TechSpot

[On-hold] Search engine redirect virus - still there despite 8 steps - router?

By jonboysylvan
Nov 25, 2010
Topic Status:
Not open for further replies.
  1. Hi team

    Have search engine redirect virus. Did various sweeps using several scans before finding you. Trend Micro threw up MARIOFEV.X, Malwarebytes a couple of things I forget, ESET threw up Ramnit, Hitman pro nothing. Still probs with redirects, pop-ups, sites not opening. Then found you. Just done 8 steps. Still same probs. Logs posted below.

    Also some possible evidence this is router-related? My wife was first to get this virus last week on work laptop (she works from home). So I assumed it was her putting portable hard drive into my PC that then led to my getting it. But her IT guys at work say they have fully reformatted her PC. She has just opened PC after receiving it back and connected to internet - started getting virus problem again straight away. But hasn't used her hard drive yet.

    Anyway, logs here for my PC as prescribed in 8 steps. Please help me/us!

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    25/11/2010 22:57:59
    mbam-log-2010-11-25 (22-57-59).txt

    Scan type: Quick scan
    Objects scanned: 111545
    Time elapsed: 15 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-25 23:09:13
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 MAXTOR_6L020J1 rev.A93.0500
    Running: ln2nd3n3.exe; Driver: C:\DOCUME~1\jon\LOCALS~1\Temp\fwrcypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-11-26.01) - NTFSx86
    Run by jon at 23:17:06.69 on 25/11/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.255.38 [GMT 0:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\jon\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\ddkusqlm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-24 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-24 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-24 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-24 60936]

    =============== Created Last 30 ================

    2010-11-25 23:09:40 -------- d-----w- c:\windows\system32\LogFiles
    2010-11-25 22:41:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-25 22:41:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-25 22:41:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-24 21:55:39 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-24 21:51:59 -------- d-----w- c:\docume~1\jon\applic~1\Avira
    2010-11-24 21:38:30 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-24 21:38:20 -------- d-----w- c:\program files\Avira
    2010-11-24 21:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-11-24 20:48:18 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-11-24 20:48:16 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-11-24 20:45:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-11-24 03:23:51 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2010-11-24 03:23:30 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-11-24 03:23:29 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-11-24 03:23:02 357248 -c----w- c:\windows\system32\dllcache\srv.sys
    2010-11-24 03:22:28 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-11-24 03:22:17 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-11-24 03:21:59 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-11-24 03:19:45 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-11-24 03:18:54 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2010-11-24 03:18:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2010-11-24 03:18:30 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2010-11-24 03:18:30 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2010-11-24 03:18:29 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2010-11-24 03:18:29 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2010-11-24 03:18:29 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2010-11-24 03:18:27 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2010-11-24 03:18:25 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2010-11-24 03:18:24 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2010-11-24 03:17:26 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-11-24 03:17:22 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-11-24 03:17:21 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-11-24 03:17:20 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-11-24 03:17:20 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-11-24 03:15:56 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2010-11-24 03:15:39 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2010-11-24 03:12:45 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-11-24 03:07:39 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-11-24 03:07:06 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2010-11-24 03:06:38 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2010-11-24 03:06:36 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
    2010-11-24 03:06:03 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2010-11-24 03:06:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-11-24 03:00:46 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-11-23 23:54:32 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\ESET
    2010-11-23 23:11:17 -------- d-----w- c:\windows\system32\wbem\AutoRecover
    2010-11-23 22:59:59 712704 ------w- c:\windows\system32\windowscodecs.dll
    2010-11-23 22:54:55 -------- d-----w- c:\windows\ServicePackFiles
    2010-11-23 22:54:48 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
    2010-11-23 22:47:01 -------- d-----w- c:\windows\system32\ReinstallBackups
    2010-11-23 22:39:36 -------- d-----w- c:\windows\EHome
    2010-11-23 07:36:43 -------- d-----w- c:\windows\system32\PreInstall
    2010-11-23 07:36:05 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-11-22 23:12:58 -------- d--h--w- c:\windows\$hf_mig$
    2010-11-22 09:49:11 -------- d-----w- c:\docume~1\jon\applic~1\Malwarebytes
    2010-11-22 09:47:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-21 18:41:05 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-11-21 18:41:05 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-11-21 18:40:55 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2010-11-21 13:50:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-11-21 13:34:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-11-20 22:59:12 274944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5k2.dll
    2010-11-20 22:59:11 117760 ----a-w- c:\windows\system32\hpz3l5k2.dll
    2010-11-20 22:58:48 267864 ----a-w- c:\windows\system32\hpzids01.dll
    2010-11-20 22:58:38 -------- d-----w- c:\windows\aqmlk
    2010-11-20 22:56:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-11-20 22:50:21 1287768 ----a-w- c:\windows\hpzshl01.exe
    2010-11-20 22:50:19 1140312 ----a-w- c:\windows\hpzmsi01.exe
    2010-11-20 22:32:05 -------- d-----w- c:\program files\common files\Hewlett-Packard
    2010-11-20 22:31:34 94208 ----a-w- c:\windows\system32\HPZipt12.dll
    2010-11-20 22:31:34 65536 ----a-w- c:\windows\system32\HPZipm12.exe
    2010-11-20 22:31:34 61440 ----a-w- c:\windows\system32\HPZinw12.exe
    2010-11-20 22:31:34 57344 ----a-w- c:\windows\system32\HPZisn12.dll
    2010-11-20 22:31:34 204800 ----a-w- c:\windows\system32\HPZipr12.dll
    2010-11-20 22:31:32 278584 ----a-w- c:\windows\system32\HPZidr12.dll
    2010-11-20 22:30:14 -------- d-----w- c:\program files\HP
    2010-11-20 22:14:39 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
    2010-11-20 22:14:39 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
    2010-11-20 22:11:31 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-11-20 22:11:22 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-11-09 12:35:09 -------- d-----w- c:\program files\Freeciv-2.2.3-gtk2

    ==================== Find3M ====================

    2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-09-09 14:16:29 81920 ------w- c:\windows\system32\ieencode.dll
    2010-09-08 16:49:49 369664 ------w- c:\windows\system32\html.iec
    2010-09-04 12:37:35 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2005-06-20 16:39:35 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe

    ============= FINISH: 23:18:30.48 ===============
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 08/06/2005 21:12:22
    System Uptime: 25/11/2010 22:30:22 (1 hours ago)

    Motherboard: | | 8363-686A
    Processor: AMD Duron(tm) processor | Slot A | 802/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 15 GiB total, 3.874 GiB free.
    D: is FIXED (NTFS) - 4 GiB total, 3.484 GiB free.
    E: is CDROM ()
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP864: 23/11/2010 23:17:08 - Installed ESET NOD32 Antivirus
    RP865: 24/11/2010 03:00:33 - Software Distribution Service 3.0
    RP866: 24/11/2010 08:58:05 - Software Distribution Service 3.0
    RP867: 24/11/2010 09:26:30 - Installed Windows XP WgaNotify.
    RP868: 24/11/2010 20:40:03 - Removed ESET NOD32 Antivirus
    RP869: 25/11/2010 03:01:40 - Software Distribution Service 3.0

    ==== Installed Programs ======================

    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.7
    Adobe SVG Viewer 3.0
    AiO_Scan
    AutoUpdate
    Avira AntiVir Personal - Free Antivirus
    DivX
    DivX Player
    Enterprise
    Freeciv 2.2.3 (GTK+ client)
    HijackThis 2.0.2
    Hitman Pro 3.5
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB976002-v5)
    HP PSC & Officejet 4.2 Corporate Edition
    Macromedia Extension Manager
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft Office XP Professional
    Microsoft Visual C Runtime
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.12)
    MS Access 97 SP2
    Nero 6 Ultra Edition
    PowerDVD
    QFolder
    RealPlayer
    Scan
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Spotify
    Symantec Network Drivers Update
    Total Commander (Remove or Repair)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip

    ==== Event Viewer Messages From Past Week ========

    25/11/2010 09:15:09, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AntiVirSchedulerService service.
    25/11/2010 08:11:25, error: Service Control Manager [7022] - The Avira AntiVir Guard service hung on starting.
    23/11/2010 23:11:46, error: Service Control Manager [7023] - The Portable Media Serial Number service terminated with the following error: The specified module could not be found.
    23/11/2010 23:11:17, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    23/11/2010 19:37:09, error: Service Control Manager [7023] - The Windows Installer service terminated with the following error: Overlapped I/O operation is in progress.
    23/11/2010 19:23:15, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    23/11/2010 19:23:15, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\aavm4h.dll. Reference error message: The operation completed successfully. .
    23/11/2010 19:23:15, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    23/11/2010 19:23:09, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\ashTaskEx.dll. Reference error message: The operation completed successfully. .
    23/11/2010 19:23:09, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\ashBase.dll. Reference error message: The operation completed successfully. .
    23/11/2010 19:13:34, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastSvc.exe. Reference error message: The operation completed successfully. .
    23/11/2010 19:13:26, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\ashQuick.exe. Reference error message: The operation completed successfully. .
    23/11/2010 19:12:42, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully. .
    23/11/2010 19:11:08, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\avastUI.exe. Reference error message: The operation completed successfully. .
    23/11/2010 19:11:08, error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
    23/11/2010 19:11:03, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\defs\10101100\aswCmnBS.dll. Reference error message: The operation completed successfully. .
    23/11/2010 19:10:52, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\defs\10101100\aswScan.dll. Reference error message: The operation completed successfully. .
    23/11/2010 16:55:21, error: ACPI [5] - AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0xcf8), which lies in the 0xcf8 - 0xcff protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
    23/11/2010 16:55:21, error: ACPI [4] - AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0xcfc), which lies in the 0xcf8 - 0xcff protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
    21/11/2010 18:32:45, error: Service Control Manager [7034] - The Symantec Network Drivers Service service terminated unexpectedly. It has done this 1 time(s).
    21/11/2010 18:32:45, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
    21/11/2010 18:32:45, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    21/11/2010 18:06:41, error: SideBySide [59] - Generate Activation Context failed for C:\Documents and Settings\jon\Local Settings\Temp\avira_antivir_personal_en\redist.dll. Reference error message: The operation completed successfully. .
    21/11/2010 17:53:24, error: SideBySide [59] - Generate Activation Context failed for C:\Documents and Settings\jon\Local Settings\Temp\avira_antivir_personal_en\setup.exe. Reference error message: The operation completed successfully. .

    ==== End Of File ===========================
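The post suspects the router, but a redirect can just as easily be planted on the PC itself, in the hosts file or in the adapter's DNS server setting, and those two places can be checked offline from copies of the files. The script below is an added example and is not part of the original thread or of any of the tools it names; the hosts file and `ipconfig /all` text it runs on are constructed, the LAN range `192.168.1.0/24` and the list of accepted public resolvers are assumptions for the sample, and the same functions can be pointed at the real `%SystemRoot%\system32\drivers\etc\hosts` and a saved `ipconfig /all` capture.

```python
"""
Added example, not from the original thread: two offline checks for where a
"search engine redirect" is usually planted on the PC itself, so the host can
be ruled in or out before blaming the router. Sample inputs are constructed.
"""
import ipaddress
import re

# Search engines a redirector typically hijacks.
SEARCH_DOMAINS = {
    "www.google.com", "www.google.co.uk", "www.bing.com", "search.yahoo.com",
}

# Public resolvers a home PC might legitimately point at (assumption: the
# household uses either the router or one of these). Anything public and
# not on this list gets flagged for a manual look.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# ---- Constructed sample input (not the poster's real files) ----------------
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.google.co.uk   # constructed: search engine pinned to a foreign IP
198.51.100.23   www.bing.com
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            192.168.1.1
"""


def parse_hosts(text):
    """(ip, hostname) pairs from hosts-file text; comments and blanks dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_hosts_entries(text):
    """Flag any search-engine name, any name mapped off loopback, and any
    malformed address: a stock Windows XP hosts file maps only localhost."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            off_loopback = not ipaddress.ip_address(ip).is_loopback
        except ValueError:          # not an IP at all: worth a look too
            off_loopback = True
        if name in SEARCH_DOMAINS or off_loopback:
            flagged.append((ip, name))
    return flagged


_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$")
_CONT_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text):
    """DNS server addresses from `ipconfig /all` output, including the
    indented continuation lines Windows prints for second and later servers."""
    servers, in_dns_block = [], False
    for line in text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            in_dns_block = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if in_dns_block:
            c = _CONT_LINE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns_block = False
    return servers


def suspicious_dns_servers(text, lan_network="192.168.1.0/24"):
    """Resolvers that are neither on the LAN (i.e. the router) nor a known
    public resolver. lan_network is an assumption for the sample data."""
    lan = ipaddress.ip_network(lan_network)
    return [
        s for s in parse_dns_servers(text)
        if ipaddress.ip_address(s) not in lan and s not in KNOWN_PUBLIC_RESOLVERS
    ]


if __name__ == "__main__":
    # On the real machine, read %SystemRoot%\system32\drivers\etc\hosts and
    # capture `ipconfig /all > ipconfig.txt` instead of using the samples.
    print("hosts file :", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("DNS servers:", suspicious_dns_servers(SAMPLE_IPCONFIG))
```

If both checks come back empty and the only DNS server shown is the router's LAN address, the PC cannot see what the router forwards to; the router's own WAN DNS setting then has to be read from its admin page, which is the check that would explain a freshly reformatted laptop picking the problem up again the moment it connects.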
  2. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Welcome aboard

    This is bad news, because, unfortunately, Ramnit is not curable.

    Let's see...

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  3. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    ESET found nothing

    Thanks for looking into this

    ESET online scan found nothing. Said no files infected. Didn't seem to generate a list of search results or a report, only button I could see was 'finish'.

    p.s. last time when I found stuff I downloaded ESET NOD

    Not curable. Ouch. What next?
  4. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Maybe it was a false alarm. We'll keep checking.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
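MBRCheck is asked for above because a redirect that survives every file-level scanner can live in the master boot record rather than in any file. The script below is an added example of what such a check does at its core, and is not MBRCheck's own code: it takes one 512-byte sector, verifies the 0x55AA boot signature, pulls out the four partition entries, hashes the 446-byte boot-code region and compares the hash with a known-good list. The sample sector is constructed (sized loosely after the 15 GiB and 4 GiB partitions in the DDS output), the `known_good` allowlist is hypothetical, and `read_first_sector` is there only to show where real input would come from.

```python
"""
Added example, not MBRCheck's code: the core of what an MBR check does.
It parses one 512-byte sector, verifies the 0x55AA boot signature, extracts
the four partition entries, and hashes the boot-code region so it can be
compared with a known-good hash. Sample sector and allowlist are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446       # boot code occupies bytes 0..445
TABLE_OFF = 446      # four 16-byte partition entries follow
SIG_OFF = 510        # two-byte boot signature 0x55 0xAA

# Prologue resembling a standard Windows MBR: xor ax,ax / mov ss,ax / mov sp,7C00h / sti
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"

# Constructed to loosely match the DDS output above (15 GiB C:, 4 GiB D:).
SAMPLE_PARTITIONS = [
    {"bootable": True,  "type": 0x07, "lba_start": 63,       "sectors": 31457217},
    {"bootable": False, "type": 0x07, "lba_start": 31457280, "sectors": 8388608},
]


def build_sample_mbr(partitions, boot_code=SAMPLE_BOOT_CODE):
    """Assemble a 512-byte MBR for the example (not read from a real disk)."""
    code = boot_code.ljust(CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII",
                    0x80 if p["bootable"] else 0x00, b"\x00" * 3,   # status, CHS start (unused)
                    p["type"], b"\x00" * 3,                         # type, CHS end (unused)
                    p["lba_start"], p["sectors"])
        for p in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


def read_first_sector(device_path):
    """Read sector 0 of a raw device. On Windows the path is of the form
    \\.\PhysicalDrive0 (administrator rights needed); on Linux /dev/sda."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def assess(sector, known_good_hashes):
    """Return (parsed info, list of findings). Empty findings means nothing odd."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] not in known_good_hashes:
        findings.append("boot code hash not in known-good list")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return info, findings


if __name__ == "__main__":
    sector = build_sample_mbr(SAMPLE_PARTITIONS)
    # Hypothetical allowlist: in practice a hash taken from a clean install of
    # the same Windows version (MBRCheck carries its own list of known code).
    known_good = {parse_mbr(sector)["code_sha256"]}
    info, findings = assess(sector, known_good)
    print(info["code_sha256"], info["partitions"])
    print("findings:", findings or "none")
    tampered = bytearray(sector)
    tampered[0] ^= 0xFF                      # flip one byte of the boot code
    print("after tampering:", assess(bytes(tampered), known_good)[1])
```

A hash that is not on the list is a lead, not a verdict: OEM and boot-manager MBRs differ from the stock Microsoft one, so an unknown hash has to be compared with a copy from a clean machine of the same make before anything is rewritten.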
  5. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Quick q re combofix

    Broni

    MBR report is below.

    Quick q re combofix.exe - don't want to do it wrong - when I download it, it will not give me the option to save directly to my desktop. There is a save button, and if I click it, it will start downloading into C:\My Documents\Downloads. Is it OK for me to download it to there and then cut and paste it onto the desktop?

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000005d

    Kernel Drivers (total 132):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF9D71000 \WINDOWS\system32\KDCOM.DLL
    0xF9C81000 \WINDOWS\system32\BOOTVID.dll
    0xF9822000 ACPI.sys
    0xF9D73000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF9811000 pci.sys
    0xF9871000 isapnp.sys
    0xF9D75000 viaide.sys
    0xF9AF1000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF9881000 MountMgr.sys
    0xF97F2000 ftdisk.sys
    0xF9D77000 dmload.sys
    0xF97CC000 dmio.sys
    0xF9AF9000 PartMgr.sys
    0xF9891000 VolSnap.sys
    0xF97B4000 atapi.sys
    0xF98A1000 disk.sys
    0xF98B1000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF9794000 fltmgr.sys
    0xF9782000 sr.sys
    0xF976B000 KSecDD.sys
    0xF96DE000 Ntfs.sys
    0xF96B1000 NDIS.sys
    0xF98C1000 viaagp.sys
    0xF9697000 Mup.sys
    0xF9A01000 \SystemRoot\System32\DRIVERS\processr.sys
    0xF947F000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
    0xF946B000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF9A11000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF9A21000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF9A31000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF9448000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF9B51000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF9424000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF940F000 \SystemRoot\system32\drivers\ac97via.sys
    0xF93CD000 \SystemRoot\system32\drivers\portcls.sys
    0xF9A41000 \SystemRoot\system32\drivers\drmk.sys
    0xF9397000 \SystemRoot\System32\DRIVERS\HSFBS2S2.sys
    0xF9298000 \SystemRoot\System32\DRIVERS\HSFDPSP2.sys
    0xF91F0000 \SystemRoot\System32\DRIVERS\HSFCXTS2.sys
    0xF9B59000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF9A51000 \SystemRoot\System32\DRIVERS\AN983.sys
    0xF9B61000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF9A61000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF9D1D000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF91DC000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF9A71000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF9B69000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF9F86000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF9A81000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF9D21000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF91C5000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF9A91000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF9AA1000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF9B71000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF91B4000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF9AB1000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF9B81000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF9B89000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF90E4000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF9AE1000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF9B91000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF9D93000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF905E000 \SystemRoot\System32\DRIVERS\update.sys
    0xF9D51000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF98F1000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF9921000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF9DA5000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF9657000 \SystemRoot\System32\DRIVERS\gameenum.sys
    0xF9653000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xF9BA1000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF9DB5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF9EC3000 \SystemRoot\System32\Drivers\Null.SYS
    0xF9DB7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF9BC1000 \SystemRoot\System32\drivers\vga.sys
    0xF9DB9000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF9DBB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF9BC9000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF9BD1000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF9D11000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF7F03000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF7EAA000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF7E6A000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xF7E42000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF9D35000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF7E20000 \SystemRoot\System32\drivers\afd.sys
    0xF9961000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF9BD9000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xF7DF5000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF7D85000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF9971000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7D5F000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF9981000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF7D3C000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF9DBF000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF9D3D000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xF99A1000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xF9BE1000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xF9D49000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xF99B1000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF7CFC000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF9DC1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF7F56000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF9BE9000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF9F14000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xF6CEF000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xF6CD7000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF6192000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF9114000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF5F7F000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF9D9B000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xF6337000 \SystemRoot\System32\Drivers\Aspi32.SYS
    0xF5EE8000 \SystemRoot\System32\DRIVERS\HSF_FALL.sys
    0xF5ECB000 \SystemRoot\System32\DRIVERS\HSF_FSKS.sys
    0xF5E6B000 \SystemRoot\System32\DRIVERS\HSF_K56K.sys
    0xF6263000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
    0xF62E7000 \SystemRoot\System32\DRIVERS\secdrv.sys
    0xF5DC3000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF5CCA000 \SystemRoot\System32\DRIVERS\HSF_FAXX.sys
    0xF6217000 \SystemRoot\System32\DRIVERS\HSF_TONE.sys
    0xF5C52000 \SystemRoot\System32\DRIVERS\HSF_V124.sys
    0xF5E43000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xF9DDD000 \SystemRoot\System32\Drivers\SYMDNS.SYS
    0xF62C7000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
    0xF5B61000 \SystemRoot\System32\Drivers\SYMFW.SYS
    0xF9B31000 \SystemRoot\System32\Drivers\SYMIDS.SYS
    0xF59B8000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 28):
    0 System Idle Process
    4 System
    420 C:\WINDOWS\system32\smss.exe
    484 csrss.exe
    508 C:\WINDOWS\system32\winlogon.exe
    552 C:\WINDOWS\system32\services.exe
    564 C:\WINDOWS\system32\lsass.exe
    732 C:\WINDOWS\system32\svchost.exe
    788 svchost.exe
    856 C:\WINDOWS\system32\svchost.exe
    916 svchost.exe
    968 svchost.exe
    1264 C:\WINDOWS\system32\WgaTray.exe
    1296 C:\WINDOWS\explorer.exe
    1312 C:\WINDOWS\system32\ctfmon.exe
    1340 C:\WINDOWS\system32\spoolsv.exe
    1660 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1964 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    1976 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2028 svchost.exe
    692 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    848 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    1020 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    1064 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2068 alg.exe
    2204 C:\WINDOWS\system32\wuauclt.exe
    2352 C:\Program Files\Mozilla Firefox\firefox.exe
    3144 C:\Documents and Settings\jon\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000003`a9636e00 (NTFS)

    PhysicalDrive0 Model Number: MAXTOR6L020J1, Rev: A93.0500

    Size Device Name MBR Status
    --------------------------------------------
    19 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    J
  6. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Yes :)
  7. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    combofix log

    ComboFix 10-11-25.06 - jon 26/11/2010 18:20:52.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.255.137 [GMT 0:00]
    Running from: c:\documents and settings\jon\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\fxe.sp
    c:\windows\ynh.dx

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
    .

    2010-11-26 06:14 . 2010-11-26 06:14 -------- d-----w- c:\program files\ESET
    2010-11-25 23:09 . 2010-11-25 23:09 -------- d-----w- c:\windows\system32\LogFiles
    2010-11-25 22:41 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-25 22:41 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-25 22:41 . 2010-11-25 22:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-25 22:13 . 2010-11-25 22:13 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira
    2010-11-25 21:01 . 2010-11-25 21:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
    2010-11-24 21:55 . 2010-11-25 22:04 -------- d-----w- c:\windows\system32\NtmsData
    2010-11-24 21:51 . 2010-11-24 21:51 -------- d-----w- c:\documents and settings\jon\Application Data\Avira
    2010-11-24 21:38 . 2010-08-02 16:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-24 21:38 . 2010-08-02 16:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-24 21:38 . 2010-06-17 15:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-11-24 21:38 . 2010-06-17 15:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-11-24 21:38 . 2010-11-24 21:38 -------- d-----w- c:\program files\Avira
    2010-11-24 21:38 . 2010-11-24 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-11-24 20:48 . 2010-11-24 20:48 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-11-24 20:48 . 2010-11-24 20:48 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-11-24 20:45 . 2010-11-24 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-11-24 03:23 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2010-11-24 03:23 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-11-24 03:23 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-11-24 03:23 . 2010-08-26 13:39 357248 -c----w- c:\windows\system32\dllcache\srv.sys
    2010-11-24 03:22 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-11-24 03:22 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-11-24 03:21 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-11-24 03:19 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-11-24 03:18 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2010-11-24 03:18 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2010-11-24 03:18 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2010-11-24 03:18 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2010-11-24 03:18 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2010-11-24 03:18 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2010-11-24 03:18 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2010-11-24 03:18 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2010-11-24 03:18 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2010-11-24 03:18 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2010-11-24 03:17 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-11-24 03:17 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-11-24 03:17 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-11-24 03:17 . 2010-04-27 13:05 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-11-24 03:17 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-11-24 03:15 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2010-11-24 03:15 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2010-11-24 03:12 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-11-24 03:07 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-11-24 03:07 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2010-11-24 03:06 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2010-11-24 03:06 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
    2010-11-24 03:06 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2010-11-24 03:06 . 2010-08-26 12:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-11-24 03:00 . 2010-11-24 03:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2010-11-24 00:28 . 2010-11-24 00:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2010-11-23 23:54 . 2010-11-23 23:54 -------- d-----w- c:\documents and settings\jon\Local Settings\Application Data\ESET
    2010-11-23 23:11 . 2010-11-23 23:14 -------- d-----w- c:\windows\system32\wbem\AutoRecover
    2010-11-23 22:59 . 2008-04-14 05:42 712704 ------w- c:\windows\system32\windowscodecs.dll
    2010-11-23 22:54 . 2010-11-23 23:00 -------- d-----w- c:\windows\ServicePackFiles
    2010-11-23 22:54 . 2008-04-14 05:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
    2010-11-23 22:39 . 2010-11-23 22:39 -------- d-----w- c:\windows\EHome
    2010-11-23 07:36 . 2007-07-27 23:11 26488 ----a-w- c:\windows\system32\spupdsvc.exe
    2010-11-22 23:12 . 2010-11-24 16:56 -------- d--h--w- c:\windows\$hf_mig$
    2010-11-22 09:49 . 2010-11-22 09:49 -------- d-----w- c:\documents and settings\jon\Application Data\Malwarebytes
    2010-11-22 09:47 . 2010-11-22 09:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-11-21 18:41 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-11-21 13:50 . 2010-11-23 19:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-11-21 13:34 . 2010-11-21 13:34 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-11-20 22:59 . 2010-11-20 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2010-11-20 22:59 . 2007-06-27 12:04 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5k2.dll
    2010-11-20 22:59 . 2007-06-27 12:06 117760 ----a-w- c:\windows\system32\hpz3l5k2.dll
    2010-11-20 22:58 . 2007-05-21 17:47 267864 ----a-w- c:\windows\system32\hpzids01.dll
    2010-11-20 22:58 . 2010-11-20 22:58 -------- d-----w- c:\windows\aqmlk
    2010-11-20 22:56 . 2008-04-14 00:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-11-20 22:50 . 2007-05-21 17:41 1287768 ----a-w- c:\windows\hpzshl01.exe
    2010-11-20 22:50 . 2007-05-21 17:45 1140312 ----a-w- c:\windows\hpzmsi01.exe
    2010-11-20 22:32 . 2010-11-20 22:32 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2010-11-20 22:31 . 2004-03-18 16:56 204800 ----a-w- c:\windows\system32\HPZipr12.dll
    2010-11-20 22:31 . 2004-03-18 16:55 65536 ----a-w- c:\windows\system32\HPZipm12.exe
    2010-11-20 22:31 . 2004-03-18 16:39 57344 ----a-w- c:\windows\system32\HPZisn12.dll
    2010-11-20 22:31 . 2004-03-18 16:39 94208 ----a-w- c:\windows\system32\HPZipt12.dll
    2010-11-20 22:31 . 2004-03-18 16:38 61440 ----a-w- c:\windows\system32\HPZinw12.exe
    2010-11-20 22:31 . 2004-03-18 16:53 278584 ----a-w- c:\windows\system32\HPZidr12.dll
    2010-11-20 22:30 . 2010-11-20 22:31 -------- d-----w- c:\program files\HP
    2010-11-20 22:14 . 2009-08-26 22:41 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
    2010-11-20 22:14 . 2009-08-26 22:41 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
    2010-11-20 22:11 . 2008-04-14 00:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-11-20 22:11 . 2008-04-14 00:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-11-09 12:35 . 2010-11-18 20:49 -------- d-----w- c:\program files\Freeciv-2.2.3-gtk2
    2010-10-31 15:51 . 2010-10-31 15:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-10-29 08:52 . 2010-10-29 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 12:23 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-23 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 14:16 . 2002-08-29 03:41 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 14:16 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-09-01 11:51 . 2001-08-23 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2002-08-29 02:14 1852800 ----a-w- c:\windows\system32\win32k.sys
    2005-06-20 16:39 . 2005-06-20 16:32 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-07-05 180269]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2005-10-24 15:53 307200 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [24/11/2010 21:38 135336]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\jon\Application Data\Mozilla\Firefox\Profiles\ddkusqlm.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-26 18:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-11-26 18:33:50
    ComboFix-quarantined-files.txt 2010-11-26 18:33

    Pre-Run: 3,940,069,376 bytes free
    Post-Run: 3,913,617,408 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - 64FFED41218AFB4F3E8367C0CE317C8F
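    As an added example, not ComboFix's own code and not anything posted by the helpers in this thread, here is a small Python triage parser for the ComboFix log format shown above. The sample log embedded in it is constructed from lines copied out of this post's log; the section-banner regex, the registry parsing and the "new directory directly under c:\windows" heuristic are my own assumptions about the format rather than documented ComboFix behaviour. It pulls out the items a reviewer looks at first: the files ComboFix deleted, directories newly created at the root of the Windows folder, the Run-key autostarts, and the "EnableFirewall"= 0 value that shows the XP firewall is switched off.

```python
import re
from typing import Dict, List

# Constructed sample: these lines are copied from the ComboFix log posted in
# this thread, trimmed to the sections the parser below uses.
SAMPLE_LOG = r"""ComboFix 10-11-25.06 - jon 26/11/2010 18:20:52.1.1 - x86
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fxe.sp
c:\windows\ynh.dx

.
((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-26 06:14 . 2010-11-26 06:14 -------- d-----w- c:\program files\ESET
2010-11-25 23:09 . 2010-11-25 23:09 -------- d-----w- c:\windows\system32\LogFiles
2010-11-20 22:58 . 2010-11-20 22:58 -------- d-----w- c:\windows\aqmlk
2010-11-24 21:38 . 2010-08-02 16:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-07-05 180269]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
"""

# Assumed patterns for the log layout (not a documented ComboFix grammar).
SECTION_RE = re.compile(r"^[(\-]{3,}\s*(.+?)\s*[)\-]{3,}$")   # "(((( Name ))))" or "--- Name ---"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\Run]
REG_VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*(.*)$')             # "name"=value
CREATED_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S+) (.+)$")  # created . modified size attrs path

FW_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def find_section(sections: Dict[str, List[str]], prefix: str) -> List[str]:
    """Look a section up by the start of its banner text (dates vary)."""
    for name, lines in sections.items():
        if name.startswith(prefix):
            return lines
    return []


def parse_registry(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Turn the REGEDIT4-style dump into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in lines:
        key = REG_KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = REG_VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2).strip()
    return keys


def parse_created(lines: List[str]) -> List[Dict[str, str]]:
    """Parse 'Files Created' rows into dicts; attrs starting with 'd' are directories."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            entries.append({"created": m.group(1), "modified": m.group(2),
                            "size": m.group(3), "attrs": m.group(4), "path": m.group(5)})
    return entries


def triage(log: str) -> List[str]:
    """Return the review points in the order a reader would want them."""
    sections = split_sections(log)
    findings: List[str] = []
    for path in find_section(sections, "Other Deletions"):
        findings.append(f"deleted by ComboFix: {path}")
    for entry in parse_created(find_section(sections, "Files Created")):
        parent = entry["path"].rsplit("\\", 1)[0].lower()
        # Heuristic: directories appearing at the root of the Windows folder merit a look.
        if entry["attrs"].startswith("d") and parent == r"c:\windows":
            findings.append(f"new directory directly under c:\\windows: {entry['path']}")
    reg = parse_registry(find_section(sections, "Reg Loading Points"))
    if reg.get(FW_KEY, {}).get("EnableFirewall", "").startswith("0"):
        findings.append("Windows Firewall disabled in the standard profile (EnableFirewall=0)")
    for name, value in reg.get(RUN_KEY, {}).items():
        findings.append(f"autorun {name}: {value}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Run it against a saved ComboFix.txt by reading the file into `triage()`; the banner regex accepts both the parenthesised section names and the dashed "Supplementary Scan" banner, so the later sections land in their own buckets as well.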
  8. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Combofix log looks clean now :)

    How is redirection?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  9. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    first part of OTL log (rest plus Extras log in following post)

    still redirecting, I'm afraid

    OTL logfile created on: 28/11/2010 23:09:10 - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\jon\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    255.00 Mb Total Physical Memory | 112.00 Mb Available Physical Memory | 44.00% Memory free
    620.00 Mb Paging File | 346.00 Mb Available in Paging File | 56.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 14.65 Gb Total Space | 3.65 Gb Free Space | 24.90% Space Free | Partition Type: NTFS
    Drive D: | 4.48 Gb Total Space | 3.48 Gb Free Space | 77.75% Space Free | Partition Type: NTFS

    Computer Name: JONATHAN | User Name: jon | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    PRC - [2010/08/02 16:10:00 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/08/02 16:09:55 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/08/02 16:09:55 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2009/03/10 22:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/07/05 16:53:39 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    PRC - [2005/04/05 10:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/08/02 16:10:00 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2010/08/02 16:09:55 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2005/04/05 10:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20081108.002\symidsco.sys -- (SYMIDSCO)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\jon\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/08/02 16:10:08 | 000,126,856 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/08/02 16:10:08 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2008/04/13 22:04:32 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2005/04/05 10:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2005/04/05 10:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2005/04/05 10:16:58 | 000,036,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
    DRV - [2005/04/05 10:16:56 | 000,047,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
    DRV - [2005/04/05 10:16:54 | 000,173,208 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
    DRV - [2005/04/05 10:16:52 | 000,011,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
    DRV - [2002/08/28 23:00:56 | 000,084,480 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97via.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
    DRV - [2002/08/28 22:59:12 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
    DRV - [2001/08/17 13:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
    DRV - [2001/08/17 13:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
    DRV - [2001/08/17 13:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
    DRV - [2001/08/17 13:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
    DRV - [2001/08/17 13:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
    DRV - [2001/08/17 13:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
    DRV - [2001/08/17 13:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
    DRV - [2001/08/17 13:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
    DRV - [2001/08/17 13:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)
    DRV - [1997/12/23 01:02:46 | 000,023,936 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
    FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.2

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/29 18:50:33 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/29 08:50:29 | 000,000,000 | ---D | M]

    [2008/08/17 20:27:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Mozilla\Extensions
    [2010/11/26 17:53:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\ddkusqlm.default\extensions
    [2010/03/15 19:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\ddkusqlm.default\extensions\zotero@chnm.gmu.edu
    [2010/10/24 09:16:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2010/11/26 18:29:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\jon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\jon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/06/08 20:07:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks, Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
    Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/28 22:58:33 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    [2010/11/26 18:33:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/11/26 18:19:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/11/26 18:16:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/11/26 18:16:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/11/26 18:16:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/11/26 18:16:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/11/26 18:15:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/11/26 18:15:30 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/11/26 06:14:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2010/11/25 23:09:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
    [2010/11/25 22:41:12 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/11/25 22:41:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/11/25 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/11/25 22:13:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Avira
    [2010/11/25 21:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
    [2010/11/25 21:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
    [2010/11/25 21:00:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/11/24 21:55:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2010/11/24 21:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Application Data\Avira
    [2010/11/24 21:38:36 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/11/24 21:38:30 | 000,126,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/11/24 21:38:30 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/11/24 21:38:30 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/11/24 21:38:30 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/11/24 21:38:20 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/11/24 21:38:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/11/24 20:48:16 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2010/11/24 20:45:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/11/24 03:00:46 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    [2010/11/24 00:28:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
    [2010/11/23 23:54:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Local Settings\Application Data\ESET
    [2010/11/23 23:10:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
    [2010/11/23 22:59:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
    [2010/11/23 22:59:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\provisioning
    [2010/11/23 22:59:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
    [2010/11/23 22:59:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
    [2010/11/23 22:59:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\peernet
    [2010/11/23 22:59:47 | 000,000,000 | ---D | C] -- C:\Program Files\msn
    [2010/11/23 22:59:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
    [2010/11/23 22:54:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
    [2010/11/23 22:50:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
    [2010/11/23 22:47:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
    [2010/11/23 22:39:40 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
    [2010/11/23 22:39:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
    [2010/11/23 07:36:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
    [2010/11/22 23:12:58 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
    [2010/11/22 09:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Application Data\Malwarebytes
    [2010/11/22 09:47:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/11/21 18:40:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
    [2010/11/21 13:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/11/21 13:34:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2010/11/20 22:59:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    [2010/11/20 22:58:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\aqmlk
    [2010/11/20 22:56:19 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010/11/20 22:32:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Hewlett-Packard
    [2010/11/20 22:30:14 | 000,000,000 | ---D | C] -- C:\Program Files\HP
    [2010/11/09 12:35:09 | 000,000,000 | ---D | C] -- C:\Program Files\Freeciv-2.2.3-gtk2
    [2010/10/31 15:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
    [2005/06/20 16:32:15 | 020,798,256 | ---- | C] (Netopsystems AG ) -- C:\Program Files\AdbeRdr70_enu_full.exe

    ========== Files - Modified Within 30 Days ==========

    [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    [2010/11/28 22:54:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/11/28 22:51:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/11/28 22:51:50 | 267,968,512 | -HS- | M] () -- C:\hiberfil.sys
    [2010/11/26 18:29:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/11/26 18:19:18 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/11/26 18:14:11 | 003,909,115 | R--- | M] () -- C:\Documents and Settings\jon\Desktop\ComboFix.exe
    [2010/11/25 23:20:22 | 000,076,288 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\virus log so far.doc
    [2010/11/25 22:41:15 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/11/25 03:36:42 | 000,312,378 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/11/25 03:36:42 | 000,040,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/11/25 03:13:49 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/11/24 21:39:16 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/11/24 20:48:18 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/11/24 20:48:16 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
    [2010/11/24 09:17:28 | 000,122,136 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/11/23 23:15:21 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
    [2010/11/23 23:12:34 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/11/23 23:03:38 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/11/23 22:50:12 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/11/23 22:50:12 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/11/23 19:23:24 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/11/22 09:49:56 | 000,119,808 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\screen print.doc
    [2010/11/21 18:12:07 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\jon\Local Settings\Application Data\housecall.guid.cache
    [2010/11/20 22:33:24 | 000,102,006 | ---- | M] () -- C:\WINDOWS\hpoins04.dat.temp
    [2010/11/20 22:33:24 | 000,102,006 | ---- | M] () -- C:\WINDOWS\hpoins04.dat
    [2010/11/18 20:49:00 | 000,006,870 | ---- | M] () -- C:\Documents and Settings\jon\Application Data\.freeciv-client-rc-2.2
    [2010/11/17 09:29:00 | 000,079,872 | ---- | M] () -- C:\Documents and Settings\jon\Desktop\BlackRock proposal draft 5.doc
    [2010/11/12 11:02:00 | 000,048,640 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\BlackRock proposal draft 3.doc
    [2010/11/09 22:01:05 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\milestones.xls
    [2010/11/08 06:52:29 | 001,756,454 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\AVIVA%20Policy%20Wording.pdf
    [2010/11/08 06:52:10 | 000,376,849 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\cert%20for%2099%20sylvan%20ave%2014.07.10.pdf
    [2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
    [2010/11/05 21:40:51 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\Maintain a continued relationship with the customer.doc
    [2010/11/01 20:18:24 | 000,199,434 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\Malaga BoardingPass.pdf
    [2010/10/30 17:59:36 | 000,045,186 | ---- | M] () -- C:\WINDOWS\cdplayer.ini

    ========== Files Created - No Company Name ==========

    [2010/11/26 18:19:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/11/26 18:19:15 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/11/26 18:16:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/11/26 18:16:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/11/26 18:16:08 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/11/26 18:16:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/11/26 18:16:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/11/26 18:14:11 | 003,909,115 | R--- | C] () -- C:\Documents and Settings\jon\Desktop\ComboFix.exe
    [2010/11/25 23:02:56 | 000,076,288 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\virus log so far.doc
    [2010/11/25 22:41:15 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/11/24 21:39:15 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/11/24 20:48:18 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/11/24 20:48:16 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
    [2010/11/23 23:11:49 | 000,316,640 | ---- | C] () -- C:\WINDOWS\WMSysPr9.prx
    [2010/11/23 23:00:52 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
    [2010/11/23 23:00:52 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
    [2010/11/23 23:00:51 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
    [2010/11/23 23:00:51 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
    [2010/11/23 23:00:51 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
    [2010/11/23 23:00:51 | 000,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
    [2010/11/23 23:00:51 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
    [2010/11/23 23:00:51 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
    [2010/11/23 23:00:51 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
    [2010/11/23 23:00:50 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
    [2010/11/23 23:00:50 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
    [2010/11/23 23:00:50 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
    [2010/11/23 23:00:50 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
    [2010/11/23 23:00:50 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
    [2010/11/23 23:00:50 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
    [2010/11/23 23:00:49 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
    [2010/11/23 23:00:49 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
    [2010/11/23 23:00:49 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
    [2010/11/23 23:00:49 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
    [2010/11/23 23:00:49 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
    [2010/11/23 23:00:48 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
    [2010/11/23 23:00:48 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
    [2010/11/23 23:00:48 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
    [2010/11/23 23:00:48 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
    [2010/11/23 23:00:48 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
    [2010/11/23 23:00:48 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
    [2010/11/23 23:00:48 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
    [2010/11/23 23:00:48 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
    [2010/11/23 23:00:48 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
    [2010/11/23 23:00:48 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
    [2010/11/23 23:00:48 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
    [2010/11/23 23:00:48 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
    [2010/11/23 23:00:48 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
    [2010/11/23 23:00:48 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
    [2010/11/23 23:00:48 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
    [2010/11/23 23:00:48 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
    [2010/11/23 23:00:48 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
    [2010/11/23 23:00:48 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
    [2010/11/23 23:00:48 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
    [2010/11/23 23:00:48 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
    [2010/11/23 23:00:48 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
    [2010/11/23 23:00:48 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
    [2010/11/23 23:00:48 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
    [2010/11/23 23:00:48 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
    [2010/11/23 23:00:48 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
    [2010/11/23 23:00:48 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
    [2010/11/23 23:00:47 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
    [2010/11/23 23:00:47 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
    [2010/11/23 23:00:47 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
    [2010/11/23 23:00:47 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
    [2010/11/23 23:00:47 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
    [2010/11/23 23:00:47 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
    [2010/11/23 23:00:47 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
    [2010/11/23 23:00:47 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
    [2010/11/23 23:00:47 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
    [2010/11/23 23:00:47 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
    [2010/11/23 23:00:47 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
    [2010/11/23 23:00:47 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
    [2010/11/23 23:00:47 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
    [2010/11/23 23:00:47 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
    [2010/11/23 23:00:47 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
    [2010/11/23 23:00:47 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
    [2010/11/23 23:00:47 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
    [2010/11/23 23:00:47 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
    [2010/11/23 23:00:46 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
    [2010/11/23 23:00:46 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
    [2010/11/23 23:00:46 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
    [2010/11/23 23:00:46 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
    [2010/11/23 23:00:46 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
    [2010/11/23 23:00:45 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
    [2010/11/23 23:00:45 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
    [2010/11/23 23:00:45 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
    [2010/11/23 23:00:45 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
    [2010/11/23 23:00:45 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
    [2010/11/23 23:00:45 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
    [2010/11/23 23:00:45 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
    [2010/11/23 23:00:45 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
    [2010/11/23 23:00:45 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
    [2010/11/23 23:00:45 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
    [2010/11/23 23:00:45 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
    [2010/11/23 23:00:25 | 000,239,616 | ---- | C] () -- C:\WINDOWS\System32\wstrenderer.ax
    [2010/11/23 23:00:25 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\wstpager.ax
    [2010/11/23 23:00:25 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\vbicodec.ax
    [2010/11/23 22:50:38 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
    [2010/11/23 22:50:38 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
    [2010/11/23 22:50:36 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
    [2010/11/22 09:49:56 | 000,119,808 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\screen print.doc
    [2010/11/21 18:12:07 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\jon\Local Settings\Application Data\housecall.guid.cache
    [2010/11/20 22:58:27 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/11/20 22:50:06 | 000,009,847 | ---- | C] () -- C:\WINDOWS\hpwscr12.dat
    [2010/11/20 22:38:48 | 000,102,006 | ---- | C] () -- C:\WINDOWS\hpoins04.dat.temp
    [2010/11/20 22:38:48 | 000,017,218 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat.temp
    [2010/11/20 22:28:51 | 000,002,506 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2010/11/20 22:28:49 | 000,102,006 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
    [2010/11/20 22:28:49 | 000,017,218 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
    [2010/11/17 08:02:29 | 000,079,872 | ---- | C] () -- C:\Documents and Settings\jon\Desktop\BlackRock proposal draft 5.doc
    [2010/11/12 09:18:09 | 000,048,640 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\BlackRock proposal draft 3.doc
    [2010/11/09 14:01:18 | 000,006,870 | ---- | C] () -- C:\Documents and Settings\jon\Application Data\.freeciv-client-rc-2.2
    [2010/11/09 11:08:54 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\milestones.xls
    [2010/11/08 06:52:28 | 001,756,454 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\AVIVA%20Policy%20Wording.pdf
    [2010/11/08 06:52:10 | 000,376,849 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\cert%20for%2099%20sylvan%20ave%2014.07.10.pdf
    [2010/11/05 21:40:50 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\Maintain a continued relationship with the customer.doc
    [2010/11/01 20:18:24 | 000,199,434 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\Malaga BoardingPass.pdf
    [2010/09/15 13:34:52 | 000,000,632 | ---- | C] () -- C:\WINDOWS\Vtw.INI
    [2010/09/09 19:12:20 | 000,004,990 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
    [2009/01/25 12:46:32 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2008/11/02 07:25:31 | 000,007,458 | ---- | C] () -- C:\Documents and Settings\jon\Application Data\.civclientrc
    [2008/05/08 17:56:18 | 000,000,560 | ---- | C] () -- C:\Program Files\Global.sw
    [2006/11/16 12:08:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\TRAYHOOK.DLL
    [2006/05/14 14:35:04 | 000,000,006 | ---- | C] () -- C:\WINDOWS\System32\x517_256.dll
    [2006/02/16 09:35:23 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\jon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2005/08/11 10:00:16 | 000,045,186 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2005/06/08 21:35:54 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2005/06/08 21:32:10 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
    [2005/06/08 21:25:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/06/08 21:24:03 | 000,010,022 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2005/06/08 21:01:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/06/08 20:41:53 | 000,000,635 | ---- | C] () -- C:\WINDOWS\wincmd.ini
    [2004/07/12 21:07:21 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
    [2000/01/27 23:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
    [1999/01/22 18:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

    ========== LOP Check ==========

    [2010/11/23 19:23:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2008/11/10 20:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
    [2008/11/02 09:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/09/11 08:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
    [2010/11/24 20:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/11/21 13:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2006/07/09 21:53:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
    [2010/01/30 18:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/11/18 20:44:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\.freeciv
    [2008/11/02 07:25:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\.ggz
    [2010/06/27 11:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2010/09/09 19:12:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Carambis
    [2008/12/22 06:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\PCToolsFirewallPlus
    [2008/12/22 06:51:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\PCToolsSpamMonitorPlus
    [2008/01/14 19:10:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Sports Interactive
    [2010/11/25 17:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Spotify
    [2008/12/09 15:44:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\TSO
    [2008/11/02 09:59:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\VCOM

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2008/11/29 14:27:12 | 000,005,527 | ---- | M] () -- C:\aoedoppl.txt
    [2008/11/29 14:27:24 | 000,002,960 | ---- | M] () -- C:\aoeWVlog.txt
    [2005/06/08 20:07:56 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/11/23 23:03:38 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/11/26 18:19:18 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/09/15 13:37:23 | 000,004,802 | R--- | M] () -- C:\CLDMA.LOG
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/11/26 18:33:51 | 000,013,146 | ---- | M] () -- C:\ComboFix.txt
    [2005/06/08 20:07:56 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/11/28 22:51:50 | 267,968,512 | -HS- | M] () -- C:\hiberfil.sys
    [2005/06/08 20:07:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2005/06/08 20:07:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2010/11/23 22:50:12 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/11/23 22:50:12 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/11/28 22:51:49 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
    [2008/10/21 13:50:13 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
    [2008/10/21 14:50:50 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
    [2008/10/21 15:21:44 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
    [2008/10/23 17:11:01 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
    [2008/10/25 13:35:28 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
    [2008/10/29 18:07:02 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
    [2008/11/01 12:41:08 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
    [2008/08/03 09:10:03 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
    [2008/08/05 21:02:58 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
    [2008/08/06 07:45:41 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
    [2008/08/06 21:28:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
    [2008/08/07 04:42:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
    [2008/08/07 06:42:52 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
    [2008/08/07 16:26:39 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
    [2008/10/19 13:12:14 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
    [2008/10/19 13:22:04 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
    [2008/10/19 18:48:55 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
    [2008/10/20 07:54:43 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
    [2008/10/21 09:05:09 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
    [2008/10/21 09:28:59 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
    [2008/10/21 13:50:12 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
    [2008/10/21 14:50:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
    [2008/10/21 15:21:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
    [2008/10/23 17:11:01 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
    [2008/10/25 13:35:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
    [2008/10/29 18:07:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
    [2008/11/01 12:41:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
    [2008/08/03 09:10:03 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
    [2008/08/05 21:02:57 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
    [2008/08/06 07:45:41 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
    [2008/08/06 21:28:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
    [2008/08/07 04:42:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
    [2008/08/07 06:42:52 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
    [2008/08/07 16:26:39 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
    [2008/10/19 13:12:12 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
    [2008/10/19 13:22:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
    [2008/10/19 18:48:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
    [2008/10/20 07:54:42 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
    [2008/10/21 09:05:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
    [2008/10/21 09:28:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2005/06/08 20:07:13 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2007/06/27 12:04:44 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5k2.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2005/06/20 16:39:35 | 020,798,256 | ---- | M] (Netopsystems AG ) -- C:\Program Files\AdbeRdr70_enu_full.exe
    [2008/05/08 17:56:40 | 000,000,560 | ---- | M] () -- C:\Program Files\Global.sw

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2005/06/08 20:59:13 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2005/06/08 20:59:13 | 000,626,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2005/06/08 20:59:13 | 000,401,408 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010/11/23 23:02:17 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/11/23 23:13:11 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\jon\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2005/06/08 20:15:21 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/11/26 18:14:11 | 003,909,115 | R--- | M] () -- C:\Documents and Settings\jon\Desktop\ComboFix.exe
    [2009/10/25 23:07:57 | 000,570,208 | ---- | M] (Google Inc.) -- C:\Documents and Settings\jon\Desktop\googleupdatesetup.exe
    [2008/12/22 07:30:13 | 001,851,544 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\jon\Desktop\install_flash_player.exe
    [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    [2008/12/29 21:54:56 | 010,024,504 | ---- | M] (Google Inc.) -- C:\Documents and Settings\jon\Desktop\picasa3-setup.exe
    [2010/01/03 12:06:25 | 032,494,896 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\jon\Desktop\QuickTimeInstaller.exe
    [2008/12/22 07:24:10 | 006,762,760 | ---- | M] (Mozilla) -- C:\Documents and Settings\jon\Desktop\Thunderbird Setup 2.0.0.18.exe
    [2009/01/30 14:23:53 | 000,898,416 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\jon\Desktop\WGAPluginInstall(2).exe
    [2009/01/30 14:27:10 | 000,318,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\jon\Desktop\wmpfirefoxplugin.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >
    [2008/05/08 17:56:40 | 000,000,560 | -H-- | M] () -- C:\WINDOWS\Config\desktop.idf

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >


    to be continued...
  10. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    rest of OTL log plus Extras log

    [2010/11/23 23:13:11 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\jon\Favorites\Desktop.ini
    [2007/03/12 08:41:45 | 000,001,781 | ---- | M] () -- C:\Documents and Settings\jon\Favorites\Play other Games.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/11/28 22:52:59 | 000,212,992 | ---- | M] () -- C:\Documents and Settings\jon\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008/04/14 05:42:40 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2002/08/20 20:29:46 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2002/08/20 11:32:18 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2002/08/20 11:32:22 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
    [2008/05/02 14:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2002/08/20 14:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe
    [2002/08/20 20:29:48 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2002/08/20 20:30:06 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2002/08/20 20:30:06 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2002/08/20 11:32:20 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2007/04/02 23:34:02 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [1997/12/23 00:23:36 | 000,004,672 | ---- | M] (Adaptec) -- C:\WINDOWS\system\wowpost.exe

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE3BDCE7
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

    < End of report >

    EXTRAS LOG reads

    OTL Extras logfile created on: 28/11/2010 23:09:10 - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\jon\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    255.00 Mb Total Physical Memory | 112.00 Mb Available Physical Memory | 44.00% Memory free
    620.00 Mb Paging File | 346.00 Mb Available in Paging File | 56.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 14.65 Gb Total Space | 3.65 Gb Free Space | 24.90% Space Free | Partition Type: NTFS
    Drive D: | 4.48 Gb Total Space | 3.48 Gb Free Space | 77.75% Space Free | Partition Type: NTFS

    Computer Name: JONATHAN | User Name: jon | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE -url "%1" File not found
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{52D97366-9779-43AB-98A2-91600DCD9102}" = Enterprise
    "{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
    "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
    "{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime
    "{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
    "{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
    "{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
    "{AC1314E7-D28C-40A1-B322-80D2868D35CE}" = HP PSC & Officejet 4.2 Corporate Edition
    "{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.7
    "{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}" = Symantec Network Drivers Update
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe SVG Viewer" = Adobe SVG Viewer 3.0
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "ESET Online Scanner" = ESET Online Scanner v3
    "Freeciv-2.2.3-gtk2" = Freeciv 2.2.3 (GTK+ client)
    "HijackThis" = HijackThis 2.0.2
    "HitmanPro35" = Hitman Pro 3.5
    "Macromedia Shockwave Player" = Macromedia Shockwave Player
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
    "MS Access 97 SP2" = MS Access 97 SP2
    "Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
    "RealPlayer 6.0" = RealPlayer
    "Spotify" = Spotify
    "Totalcmd" = Total Commander (Remove or Repair)
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinRAR archiver" = WinRAR archiver
    "WinZip" = WinZip

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 18/11/2010 05:54:05 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.2623.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 18/11/2010 05:54:30 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.2623.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 18/11/2010 05:54:37 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.2623.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 18/11/2010 05:54:48 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.2623.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 18/11/2010 05:55:44 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.2623.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 18/11/2010 05:56:32 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.2623.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 23/11/2010 15:55:15 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 23/11/2010 16:08:38 | Computer Name = JONATHAN | Source = Application Hang | ID = 1002
    Description = Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 24/11/2010 18:52:09 | Computer Name = JONATHAN | Source = Application Error | ID = 1000
    Description = Faulting application plugin-container.exe, version 1.9.2.3951, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

    Error - 24/11/2010 19:41:57 | Computer Name = JONATHAN | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070015 (converted
    to 0x800423f3).

    [ System Events ]
    Error - 25/11/2010 04:11:25 | Computer Name = JONATHAN | Source = Service Control Manager | ID = 7022
    Description = The Avira AntiVir Guard service hung on starting.

    Error - 25/11/2010 05:15:09 | Computer Name = JONATHAN | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the AntiVirSchedulerService service.

    Error - 25/11/2010 18:24:39 | Computer Name = JONATHAN | Source = Service Control Manager | ID = 7034
    Description = The Symantec Network Drivers Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 25/11/2010 18:30:53 | Computer Name = JONATHAN | Source = ACPI | ID = 327685
    Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
    (0xcf8), which lies in the 0xcf8 - 0xcff protected address range. This could lead
    to system instability. Please contact your system vendor for technical assistance.

    Error - 25/11/2010 18:31:10 | Computer Name = JONATHAN | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 26/11/2010 13:39:57 | Computer Name = JONATHAN | Source = ACPI | ID = 327685
    Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
    (0xcf8), which lies in the 0xcf8 - 0xcff protected address range. This could lead
    to system instability. Please contact your system vendor for technical assistance.

    Error - 26/11/2010 13:39:57 | Computer Name = JONATHAN | Source = ACPI | ID = 327684
    Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
    (0xcfc), which lies in the 0xcf8 - 0xcff protected address range. This could lead
    to system instability. Please contact your system vendor for technical assistance.

    Error - 28/11/2010 18:52:21 | Computer Name = JONATHAN | Source = ACPI | ID = 327685
    Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
    (0xcf8), which lies in the 0xcf8 - 0xcff protected address range. This could lead
    to system instability. Please contact your system vendor for technical assistance.

    Error - 28/11/2010 18:52:21 | Computer Name = JONATHAN | Source = ACPI | ID = 327684
    Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
    (0xcfc), which lies in the 0xcf8 - 0xcff protected address range. This could lead
    to system instability. Please contact your system vendor for technical assistance.

    Error - 28/11/2010 18:54:28 | Computer Name = JONATHAN | Source = Service Control Manager | ID = 7022
    Description = The Avira AntiVir Guard service hung on starting.


    < End of report >
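    The OTL file-listing and Alternate Data Stream lines quoted in the logs above have a fixed shape. As an added example (not part of this thread, and not code from OTL or its author), here is a small Python parser that reads those lines from a constructed sample in the same format and applies two defender-side triage rules: it lists every alternate data stream OTL reported, and it flags executables under the Windows directory that carry no company name. The sample mirrors the format of the posted log; "example_unsigned.dll" is a made-up file name added only to exercise the second rule, not a file from the poster's machine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the OTL log format used in this thread. The directory,
# root-level and Alternate Data Stream lines mirror entries from the posted log;
# "example_unsigned.dll" is a made-up file added only to exercise the triage rule.
SAMPLE_LOG = r"""
========== LOP Check ==========

[2010/11/23 19:23:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/11/26 18:33:51 | 000,013,146 | ---- | M] () -- C:\ComboFix.txt
[2010/11/28 22:51:50 | 267,968,512 | -HS- | M] () -- C:\hiberfil.sys

< %SYSTEMROOT%\inf\*.exe >
[2008/04/14 05:42:40 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe
[2010/11/24 03:12:09 | 000,044,032 | -HS- | M] () -- C:\WINDOWS\system32\example_unsigned.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
"""

# [timestamp | size | attributes | C/M] (company) -- path   (company part is absent for directories)
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# @Alternate Data Stream - N bytes -> host-path:streamname
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$")


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str          # R/H/S/D flags as OTL prints them, e.g. "-HS-" or "---D"
    company: str        # empty when OTL found no company name in the version info
    path: str
    is_dir: bool
    stream: Optional[str] = None   # set only for alternate data stream entries


def parse_otl(text: str) -> List[Entry]:
    """Parse OTL file-listing and ADS lines; section headers and scan queries are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            entries.append(Entry(
                timestamp=m["ts"],
                size=int(m["size"].replace(",", "")),
                attrs=m["attrs"],
                company=(m["company"] or "").strip(),
                path=m["path"],
                is_dir="D" in m["attrs"],
            ))
            continue
        m = ADS_RE.match(line)
        if m:
            # The drive colon comes first, so splitting on the last colon isolates the stream name.
            host, stream = m["path"].rsplit(":", 1)
            entries.append(Entry(timestamp="", size=int(m["bytes"]), attrs="",
                                 company="", path=host, is_dir=False, stream=stream))
    return entries


EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
SYSTEM_ROOT = "c:\\windows\\"   # assumption: %SystemRoot% is C:\WINDOWS, as in the posted log


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs worth a closer look by the person reading the log."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.stream is not None:
            findings.append((e.path, f"alternate data stream :{e.stream} ({e.size} bytes)"))
        elif (not e.is_dir and not e.company
              and e.path.lower().startswith(SYSTEM_ROOT)
              and e.path.lower().endswith(EXEC_EXT)):
            findings.append((e.path, "executable in system directory with no company name"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_otl(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

    Run on the constructed sample, the triage reports the ADS on the TEMP folder and the made-up system32 DLL, while the Microsoft-signed unregmp2.exe and the root-level OS files pass. An absent company name is only a prompt to check the file's hash and signature, not a verdict on its own.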
  11. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Somehow gone out of sync: the second part has posted first, but I hope you get the picture.
  12. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Will need to wait on moderator to post first msg.
  13. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Which browser is affected?

    You have very little RAM. XP would run much better with at least 512MB of RAM (1GB would be ideal).

    ===================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    You have some Norton leftovers. Please run this tool to remove them: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [2008/11/10 20:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
      @Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
      @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE3BDCE7
      @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
      @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /flushdns /c
      C:\*.sqm
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  14. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Results of OTL fix are below.

    Am sure you are right re 512 MB of RAM (in context, bought PC in 2001 with 64MB, has had XP on for last 4 years on 256MB without probs - until this virus hit me). Did Java stuff and Norton stuff as you directed. Because it's from 2001, not sure I have removed early Norton stuff, as this removal tool only went back to 2003.

    Re: browser - definitely still redirecting on Firefox, which is what I usually use. Tried 10 times on IE and it hasn't yet redirected. Will carry on checking after I have done the OTL Quick Scan and posted. (If it means anything, had for the first time after the OTL reboot a strange message about a script not running - related to Zotero, which runs on Firefox and is an academic reference programme.)

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
    Starting removal of ActiveX control DirectAnimation Java Classes
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
    File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    C:\Documents and Settings\All Users\Application Data\Avg7 folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CE3BDCE7 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\jon\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\jon\Desktop\cmd.txt deleted successfully.
    C:\sqmdata00.sqm moved successfully.
    C:\sqmdata01.sqm moved successfully.
    C:\sqmdata02.sqm moved successfully.
    C:\sqmdata03.sqm moved successfully.
    C:\sqmdata04.sqm moved successfully.
    C:\sqmdata05.sqm moved successfully.
    C:\sqmdata06.sqm moved successfully.
    C:\sqmdata07.sqm moved successfully.
    C:\sqmdata08.sqm moved successfully.
    C:\sqmdata09.sqm moved successfully.
    C:\sqmdata10.sqm moved successfully.
    C:\sqmdata11.sqm moved successfully.
    C:\sqmdata12.sqm moved successfully.
    C:\sqmdata13.sqm moved successfully.
    C:\sqmdata14.sqm moved successfully.
    C:\sqmdata15.sqm moved successfully.
    C:\sqmdata16.sqm moved successfully.
    C:\sqmdata17.sqm moved successfully.
    C:\sqmdata18.sqm moved successfully.
    C:\sqmdata19.sqm moved successfully.
    C:\sqmnoopt00.sqm moved successfully.
    C:\sqmnoopt01.sqm moved successfully.
    C:\sqmnoopt02.sqm moved successfully.
    C:\sqmnoopt03.sqm moved successfully.
    C:\sqmnoopt04.sqm moved successfully.
    C:\sqmnoopt05.sqm moved successfully.
    C:\sqmnoopt06.sqm moved successfully.
    C:\sqmnoopt07.sqm moved successfully.
    C:\sqmnoopt08.sqm moved successfully.
    C:\sqmnoopt09.sqm moved successfully.
    C:\sqmnoopt10.sqm moved successfully.
    C:\sqmnoopt11.sqm moved successfully.
    C:\sqmnoopt12.sqm moved successfully.
    C:\sqmnoopt13.sqm moved successfully.
    C:\sqmnoopt14.sqm moved successfully.
    C:\sqmnoopt15.sqm moved successfully.
    C:\sqmnoopt16.sqm moved successfully.
    C:\sqmnoopt17.sqm moved successfully.
    C:\sqmnoopt18.sqm moved successfully.
    C:\sqmnoopt19.sqm moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: jon
    ->Temp folder emptied: 24384272 bytes
    ->Temporary Internet Files folder emptied: 5119858 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 59618931 bytes
    ->Flash cache emptied: 6344 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->FireFox cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 395 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 79872 bytes

    Total Files Cleaned = 85.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: jon
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.3 log created on 11292010_003352

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  15. Broni


    OK. After OTL run this for me...

    Please download GooredFix from one of the locations below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
  16. jonboysylvan


    OTL Quick Scan

    Assumed you didn't want me to paste anything into the custom scan box, so just clicked Quick Scan - hope that's right?

    OTL logfile created on: 29/11/2010 00:48:55 - Run 2
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\jon\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    255.00 Mb Total Physical Memory | 158.00 Mb Available Physical Memory | 62.00% Memory free
    620.00 Mb Paging File | 388.00 Mb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 14.65 Gb Total Space | 3.50 Gb Free Space | 23.89% Space Free | Partition Type: NTFS
    Drive D: | 4.48 Gb Total Space | 3.48 Gb Free Space | 77.75% Space Free | Partition Type: NTFS

    Computer Name: JONATHAN | User Name: jon | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    PRC - [2010/08/02 16:10:00 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010/08/02 16:09:55 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/08/02 16:09:55 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2009/03/10 22:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/07/05 16:53:39 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/08/02 16:10:00 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2010/08/02 16:09:55 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20081108.002\symidsco.sys -- (SYMIDSCO)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\jon\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/08/02 16:10:08 | 000,126,856 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010/08/02 16:10:08 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2008/04/13 22:04:32 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2005/04/05 10:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2005/04/05 10:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2005/04/05 10:16:58 | 000,036,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
    DRV - [2005/04/05 10:16:56 | 000,047,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
    DRV - [2005/04/05 10:16:54 | 000,173,208 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
    DRV - [2005/04/05 10:16:52 | 000,011,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
    DRV - [2002/08/28 23:00:56 | 000,084,480 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97via.sys -- (VIAudio) VIA AC'97 Audio Controller (WDM)
    DRV - [2002/08/28 22:59:12 | 000,036,224 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
    DRV - [2001/08/17 13:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
    DRV - [2001/08/17 13:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
    DRV - [2001/08/17 13:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
    DRV - [2001/08/17 13:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
    DRV - [2001/08/17 13:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
    DRV - [2001/08/17 13:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
    DRV - [2001/08/17 13:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
    DRV - [2001/08/17 13:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
    DRV - [2001/08/17 13:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)
    DRV - [1997/12/23 01:02:46 | 000,023,936 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
    FF - prefs.js..extensions.enabledItems: zotero@chnm.gmu.edu:2.0.2
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/29 18:50:33 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/28 23:54:11 | 000,000,000 | ---D | M]

    [2008/08/17 20:27:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Mozilla\Extensions
    [2010/11/29 00:16:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\ddkusqlm.default\extensions
    [2010/03/15 19:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\ddkusqlm.default\extensions\zotero@chnm.gmu.edu
    [2010/11/29 00:16:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/11/28 23:54:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2010/11/28 23:53:13 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2010/11/26 18:29:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\jon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\jon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/06/08 20:07:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/29 00:33:52 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/11/29 00:06:03 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/11/29 00:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\My Documents\JavaRa
    [2010/11/28 23:55:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
    [2010/11/28 23:55:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/11/28 23:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2010/11/28 23:50:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Application Data\Sun
    [2010/11/28 22:58:33 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    [2010/11/26 18:33:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2010/11/26 18:19:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/11/26 18:16:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/11/26 18:16:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/11/26 18:16:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/11/26 18:16:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/11/26 18:15:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/11/26 18:15:30 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/11/26 06:14:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2010/11/25 23:09:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
    [2010/11/25 22:41:12 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/11/25 22:41:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/11/25 22:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/11/25 22:13:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Avira
    [2010/11/25 21:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
    [2010/11/25 21:01:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
    [2010/11/25 21:00:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/11/24 21:55:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2010/11/24 21:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Application Data\Avira
    [2010/11/24 21:38:36 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2010/11/24 21:38:30 | 000,126,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010/11/24 21:38:30 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010/11/24 21:38:30 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2010/11/24 21:38:30 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2010/11/24 21:38:20 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2010/11/24 21:38:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2010/11/24 20:48:16 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2010/11/24 20:45:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/11/24 03:00:46 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    [2010/11/24 00:28:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
    [2010/11/23 23:54:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Local Settings\Application Data\ESET
    [2010/11/23 23:10:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
    [2010/11/23 22:59:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
    [2010/11/23 22:59:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\provisioning
    [2010/11/23 22:59:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
    [2010/11/23 22:59:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
    [2010/11/23 22:59:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\peernet
    [2010/11/23 22:59:47 | 000,000,000 | ---D | C] -- C:\Program Files\msn
    [2010/11/23 22:59:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
    [2010/11/23 22:54:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
    [2010/11/23 22:50:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
    [2010/11/23 22:47:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
    [2010/11/23 22:39:40 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
    [2010/11/23 22:39:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
    [2010/11/23 07:36:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
    [2010/11/22 23:12:58 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
    [2010/11/22 09:49:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jon\Application Data\Malwarebytes
    [2010/11/22 09:47:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/11/21 18:40:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
    [2010/11/21 13:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/11/21 13:34:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2010/11/20 22:59:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    [2010/11/20 22:58:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\aqmlk
    [2010/11/20 22:56:19 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2010/11/20 22:32:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Hewlett-Packard
    [2010/11/20 22:30:14 | 000,000,000 | ---D | C] -- C:\Program Files\HP
    [2010/11/09 12:35:09 | 000,000,000 | ---D | C] -- C:\Program Files\Freeciv-2.2.3-gtk2
    [2010/10/31 15:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
    [2005/06/20 16:32:15 | 020,798,256 | ---- | C] (Netopsystems AG ) -- C:\Program Files\AdbeRdr70_enu_full.exe

    ========== Files - Modified Within 30 Days ==========

    [2010/11/29 00:37:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/11/29 00:35:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/11/29 00:35:43 | 267,968,512 | -HS- | M] () -- C:\hiberfil.sys
    [2010/11/28 22:58:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jon\Desktop\OTL.exe
    [2010/11/26 18:29:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/11/26 18:19:18 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/11/26 18:14:11 | 003,909,115 | R--- | M] () -- C:\Documents and Settings\jon\Desktop\ComboFix.exe
    [2010/11/25 23:20:22 | 000,076,288 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\virus log so far.doc
    [2010/11/25 22:41:15 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/11/25 03:36:42 | 000,312,378 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/11/25 03:36:42 | 000,040,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/11/25 03:13:49 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/11/24 21:39:16 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/11/24 20:48:18 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/11/24 20:48:16 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
    [2010/11/24 09:17:28 | 000,122,136 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/11/23 23:15:21 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
    [2010/11/23 23:12:34 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\jon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/11/23 23:03:38 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/11/23 22:50:12 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/11/23 22:50:12 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010/11/23 19:23:24 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/11/22 09:49:56 | 000,119,808 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\screen print.doc
    [2010/11/21 18:12:07 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\jon\Local Settings\Application Data\housecall.guid.cache
    [2010/11/20 22:33:24 | 000,102,006 | ---- | M] () -- C:\WINDOWS\hpoins04.dat.temp
    [2010/11/20 22:33:24 | 000,102,006 | ---- | M] () -- C:\WINDOWS\hpoins04.dat
    [2010/11/18 20:49:00 | 000,006,870 | ---- | M] () -- C:\Documents and Settings\jon\Application Data\.freeciv-client-rc-2.2
    [2010/11/12 11:02:00 | 000,048,640 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\BlackRock proposal draft 3.doc
    [2010/11/09 22:01:05 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\milestones.xls
    [2010/11/08 06:52:29 | 001,756,454 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\AVIVA%20Policy%20Wording.pdf
    [2010/11/08 06:52:10 | 000,376,849 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\cert%20for%2099%20sylvan%20ave%2014.07.10.pdf
    [2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
    [2010/11/05 21:40:51 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\Maintain a continued relationship with the customer.doc
    [2010/11/01 20:18:24 | 000,199,434 | ---- | M] () -- C:\Documents and Settings\jon\My Documents\Malaga BoardingPass.pdf
    [2010/10/30 17:59:36 | 000,045,186 | ---- | M] () -- C:\WINDOWS\cdplayer.ini

    ========== Files Created - No Company Name ==========

    [2010/11/26 18:19:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/11/26 18:19:15 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/11/26 18:16:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/11/26 18:16:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/11/26 18:16:08 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/11/26 18:16:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/11/26 18:16:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/11/26 18:14:11 | 003,909,115 | R--- | C] () -- C:\Documents and Settings\jon\Desktop\ComboFix.exe
    [2010/11/25 23:02:56 | 000,076,288 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\virus log so far.doc
    [2010/11/25 22:41:15 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/11/24 21:39:15 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2010/11/24 20:48:18 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/11/24 20:48:16 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
    [2010/11/23 23:11:49 | 000,316,640 | ---- | C] () -- C:\WINDOWS\WMSysPr9.prx
    [2010/11/23 23:00:52 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
    [2010/11/23 23:00:52 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
    [2010/11/23 23:00:51 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
    [2010/11/23 23:00:51 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
    [2010/11/23 23:00:51 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
    [2010/11/23 23:00:51 | 000,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
    [2010/11/23 23:00:51 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
    [2010/11/23 23:00:51 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
    [2010/11/23 23:00:51 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
    [2010/11/23 23:00:50 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
    [2010/11/23 23:00:50 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
    [2010/11/23 23:00:50 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
    [2010/11/23 23:00:50 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
    [2010/11/23 23:00:50 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
    [2010/11/23 23:00:50 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
    [2010/11/23 23:00:49 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
    [2010/11/23 23:00:49 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
    [2010/11/23 23:00:49 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
    [2010/11/23 23:00:49 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
    [2010/11/23 23:00:49 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
    [2010/11/23 23:00:48 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
    [2010/11/23 23:00:48 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
    [2010/11/23 23:00:48 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
    [2010/11/23 23:00:48 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
    [2010/11/23 23:00:48 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
    [2010/11/23 23:00:48 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
    [2010/11/23 23:00:48 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
    [2010/11/23 23:00:48 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
    [2010/11/23 23:00:48 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
    [2010/11/23 23:00:48 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
    [2010/11/23 23:00:48 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
    [2010/11/23 23:00:48 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
    [2010/11/23 23:00:48 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
    [2010/11/23 23:00:48 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
    [2010/11/23 23:00:48 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
    [2010/11/23 23:00:48 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
    [2010/11/23 23:00:48 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
    [2010/11/23 23:00:48 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
    [2010/11/23 23:00:48 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
    [2010/11/23 23:00:48 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
    [2010/11/23 23:00:48 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
    [2010/11/23 23:00:48 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
    [2010/11/23 23:00:48 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
    [2010/11/23 23:00:48 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
    [2010/11/23 23:00:48 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
    [2010/11/23 23:00:48 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
    [2010/11/23 23:00:47 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
    [2010/11/23 23:00:47 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
    [2010/11/23 23:00:47 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
    [2010/11/23 23:00:47 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
    [2010/11/23 23:00:47 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
    [2010/11/23 23:00:47 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
    [2010/11/23 23:00:47 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
    [2010/11/23 23:00:47 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
    [2010/11/23 23:00:47 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
    [2010/11/23 23:00:47 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
    [2010/11/23 23:00:47 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
    [2010/11/23 23:00:47 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
    [2010/11/23 23:00:47 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
    [2010/11/23 23:00:47 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
    [2010/11/23 23:00:47 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
    [2010/11/23 23:00:47 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
    [2010/11/23 23:00:47 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
    [2010/11/23 23:00:47 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
    [2010/11/23 23:00:46 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
    [2010/11/23 23:00:46 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
    [2010/11/23 23:00:46 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
    [2010/11/23 23:00:46 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
    [2010/11/23 23:00:46 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
    [2010/11/23 23:00:45 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
    [2010/11/23 23:00:45 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
    [2010/11/23 23:00:45 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
    [2010/11/23 23:00:45 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
    [2010/11/23 23:00:45 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
    [2010/11/23 23:00:45 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
    [2010/11/23 23:00:45 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
    [2010/11/23 23:00:45 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
    [2010/11/23 23:00:45 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
    [2010/11/23 23:00:45 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
    [2010/11/23 23:00:45 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
    [2010/11/23 23:00:25 | 000,239,616 | ---- | C] () -- C:\WINDOWS\System32\wstrenderer.ax
    [2010/11/23 23:00:25 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\wstpager.ax
    [2010/11/23 23:00:25 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\vbicodec.ax
    [2010/11/23 22:50:38 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
    [2010/11/23 22:50:38 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
    [2010/11/23 22:50:36 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
    [2010/11/22 09:49:56 | 000,119,808 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\screen print.doc
    [2010/11/21 18:12:07 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\jon\Local Settings\Application Data\housecall.guid.cache
    [2010/11/20 22:58:27 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/11/20 22:50:06 | 000,009,847 | ---- | C] () -- C:\WINDOWS\hpwscr12.dat
    [2010/11/20 22:38:48 | 000,102,006 | ---- | C] () -- C:\WINDOWS\hpoins04.dat.temp
    [2010/11/20 22:38:48 | 000,017,218 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat.temp
    [2010/11/20 22:28:51 | 000,002,506 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2010/11/20 22:28:49 | 000,102,006 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
    [2010/11/20 22:28:49 | 000,017,218 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
    [2010/11/12 09:18:09 | 000,048,640 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\BlackRock proposal draft 3.doc
    [2010/11/09 14:01:18 | 000,006,870 | ---- | C] () -- C:\Documents and Settings\jon\Application Data\.freeciv-client-rc-2.2
    [2010/11/09 11:08:54 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\milestones.xls
    [2010/11/08 06:52:28 | 001,756,454 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\AVIVA%20Policy%20Wording.pdf
    [2010/11/08 06:52:10 | 000,376,849 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\cert%20for%2099%20sylvan%20ave%2014.07.10.pdf
    [2010/11/05 21:40:50 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\Maintain a continued relationship with the customer.doc
    [2010/11/01 20:18:24 | 000,199,434 | ---- | C] () -- C:\Documents and Settings\jon\My Documents\Malaga BoardingPass.pdf
    [2010/09/15 13:34:52 | 000,000,632 | ---- | C] () -- C:\WINDOWS\Vtw.INI
    [2010/09/09 19:12:20 | 000,004,990 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
    [2009/01/25 12:46:32 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2008/11/02 07:25:31 | 000,007,458 | ---- | C] () -- C:\Documents and Settings\jon\Application Data\.civclientrc
    [2008/05/08 17:56:18 | 000,000,560 | ---- | C] () -- C:\Program Files\Global.sw
    [2006/11/16 12:08:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\TRAYHOOK.DLL
    [2006/05/14 14:35:04 | 000,000,006 | ---- | C] () -- C:\WINDOWS\System32\x517_256.dll
    [2006/02/16 09:35:23 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\jon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2005/08/11 10:00:16 | 000,045,186 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2005/06/08 21:35:54 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2005/06/08 21:32:10 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
    [2005/06/08 21:25:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/06/08 21:24:03 | 000,010,022 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2005/06/08 21:01:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/06/08 20:41:53 | 000,000,635 | ---- | C] () -- C:\WINDOWS\wincmd.ini
    [2004/07/12 21:07:21 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
    [2000/01/27 23:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
    [1999/01/22 18:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

    ========== LOP Check ==========

    [2010/11/23 19:23:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2008/11/02 09:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/09/11 08:30:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
    [2010/11/24 20:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/11/21 13:34:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2006/07/09 21:53:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
    [2010/01/30 18:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/11/18 20:44:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\.freeciv
    [2008/11/02 07:25:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\.ggz
    [2010/06/27 11:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2010/09/09 19:12:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Carambis
    [2008/12/22 06:51:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\PCToolsFirewallPlus
    [2008/12/22 06:51:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\PCToolsSpamMonitorPlus
    [2008/01/14 19:10:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Sports Interactive
    [2010/11/25 17:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\Spotify
    [2008/12/09 15:44:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\TSO
    [2008/11/02 09:59:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jon\Application Data\VCOM

    ========== Purity Check ==========



    < End of report >
  17. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Yes. Let me check it and you see my previous reply.
  18. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    We need to remove Norton leftovers manually...

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20081108.002\symidsco.sys -- (SYMIDSCO)
      DRV - [2005/04/05 10:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
      DRV - [2005/04/05 10:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
      DRV - [2005/04/05 10:16:58 | 000,036,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
      DRV - [2005/04/05 10:16:56 | 000,047,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
      DRV - [2005/04/05 10:16:54 | 000,173,208 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
      DRV - [2005/04/05 10:16:52 | 000,011,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
  19. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Goored

    IE hasn't redirected on another 10-15 clicks, though some weird formatting (possibly because I have IE6?? but still surprising), some messages about page load aborted (very similar to what was happening a few days ago with the virus on my work laptop which only had IE), and one seemingly ordinary webpage seeming to load and reload a lot (never seen that before) ....???

    Goored below

    Will get onto Norton stuff

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 01:15 on 29/11/2010 (jon)
    Firefox version 3.6.12 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [09:16 24/10/2010]
    {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [23:54 28/11/2010]

    C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\ddkusqlm.default\extensions\
    zotero@chnm.gmu.edu [19:06 15/03/2010]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    (none)

    -=E.O.F=-
  20. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    All processes killed
    ========== OTL ==========
    Service SYMIDSCO stopped successfully!
    Service SYMIDSCO deleted successfully!
    File C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20081108.002\symidsco.sys not found.
    Service SYMTDI stopped successfully!
    Service SYMTDI deleted successfully!
    C:\WINDOWS\system32\drivers\symtdi.sys moved successfully.
    Service SYMREDRV stopped successfully!
    Service SYMREDRV deleted successfully!
    C:\WINDOWS\system32\drivers\symredrv.sys moved successfully.
    Service SYMIDS stopped successfully!
    Service SYMIDS deleted successfully!
    C:\WINDOWS\system32\drivers\symids.sys moved successfully.
    Service SYMNDIS stopped successfully!
    Service SYMNDIS deleted successfully!
    C:\WINDOWS\system32\drivers\symndis.sys moved successfully.
    Service SYMFW stopped successfully!
    Service SYMFW deleted successfully!
    C:\WINDOWS\system32\drivers\symfw.sys moved successfully.
    Service SYMDNS stopped successfully!
    Service SYMDNS deleted successfully!
    C:\WINDOWS\system32\drivers\symdns.sys moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: jon
    ->Temp folder emptied: 754 bytes
    ->Temporary Internet Files folder emptied: 12980416 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 22502849 bytes
    ->Flash cache emptied: 878 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 395 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 34.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: jon
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.3 log created on 11292010_012335

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  21. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You have to upgrade IE to at least version 7 right away.
    Version 6 is obsolete and thus dangerous.
    Do so and let me know how the issue is in IE7.

    Let's see if resetting the router will help.

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    NOTE. Simply disconnecting the router from a power source will NOT do.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE
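    The router-reset step above rests on the idea that a compromised router can hand bad DNS settings to every machine behind it, which would explain why the reformatted laptop started redirecting again the moment it reconnected. As an added example (not from this thread or from Broni), the Python below parses `ipconfig /all` output and flags any resolver that is neither the adapter's own gateway nor on a list of resolvers the owner trusts; the sample output and the trusted-resolver address are constructed.

    ```python
    import ipaddress
    import re

    # Constructed sample of XP-style `ipconfig /all` output (not from the thread). The
    # second adapter shows the footprint of a hijacked router: it hands out DNS servers
    # that are neither the gateway nor anything the owner configured.
    SAMPLE_IPCONFIG = """\
    Ethernet adapter Local Area Connection:
       IP Address. . . . . . . . . . . . : 192.168.1.10
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.1
    Ethernet adapter Wireless Network Connection:
       IP Address. . . . . . . . . . . . : 192.168.1.11
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 203.0.113.7
                                           203.0.113.8
    """
    # Resolvers the owner knows to be legitimate (constructed placeholder value).
    TRUSTED_RESOLVERS = {"198.51.100.53"}
    ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")                     # "Ethernet adapter X:"
    FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(.*)$")  # "Label . . . : value"
    CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")                             # unlabeled extra value

    def parse_ipconfig(text):
        """Parse `ipconfig /all` text into {adapter: {address, mask, gateway, dns}}."""
        adapters, cur, last = {}, None, None
        for line in text.splitlines():
            m = ADAPTER_RE.match(line)
            if m:
                cur = adapters.setdefault(m.group(1), {"address": None, "mask": None, "gateway": None, "dns": []})
                last = None
                continue
            if cur is None:
                continue
            m = CONT_RE.match(line)
            if m and last == "DNS Servers":      # 2nd and later DNS servers carry no label
                cur["dns"].append(m.group(1))
                continue
            m = FIELD_RE.match(line)
            if not m:
                continue
            last, value = m.group(1), m.group(2).strip()
            if last in ("IP Address", "IPv4 Address"):
                cur["address"] = value.split("(")[0].strip()   # Vista+ appends "(Preferred)"
            elif last in ("Subnet Mask", "Default Gateway"):
                cur[last.split()[-1].lower()] = value or None  # -> "mask" / "gateway"
            elif last == "DNS Servers" and value:
                cur["dns"].append(value)
        return adapters

    def suspicious_resolvers(adapters, trusted=TRUSTED_RESOLVERS):
        """{adapter: [(server, "on-LAN"|"off-LAN")]} for resolvers that are neither gateway nor trusted."""
        findings = {}
        for name, info in adapters.items():
            if not (info["address"] and info["mask"]):   # disconnected adapter, nothing to check
                continue
            lan = ipaddress.ip_network(f"{info['address']}/{info['mask']}", strict=False)
            flagged = [(s, "on-LAN" if ipaddress.ip_address(s) in lan else "off-LAN")
                       for s in info["dns"] if s != info["gateway"] and s not in trusted]
            if flagged:
                findings[name] = flagged
        return findings
    ```

    Run it over the real `ipconfig /all` output before and after the router reset; an unexpected off-LAN resolver that survives the reset points at the router's own configuration rather than at the PC.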
  22. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Do you think the router is involved

    Not sure how far we've got through the process; but I was wondering whether you think it is possible the router software could be involved? My wife has asked her work to send a new laptop - and of course if she connects and it is carrying something....
  23. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    Urgent problem - router crashed

    Hi
    Followed your steps but my router totally crashed after restoring settings and the only way I can write this is because I have a dongle. My Internet service provider could not help me reset the router.

    Is there anything you suggested which might have caused this and which I could undo with your help? Otherwise - maybe a faulty router - but this seems strange because I have previously restored settings without problem - will have to wait for several days for a new router to be sent out to us...
  24. jonboysylvan

    jonboysylvan TS Rookie Topic Starter Posts: 37

    please hold this thread active

    I'm really grateful for what you've done so far

    I now have to be away from home for a week, so I hope that you'll hold the thread open until I get back next Monday

    best wishes

    J
  25. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Resetting a router shouldn't cause any physical damage, so maybe it was on its way out.

    Keep me posted.

    I'll change topic prefix to "On-hold", so it won't get closed.