TechSpot

Winlogon.exe Trojan Virus

By mojojim
Dec 27, 2010
  1. Hello,

    I'm new to techspot.com and have followed the 6 step posting guide at http://www.techspot.com/vb/topic58138.html.

    Any time I open a new program, AVG pops up with:

    Threat Detected!
    c:\WINDOWS\system32\winlogon.exe
    Trojan horse PSW.Generc7.AUBW
    Detected on open.

    The requested MBAM, Gmer and DDS logs are attached below.

    Any guidance is much appreciated.

    MBAM: No issues found, but when I ran a full scan (prior to coming across the guide) it did find and remove 3 trojan files. That logfile is also included.


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5405

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/27/2010 5:17:48 PM
    mbam-log-2010-12-27 (17-17-48).txt

    Scan type: Quick scan
    Objects scanned: 157152
    Time elapsed: 3 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --------------------------------------------------------------------------------------------

    MBAM full scan:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5405

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/27/2010 5:07:37 PM
    mbam-log-2010-12-27 (17-07-37).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 240745
    Time elapsed: 35 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\6BTOP2GA8A (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\HJRUDZ5DT2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -------------------------------------------------------------------------------------


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-27 17:38:04
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000007d WDC_WD740GD-00FLA2 rev.31.08F31
    Running: yizhwu37.exe; Driver: C:\DOCUME~1\James\LOCALS~1\Temp\pxtdypob.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    ------------------------------------------------------------------------------------------------
    DDS.txt:



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by James at 17:23:40.76 on Mon 12/27/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1285 [GMT -8:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    AV: Sunbelt VIPRE *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    svchost.exe
    C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    F:\AVG\avgtray.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    F:\AVG\avgwdsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MICROS~2\rapimgr.exe
    C:\Documents and Settings\James\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    F:\AVG\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\system32\oodag.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\James\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\James\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\avg\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\james\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Logitech Mouse Settings] "c:\program files\logitech\setpoint\SetPoint.exe"
    mRun: [nwiz] nwiz.exe /install
    mRun: [Turtle Beach Audio Advantage SRM] "c:\program files\turtle beach\audioadvantagesrm\TBAA.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] f:\avg\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123228477747
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123228855983
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
    DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\avg\avgpp.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\o5gsec4s.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\james\application data\mozilla\firefox\profiles\o5gsec4s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\documents and settings\james\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\documents and settings\james\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\james\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npssn.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\windows\system32\solidstatenetworks\solidstateion\npssn.dll
    FF - plugin: f:\itunes\mozilla plugins\npitunes.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\james\application data\Move Networks

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
    R2 avgwd;AVG WatchDog;f:\avg\avgwdsvc.exe [2010-10-22 265400]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-4-15 16384]
    R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\naveng.sys [2009-7-11 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\navex15.sys [2009-7-11 876144]
    S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;f:\avg\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2006-5-27 69120]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-12-30 153416]
    S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-12-30 1107784]

    =============== Created Last 30 ================

    2010-12-28 00:05:36 388096 ----a-r- c:\docume~1\james\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-28 00:02:58 -------- d--h--w- C:\$AVG
    2010-12-27 23:42:55 -------- d-----w- c:\docume~1\james\applic~1\AVG10
    2010-12-27 23:41:58 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-12-27 23:41:18 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-27 23:41:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-12-27 23:36:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-26 20:52:52 -------- d-----w- c:\docume~1\james\locals~1\applic~1\Activision
    2010-12-26 20:22:38 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2010-12-26 20:22:38 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2010-12-26 20:22:38 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2010-12-26 20:22:38 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2010-12-26 20:22:38 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2010-12-26 20:22:38 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2010-12-26 20:22:38 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2010-12-26 20:22:37 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-12-26 20:22:37 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-12-26 20:22:37 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-12-26 20:22:37 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-12-26 20:22:37 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2010-12-16 03:24:13 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 03:23:57 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-11 21:51:17 -------- d-----w- c:\windows\Gary Grigsby's War in the East
    2010-12-08 12:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

    ==================== Find3M ====================

    2010-12-28 01:10:54 3657 --sha-w- c:\windows\system32\mmf.sys
    2010-12-01 05:25:23 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-12-01 05:25:23 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 17:23:54.98 ===============

    ----------------------------------------------------------------------------------------------------
    Attach.txt:



