:\Setup Log.txt

< %systemroot%\Fonts\*.com >
[2006/11/02 08:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 08:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 08:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 08:37:12 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 17:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2007/03/23 03:10:00 | 000,117,760 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\lxblpp5c.dll
[2007/01/30 07:32:46 | 000,118,272 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\lxcgpp5c.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/12/13 09:53:28 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/04/01 08:06:48 | 000,000,286 | -HS- | M] () -- C:\Users\Lilheath\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/05/11 16:04:59 | 004,346,086 | R--- | M] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
[2011/04/22 11:32:05 | 000,885,024 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Lilheath\Desktop\JavaSetup6u24.exe
[2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
[2011/04/22 11:51:25 | 056,189,640 | ---- | M] () -- C:\Users\Lilheath\Desktop\setup_av_free.exe
[2011/04/07 18:13:24 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2007/09/06 09:00:55 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
[2007/09/06 09:00:25 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/10/28 16:16:08 | 000,000,402 | -HS- | M] () -- C:\Users\Lilheath\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/03/11 10:57:32 | 000,010,658 | -HS- | M] () -- C:\ProgramData\1380560618
[2007/08/11 04:03:47 | 000,000,343 | ---- | M] () -- C:\ProgramData\hpzinstall.log

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


========== Alternate Data Streams ==========

@Alternate Data Stream - 270 bytes -> C:\Windows\System32\drivers\hajqkyws.sys:changelist

< End of report >
 
informing me that my computer is unprotected
I'd assume they're legit, since you don't have any AV program installed at the moment.
Please, install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

Also, make sure Windows Firewall is ON.

I also have a pop up on boot that says my Windows Malicious Software Tool needs my permission to run
Grant it. It's a legit program.

======================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirements...qlabdetect.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\Users\Lilheath\AppData\Local\1380560618
    [2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\ProgramData\1380560618
    @Alternate Data Stream - 270 bytes -> C:\Windows\System32\drivers\hajqkyws.sys:changelist
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans...

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
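The OTL fix above removed an alternate data stream (C:\Windows\System32\drivers\hajqkyws.sys:changelist) from a driver file. As an added check that is not part of this thread or of OTL, the following PowerShell snippet lists every non-default NTFS stream on files under the drivers folder, so you can confirm nothing of that kind remains after the fix. It assumes PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt; the function name Get-DriverAlternateStreams is my own.

```powershell
# Added example, not from the thread: enumerate alternate data streams under
# %SystemRoot%\System32\drivers, the folder where the OTL fix deleted
# hajqkyws.sys:changelist. Needs PowerShell 3.0+ and an elevated prompt so
# every file in the folder can be read.
function Get-DriverAlternateStreams {
    param(
        # Folder to inspect; defaults to the one the OTL fix touched.
        [string]$Path = "$env:SystemRoot\System32\drivers"
    )
    Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream of the file, including the
            # main (unnamed) :$DATA stream that holds the file's content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        # Keep only named streams; the main stream is always ':$DATA'
        # (single quotes so PowerShell does not expand $DATA as a variable).
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object @{ Name = 'File'; Expression = { $_.FileName } },
                      Stream,
                      Length
}

# Report what was found; a clean folder prints a single line.
$streams = Get-DriverAlternateStreams
if ($streams) {
    $streams | Format-Table -AutoSize
} else {
    Write-Output "No alternate data streams found under $env:SystemRoot\System32\drivers"
}
```

A Zone.Identifier stream is normal on files that were downloaded with a browser and is not by itself a sign of infection; a named stream with some other name on a kernel driver, like the changelist stream OTL removed here, is the kind of thing worth posting in the thread for a second look.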
 
Ok, so I've d/led Avast, and it is currently running, ran a scan and found 1 item, the same oko... file that keeps popping up, quarantined it. Ran OTL again with the fix, have not run it the 2nd time yet for the restore, will do that today. I'm still getting some random errors. Last night I was trying to change print properties on my printer and kept getting some sort of error that would freeze the printing job and close everything out. I don't remember the code. I'm currently getting an error of "Application failed to initialize 0x80070006. The handle is invalid" when clicking on the Windows Defender icon in my tray to show my blocked startup programs. Here is the most recent OTL:

C:\Windows\Downloaded Program Files\sysreqlabdetect.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F576AD-8680-4F9E-9490-99D069CD665F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F576AD-8680-4F9E-9490-99D069CD665F}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{40F576AD-8680-4F9E-9490-99D069CD665F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{40F576AD-8680-4F9E-9490-99D069CD665F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F576AD-8680-4F9E-9490-99D069CD665F}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\Users\Lilheath\AppData\Local\1380560618 moved successfully.
C:\ProgramData\1380560618 moved successfully.
ADS C:\Windows\System32\drivers\hajqkyws.sys:changelist deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Lilheath
->Temp folder emptied: 1407365 bytes
->Temporary Internet Files folder emptied: 110130850 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 85773343 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 11169 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 81420 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 188.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Lilheath
->Flash cache emptied: 0 bytes

User: Mcx1

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05182011_234804

Files\Folders moved on Reboot...
File\Folder C:\Users\Lilheath\AppData\Local\Temp\~ROMFN_000013E4 not found!
C:\Users\Lilheath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Lilheath\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MJYNPON3\background_button_green_full[1].png moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Getting a new pop-up as of today. Says:
Windows Software Protection
An unauthorized change was made to Windows
You will no longer receive notifications, including those about your license or activation. Use the link below to find out how to fix your system.
Error: 0xC004D401
Description:
The security processor reported a system file mismatch error.

Then a link to "Learn more online" that I as of yet haven't clicked
 