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/5/2005 12:49:13 AM
    System Uptime: 12/27/2010 5:09:57 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | A8N-SLI DELUXE
    Processor: AMD Athlon(tm) 64 FX-57 Processor | Socket 939 | 2814/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 69 GiB total, 44.933 GiB free.
    D: is CDROM (UDF)
    E: is FIXED (NTFS) - 117 GiB total, 24.279 GiB free.
    F: is FIXED (NTFS) - 116 GiB total, 76.716 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Instant Wireless PCI Card V2.7
    Device ID: PCI\VEN_14E4&DEV_4301&SUBSYS_43011737&REV_01\4&13699180&0&4048
    Manufacturer: The Linksys Group, Inc.
    Name: Instant Wireless PCI Card V2.7
    PNP Device ID: PCI\VEN_14E4&DEV_4301&SUBSYS_43011737&REV_01\4&13699180&0&4048
    Service: BCM43XX

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: RAID Controller
    Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_81671043&REV_02\4&13699180&0&5048
    Manufacturer:
    Name: RAID Controller
    PNP Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_81671043&REV_02\4&13699180&0&5048
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\40E55D11D800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\40E55D11D800
    Service: NIC1394

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: WPN311 RangeMax(TM) Wireless PCI Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: NETGEAR, Inc.
    Name: WPN311 RangeMax(TM) Wireless PCI Adapter
    PNP Device ID: ROOT\NET\0000
    Service: AR5211

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.5
    Adobe Shockwave Player
    Advanced Tactics
    Akamai NetSession Interface
    America's Army 3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    AusLogics Registry Defrag
    AutoUpdate
    AVG 2011
    Battlefront
    Big Fish Games: Game Manager
    Bonjour
    Call of Duty: Black Ops
    Call of Duty: Black Ops - Multiplayer
    Call of Duty: Modern Warfare 2
    Call of Duty: Modern Warfare 2 - Multiplayer
    CCScore
    Compatibility Pack for the 2007 Office system
    Debugging Tools for Windows (x86)
    Distant Worlds
    DivX
    Empire: Total War
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    Gary Grigsby's War in the East
    Google Chrome
    Google Gmail Notifier
    Google Toolbar for Internet Explorer
    Hearts of Iron 3
    Heroes of Newerth
    Highlight Viewer (Windows Live Toolbar)
    HiJackThis
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InstallXML
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Jasc Animation Shop 3
    Jasc Paint Shop Pro 9
    Java(TM) SE Runtime Environment 6 Update 1
    Kharkov
    Kodak EasyShare software
    KSignAccessToolkit v1.0
    LiveUpdate 2.0 (Symantec Corporation)
    Logitech Audio Echo Cancellation Component
    Logitech Desktop Messenger
    Logitech Harmony Remote Software 7
    Logitech QuickCam
    Logitech SetPoint
    Logitech Video Enumerator
    Logitech® Camera Driver
    Luxor 3
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    MaxBlast 4
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Managed DirectX (1126)
    Microsoft Office 2000 SR-1 Disc 2
    Microsoft Office 2000 SR-1 Small Business
    Microsoft Outlook 2002
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows Media Video 9 VCM
    Move Media Player
    Mozilla Firefox (3.0.19)
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MVision
    netbrdg
    NVIDIA Drivers
    NVIDIA PhysX
    O&O Defrag Professional Edition
    OfotoXMI
    OGA Notifier 2.0.0048.0
    OpenAL
    Paint Shop Pro 7 Evaluation
    Portal
    PunkBuster Services
    QuickTime
    Ragnarok Online
    Ragnarok Renewal
    Realtek AC'97 Audio
    Red Orchestra
    Remote Control USB Driver
    Security Task Manager 1.7e
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SFR
    SHASTA
    Sid Meier's Pirates!
    Sins of a Solar Empire
    skin0001
    SKINXSDK
    Smart Menus (Windows Live Toolbar)
    Solid State ION Mozilla Plugin
    Spybot - Search & Destroy
    staticcr
    Steam(TM)
    Symantec AntiVirus
    Theatre of War 2 Kursk 1943 Demo (Remove Only)
    tooltips
    Uniblue RegistryBooster
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Ventrilo Client
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    VPRINTOL
    WebFldrs XP
    Winamp (remove only)
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Favorites for Windows Live Toolbar
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Upload Tool
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix - KB894476
    Windows XP Service Pack 3
    WinFast(R) Display Driver
    WinRAR archiver
    WIRELESS
    Wireless-B PCI Adapter WLAN Monitor

    ==== Event Viewer Messages From Past Week ========

    12/27/2010 5:08:03 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The ProtexisLicensing service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The O&O Defrag service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The LicCtrl Service service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
    12/27/2010 5:08:02 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/26/2010 12:10:49 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/26/2010 1:07:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
    12/26/2010 1:07:16 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SAVRT' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    You're running two AV programs, AVG and Norton.
    One of them has to go.
    If Norton (preferably), use AppRemover to uninstall it: http://www.appremover.com/

    Then.....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. mojojim

    mojojim TS Rookie Topic Starter

    Thanks Broni! I removed Norton, then uninstalled AVG, ran combofix and re-installed AVG. Log is here:


    ComboFix 10-12-26.01 - James 12/27/2010 19:08:17.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1632 [GMT -8:00]
    Running from: c:\documents and settings\James\My Documents\Downloads\ComboFix.exe
    AV: Sunbelt VIPRE *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_BOONTY_GAMES
    -------\Legacy_SSHNAS
    -------\Legacy_TDSSSERV.SYS
    -------\Service_Boonty Games


    ((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
    .

    2010-12-28 00:05 . 2010-12-28 00:05 388096 ----a-r- c:\documents and settings\James\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-28 00:02 . 2010-12-28 00:02 -------- d-----w- C:\$AVG
    2010-12-27 23:41 . 2010-12-27 23:41 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-12-27 23:41 . 2010-12-28 03:01 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-26 20:52 . 2010-12-26 20:52 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\Activision
    2010-12-26 20:22 . 2010-06-02 12:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2010-12-26 20:22 . 2010-06-02 12:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2010-12-26 20:22 . 2010-06-02 12:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2010-12-26 20:22 . 2010-05-26 19:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2010-12-26 20:22 . 2010-05-26 19:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2010-12-26 20:22 . 2010-05-26 19:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2010-12-26 20:22 . 2010-05-26 19:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2010-12-26 20:22 . 2010-05-26 19:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2010-12-26 20:22 . 2010-02-04 18:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-12-26 20:22 . 2010-02-04 18:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-12-26 20:22 . 2010-02-04 18:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-12-26 20:22 . 2010-02-04 18:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-12-16 03:24 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 03:23 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-11 21:51 . 2010-12-11 21:51 -------- d-----w- c:\windows\Gary Grigsby's War in the East

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-28 01:11 . 2010-04-21 06:47 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-12-21 02:09 . 2010-04-21 05:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 02:08 . 2010-04-21 05:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-01 05:25 . 2007-03-17 04:24 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-12-01 05:25 . 2009-12-31 15:54 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-12-01 05:25 . 2007-03-16 03:34 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-11-18 18:12 . 2005-08-05 07:46 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26 . 2004-01-08 22:23 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2001-08-23 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\James\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-03 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "Logitech Mouse Settings"="c:\program files\Logitech\SetPoint\SetPoint.exe" [2005-08-04 528384]
    "nwiz"="nwiz.exe" [2007-12-05 1626112]
    "Turtle Beach Audio Advantage SRM"="c:\program files\Turtle Beach\AudioAdvantageSRM\TBAA.exe" [2007-05-09 1679360]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
    "SoundMan"="SOUNDMAN.EXE" [2004-11-16 77824]
    "LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
    "HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-12-16 6347584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-11-10 528384]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0f:\avg\avgchsvx.exe /sync\0f:\avg\avgrsx.exe /sync /restart

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Mozilla Firefox\\plugins\\solidnm.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Matrix Games\\Kharkov\\update.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "e:\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"=
    "c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "e:\\Steam\\SteamApps\\common\\hearts of iron 3\\hoi3game.exe"=
    "e:\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
    "c:\\Matrix Games\\Distant Worlds\\update.exe"=
    "e:\\Steam\\SteamApps\\oberstbix90\\age of chivalry\\hl2.exe"=
    "e:\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
    "e:\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "f:\\iTunes\\iTunes.exe"=
    "e:\\Steam\\SteamApps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
    "e:\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
    "e:\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
    "f:\\AVG\\avgnsx.exe"=
    "f:\\AVG\\avgmfapx.exe"=
    "f:\\AVG\\avgemcx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "13899:TCP"= 13899:TCP:SolidNetworkManager
    "13899:UDP"= 13899:UDP:SolidNetworkManager
    "1035:TCP"= 1035:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 4:00 AM 14336]
    R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [4/15/2006 7:52 AM 16384]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 2:07 PM 24652]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

    2010-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1085031214-839522115-1003Core.job
    - c:\documents and settings\James\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 16:00]

    2010-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1085031214-839522115-1003UA.job
    - c:\documents and settings\James\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 16:00]

    2010-12-28 c:\windows\Tasks\RegistryBooster.job
    - c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-09-16 15:25]

    2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{C71CCB61-F7F2-4AFF-B095-B70C915532C0}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
    DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
    FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\o5gsec4s.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - f:\avg\Firefox
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\James\Application Data\Move Networks
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    AddRemove-Raganrok Renewal - c:\windows\IFinst27.exe
    AddRemove-Ragnarok Online - c:\windows\IFinst27.exe
    AddRemove-SolidStateIONMozilla - c:\windows\system32\SolidStateNetworks\SolidStateION\soliduninstall
    AddRemove-{9AFA9294-C7A4-4DD5-ADBE-3DFC98752417}_is1 - c:\program files\Battlefront\1C Company\Theatre of War 2 Kursk 1943 Demo\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-27 19:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1960408961-1085031214-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1960408961-1085031214-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:0a,0c,f2,0f,e5,2f,7e,50,7e,e3,db,c4,aa,eb,8a,24,8d,49,bb,47,a4,ae,6d,
    0b,2e,b1,dc,b8,be,1c,f6,1d,83,73,58,a8,b8,79,b3,47,07,b7,64,31,a5,5e,b2,04,\
    "??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

    [HKEY_USERS\S-1-5-21-1960408961-1085031214-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:1c,8d,8a,ec,f3,cf,a2,1a,26,2e,ae,60,a9,da,1c,31,9f,ef,e5,93,1f,
    c7,fe,26,9f,c9,8a,0b,72,26,89,09,7f,1b,ce,f4,e7,59,c3,ca,a3,39,ef,2d,cd,d2,\
    "rkeysecu"=hex:c6,21,1f,e4,86,40,e0,86,37,a6,82,62,99,e3,e5,2f

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
    "1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
    25
    "2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
    c3
    "3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
    8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\0685B4039E83FFC215FE6F791AF60AF7]
    "1"=hex:e4,aa,f8,f3,74,8d,9e,c8,87,9d,1b,26,37,fe,f3,a9,e1,65,0b,4e,76,5e,be,
    cc,22,d3,ec,74,16,8a,da,65,11,e3,07,bb,51,b8,fc,76
    "2"=hex:e6,a5,36,9f,11,44,9e,82
    "3"=hex:e5,c8,d6,7c,ce,6b,bb,2d,13,db,f7,e4,30,c3,ba,69,dc,c4,01,e8,22,26,32,
    24,43,3e,53,02,2c,8b,d5,ae,50,be,43,7b,0c,2d,44,ed,65,59,10,e9,70,ca,a4,41,\
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:e4,aa,f8,f3,74,8d,9e,c8,87,9d,1b,26,37,fe,f3,a9,e1,65,0b,4e,76,5e,be,
    cc,22,d3,ec,74,16,8a,da,65,0f,c0,7a,f1,45,b0,3f,7f,c9,37,5a,04,b6,c9,a9,b4,\
    "7"=hex:93,41,de,56,34,94,a7,b2,fc,ed,3e,91,10,66,4e,1a,c6,31,42,b5,d7,5d,59,
    d2,15,2d,46,f0,84,ba,60,d2,1d,15,55,8f,94,36,ff,d9,13,fd,dc,f4,43,be,c7,61,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
    64,0b,26,ce,91,53,4b,53,9a,85,70,6c,f0,9f,1f,18,c9,f3,fb,e2,b4,f6,a7,d8,a5,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:d0,71,12,cb,08,b7,a7,d6
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:7d,56,b3,16,27,0d,30,a6,b4,2d,9e,0d,54,83,5d,aa,d4,f5,fb,b7,0f,44,39,
    b5,33,e9,c5,80,72,5d,6d,b9,09,3a,0f,47,4a,c2,50,47,08,06,28,9d,19,74,53,7f,\
    "13"=hex:6d,bf,7e,aa,05,42,35,08,4b,33,c2,d7,c6,7f,51,54,29,6c,f3,2f,f1,5c,70,
    bf,70,61,3f,f1,96,b8,9a,3f,6c,0c,4d,4c,c3,07,c4,46
    "14"=hex:3b,83,6e,d7,a9,36,c1,1e,90,df,83,d2,e7,7a,4d,c7
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:fc,8f,db,01,51,48,8e,9c,2d,37,6a,fc,44,0b,64,a6
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    "15"=hex:bd,76,d1,9c,87,27,ca,41,12,f9,7a,b1,fe,8c,8c,07,6d,72,70,5c,f0,62,e3,
    f9,aa,25,a1,a9,a7,2b,24,25,c6,8f,d3,b1,cf,93,c6,3a,8c,96,05,cf,ec,ed,33,51,\

    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B3E62936FE1487AF4E0CC9BD2A26433C]
    "1"=hex:df,c7,3a,96,ab,66,13,d2,35,84,aa,2e,3b,c4,59,82
    "2"=hex:a5,2d,b1,39,25,57,b6,7c,bd,55,f5,f4,85,30,c7,12
    "3"=hex:d2,33,fd,7c,c2,99,0e,fb,95,99,42,3e,5f,e6,cb,8d,2e,25,e9,14,7d,a7,9a,
    61,5d,3a,bb,52,35,19,05,fa,7d,b2,b6,2b,a6,c3,2f,9c,b2,98,a0,45,80,79,bc,4b,\
    "4"=hex:2f,ad,a2,e7,8a,bf,05,5e
    "5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
    1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
    "6"=hex:df,c7,3a,96,ab,66,13,d2,0e,90,72,68,c4,63,c8,bb,00,5d,70,3b,08,36,97,
    bd,ee,04,c1,4a,7c,6f,fd,5f,f7,67,d1,43,f2,ef,e6,1c,89,7c,fa,9f,4c,d6,39,08,\
    "7"=hex:93,41,de,56,34,94,a7,b2,13,ca,26,2f,35,a5,e0,53,1e,d5,e7,20,4a,dd,09,
    c9,2d,37,7b,a2,3c,71,f4,5e,ed,02,2a,97,fd,fb,2c,72,12,5f,23,ff,c4,2a,48,c4,\
    "8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
    64,c9,4f,a5,f8,51,27,e9,29,77,5c,86,6d,0a,20,f9,c7,d7,30,8a,47,ce,07,3e,13,\
    "9"=hex:81,20,8f,ab,28,6a,52,9c
    "18"=hex:d0,71,12,cb,08,b7,a7,d6
    "10"=hex:81,20,8f,ab,28,6a,52,9c
    "11"=hex:81,20,8f,ab,28,6a,52,9c
    "12"=hex:56,22,2d,86,89,ba,a9,f2,ec,6a,e9,66,d0,11,f8,64,2a,92,45,89,a2,63,76,
    a7,fb,1a,71,cb,a6,6b,b8,d8,2f,9d,90,59,b2,8d,b0,95,67,65,f2,7d,a3,fc,3c,39,\
    "13"=hex:0c,07,09,f8,d6,bc,fc,50,8e,3a,03,94,c8,13,7d,9c,df,f0,72,b0,20,73,30,
    d5,eb,61,cd,d7,f5,f9,06,2f,8e,27,76,4b,91,e6,aa,f6
    "14"=hex:d2,08,a4,82,f1,1a,a0,b4,f5,1f,60,13,49,13,4c,d5
    "24"=hex:81,20,8f,ab,28,6a,52,9c
    "26"=hex:81,20,8f,ab,28,6a,52,9c
    "27"=hex:81,20,8f,ab,28,6a,52,9c
    "19"=hex:7e,41,81,a4,10,d1,f2,9f,85,0c,92,e9,97,05,af,6e
    "22"=hex:81,20,8f,ab,28,6a,52,9c
    "15"=hex:6d,7d,47,2e,56,8b,e0,59,79,81,46,f4,be,4c,8e,78,1c,6c,d7,71,f3,71,7c,
    b9,ae,88,75,d3,a0,e4,7a,5f,06,3e,f0,b9,5f,e8,ef,97,57,88,09,96,42,7f,d7,b8,\

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"="C66F5062FB4B31CB8D6A223B669C3351F74E3A83441F1B156E8FD6BAF39E3FCF0C05DB785A65572AEAAB09D5AD62F251663D3B24C12A08D5FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79339DB7CE019D40AA5C9DB7CE019D40AA5CA9C6AECB7A5D1407862CB82A26BBA06D1FF2696675894AFB04F7844543F45B67A420C1665A18914851C05A753B80AABE0533CE5B7123F2D94D37B14E7AB05A4231AA9525BE2EA5C0B08CF48194DF2206D5D13C47D70DF255528756E994006F6BAD4DD4FDB3F1064883121F24CD293E38D0AE33C5F780BDB6D4477C182DAB63210002B5F5C85977B4ED08558A079DDDDE7ADD1AC69EACE65E5A06942D68ECA6B74CF54DE711CBDF6C575879B1E46F01161B26398DA434A9BEAA88ED5369F24B157C0A9802A1A44D6DE922CE6C0DCACB10BE83BFB25E2C64DC53C54005DBE10835BF54F4C315B56DC61638FD62AC4A0992B526BCA02C1E9752276C2795ECCFB728071FA7858BC1169D0E9F930E7281A4F59470A618EC89EACFB8DC1F284D485A100BE6D77027803D29C8147F3D13732FA8B2FAD7AC845F2715E3A98CB534491224425E10018E9E01B6818416944599DD2AAC8F8B465D063A7BC21D338B59C7A5B16DE9C00AEB3B20273812900945E08912612F6521E3D6356A39344049FBA880950EA2BD316FEC7EECAF958A66D22BAE87F60DE94B8721CF606B1DBFE5DC4932446BD63C7049B8A390ED1605CB314C6F495591822ABDA5E271413E262842F66BC48D09D816311C3C304055E42A280F10A72756FA75FE1CEC43E9AFC8ADF4F404B2C26D13C1E20718F9B4C4F0CA03AEF887DD2C8738482D8F0F563EE1E6C3F977BB1F6DCEEB1CDDAA339D0B564612DCB664AC173C539AF610243A6A90180032652577A7525C1F760CB41381A68CA83E7C498C4C9278F80BD9641067565CFEBB0FC6E56CCAB1B3A0F7E9EFB7D3601EEC1C58B8BA6732EC71F8C6141F9A9D9AA95C89494245DC2319CF53D3EF39574FF411C6B27EFC5A8322A0D3482EA61E3004576DC26237253D951584212191DE9A57765DBE6D7921CD8BA62B7164A9F2A1C43007B93A7723D4BD70A70076FBB2E2098E7AE28EE3895F90838098C7370454DAB87BD6EAC0453FACAF775A4C7F671374BD8E6D9C2B6D5186D7170A0EC20EB2AAE7080A4BB14D5874BF43603703E313F50D9F6D0820F641B7624A5826A8A22A88597B846250D07D1737F1847CD362555DA8463774F927CD628B89D83028A62B434BB8BB7102B9128DCC7AFE1821F04CF0E030E2384F509C385BD5A37FE0D02D1621B76A6613C4FD445BE84AB600F36E692D9DCC609F9956DE81C6969DDB31A837E10210E8B2052A19645DA43CE8A0B9F3A4E595ABCB02A871CE85D24882269B4BB738"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(8260)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\oodag.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PSIService.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\SOUNDMAN.EXE
    c:\program files\Microsoft ActiveSync\wcescomm.exe
    c:\documents and settings\James\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    c:\progra~1\MICROS~2\rapimgr.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-27 19:16:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-28 03:16

    Pre-Run: 49,082,675,200 bytes free
    Post-Run: 48,967,086,080 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

    - - End Of File - - BBA612E268A98A3C9D79B01BB4832209
     
  4. mojojim

    mojojim TS Rookie Topic Starter

    I just had another message from AVG pop up, while my computer was sitting idle:

    c:\System Volume Information\_restore-{98DE1A25-2A3F-4C64-AAA4-0ACE7802E9E9}-\RP1\A0000025.exe
    Trojan horse PSW.Generic7.AUBW
    Detected on open.
     
  5. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    That's one of your restore points.
    You can safely ignore it for now.
    We'll reset all restore points at the end of out cleaning process.

    ======================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOl, AIM, Compuserve, etc.

    ====================================================================

    Uninstall Uniblue RegistryBooster

    Registry cleaners/optimizers are not recommended for several reasons:

    • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

      The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
    • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
    • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
    • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
    • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
    Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


    =====================================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  6. mojojim

    mojojim TS Rookie Topic Starter

    Thanks again. I removed Viewopint and Uniblue and I'll be careful around registry editors in the future.

    OTL.txt:


    OTL logfile created on: 12/27/2010 11:40:05 PM - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\James\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): E:\pagefile.sys 4092 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 69.23 Gb Total Space | 45.04 Gb Free Space | 65.06% Space Free | Partition Type: NTFS
    Drive D: | 7.39 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive E: | 117.42 Gb Total Space | 24.28 Gb Free Space | 20.68% Space Free | Partition Type: NTFS
    Drive F: | 116.34 Gb Total Space | 77.15 Gb Free Space | 66.31% Space Free | Partition Type: NTFS

    Computer Name: JIM | User Name: James | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/12/27 23:39:00 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\My Documents\Downloads\OTL.exe
    PRC - [2010/12/05 16:26:40 | 000,654,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
    PRC - [2010/12/05 16:26:12 | 000,650,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
    PRC - [2010/12/01 04:14:46 | 001,084,256 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
    PRC - [2010/11/23 13:34:16 | 000,724,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    PRC - [2010/11/23 13:34:14 | 006,128,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    PRC - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
    PRC - [2010/10/22 04:57:54 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
    PRC - [2010/10/22 04:56:58 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
    PRC - [2010/10/15 04:14:05 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\James\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    PRC - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2010/02/21 16:45:36 | 000,016,384 | ---- | M] () -- C:\WINDOWS\Runservice.exe
    PRC - [2009/02/06 16:02:14 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/06/05 12:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
    PRC - [2007/05/11 01:09:48 | 001,050,120 | ---- | M] (O&O Software GmbH) -- C:\WINDOWS\system32\oodag.exe
    PRC - [2007/05/08 17:51:22 | 001,679,360 | ---- | M] (Voyetra Turtle Beach, Inc.) -- C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe
    PRC - [2007/02/06 16:45:26 | 000,109,344 | ---- | M] (Logitech Inc.) -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    PRC - [2006/11/13 12:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    PRC - [2006/11/13 12:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
    PRC - [2005/08/04 02:42:00 | 000,528,384 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
    PRC - [2005/08/04 02:42:00 | 000,028,160 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    PRC - [2004/11/15 17:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
    PRC - [2001/09/24 09:39:28 | 000,098,304 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/12/27 23:39:00 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\My Documents\Downloads\OTL.exe
    MOD - [2010/08/23 08:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2007/02/06 16:45:14 | 000,092,960 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll
    MOD - [2005/08/04 02:42:00 | 000,057,344 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/12/08 20:16:17 | 003,020,888 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_aeec0f0.dll -- (Akamai)
    SRV - [2010/11/23 13:34:14 | 006,128,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
    SRV - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/02/21 16:45:36 | 000,016,384 | ---- | M] () [Auto | Running] -- C:\WINDOWS\Runservice.exe -- (LicCtrlService)
    SRV - [2009/02/06 16:02:14 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2007/06/05 12:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
    SRV - [2007/05/11 01:09:48 | 001,050,120 | ---- | M] (O&O Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\oodag.exe -- (O&O Defrag)
    SRV - [2007/02/06 16:47:12 | 000,105,248 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
    SRV - [2007/02/06 16:45:26 | 000,109,344 | ---- | M] (Logitech Inc.) [Auto | Running] -- c:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
    SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
    SRV - [2003/07/29 13:41:42 | 000,458,752 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe -- (NICSer_WMP11)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\SBREDrv.sys -- (SBRE)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\RimUsb.sys -- (RimUsb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
    DRV - [2010/12/08 04:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2010/11/12 13:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2010/09/13 15:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
    DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
    DRV - [2010/08/19 20:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV - [2010/08/19 20:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV - [2010/08/19 20:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
    DRV - [2008/04/13 10:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2008/04/13 10:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
    DRV - [2007/12/05 00:41:00 | 007,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2007/02/06 16:45:04 | 000,025,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2007/02/06 16:44:36 | 001,964,064 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
    DRV - [2007/02/06 16:42:40 | 001,691,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
    DRV - [2006/07/01 21:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
    DRV - [2005/11/25 16:07:53 | 000,015,890 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
    DRV - [2005/11/03 06:40:07 | 000,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
    DRV - [2005/10/03 10:07:34 | 001,334,272 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmudau.sys -- (cmudau)
    DRV - [2005/09/16 08:46:30 | 000,044,224 | R--- | M] (BVRP Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2005/08/10 04:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
    DRV - [2005/07/22 23:41:46 | 000,026,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
    DRV - [2005/07/22 23:41:42 | 000,068,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
    DRV - [2005/07/22 23:41:08 | 000,055,040 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042MOU.SYS -- (L8042mou)
    DRV - [2005/07/22 23:40:58 | 000,013,440 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.SYS -- (L8042Kbd)
    DRV - [2005/05/16 05:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
    DRV - [2005/01/27 17:51:02 | 000,400,288 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WPN311.sys -- (AR5211)
    DRV - [2004/11/17 18:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2004/11/10 19:56:40 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
    DRV - [2004/11/10 19:56:38 | 000,033,408 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
    DRV - [2004/11/03 12:58:20 | 000,086,144 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys -- (nvatabus)
    DRV - [2004/08/18 15:21:00 | 000,189,568 | R--- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2004/08/13 02:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
    DRV - [2003/09/25 22:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)
    DRV - [2003/02/12 14:29:00 | 000,166,272 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcmwl5.sys -- (BCM43XX)
    DRV - [2001/08/17 06:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
    DRV - [2001/08/01 15:36:18 | 000,348,169 | ---- | M] (Philips Semiconductors) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CamDrL21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0)
    DRV - [2000/10/15 17:38:54 | 000,016,068 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E D7 6F B3 D2 A0 CB 01 [binary data]
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Google"
    FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
    FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
    FF - prefs.js..network.proxy.type: 4


    FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/12/27 20:31:06 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/13 23:20:10 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/12 18:03:45 | 000,000,000 | ---D | M]

    [2009/04/20 16:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Extensions
    [2010/12/27 17:46:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\o5gsec4s.default\extensions
    [2009/09/08 21:04:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\o5gsec4s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/09/12 20:52:19 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\o5gsec4s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2010/12/26 15:46:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2006/12/22 20:40:35 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
    [2007/12/30 16:08:28 | 000,102,400 | ---- | M] (Solid State Networks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npssn.dll

    O1 HOSTS File: ([2010/12/27 19:12:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
    O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
    O4 - HKLM..\Run: [Logitech Mouse Settings] C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
    O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe (Logitech Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [Turtle Beach Audio Advantage SRM] C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe (Voyetra Turtle Beach, Inc.)
    O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab (Reg Error: Key error.)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123228477747 (WUWebControl Class)
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123228855983 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} http://www.tricksteronline.com/control/tricksterActiveX.cab (TricksterActiveX Control)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} http://www.tricksteronline.com/control/KALogoutComponent.cab (Logout Class)
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab (Reg Error: Key error.)
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/08/04 23:48:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2010/09/23 11:32:44 | 000,000,133 | R--- | M] () - D:\autorun.inf -- [ UDF ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (OODBS) - C:\WINDOWS\System32\OODBS.exe (O&O Software GmbH)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
    Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
    Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (12398453892055040)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/12/27 20:32:22 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/12/27 20:32:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Application Data\AVG10
    [2010/12/27 20:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2010/12/27 20:30:41 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
    [2010/12/27 20:28:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2010/12/27 19:07:42 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/12/27 19:05:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/12/27 19:05:47 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/12/27 19:05:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/12/27 19:05:47 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/12/27 19:05:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/12/27 19:05:42 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/12/27 19:05:28 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/12/27 16:46:11 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\TFC.exe
    [2010/12/27 16:02:58 | 000,000,000 | ---D | C] -- C:\$AVG
    [2010/12/27 15:41:58 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2010/12/27 15:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\My Documents\Starcraft2
    [2010/12/27 15:41:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
    [2010/12/27 15:33:30 | 003,216,374 | ---- | C] (Blizzard Entertainment) -- C:\Documents and Settings\James\Desktop\StarCraft_2_NA_en-US.exe
    [2010/12/26 12:52:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\James\Local Settings\Application Data\Activision
    [2010/12/11 13:51:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\Gary Grigsby's War in the East
    [2010/12/08 04:12:38 | 000,251,728 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys

    ========== Files - Modified Within 30 Days ==========

    [2010/12/27 23:19:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1085031214-839522115-1003UA.job
    [2010/12/27 20:33:01 | 102,785,539 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2010/12/27 20:31:30 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
    [2010/12/27 20:26:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/12/27 20:26:40 | 000,003,657 | -HS- | M] () -- C:\WINDOWS\System32\mmf.sys
    [2010/12/27 20:26:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/12/27 20:26:23 | 000,269,440 | ---- | M] () -- C:\WINDOWS\System32\oodbs.lor
    [2010/12/27 19:12:57 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/12/27 19:07:44 | 000,000,339 | RHS- | M] () -- C:\boot.ini
    [2010/12/27 17:15:23 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\James\Desktop\yizhwu37.exe
    [2010/12/27 17:11:29 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/12/27 17:10:32 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C71CCB61-F7F2-4AFF-B095-B70C915532C0}.job
    [2010/12/27 16:46:07 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\TFC.exe
    [2010/12/27 16:05:41 | 000,002,313 | ---- | M] () -- C:\Documents and Settings\James\Desktop\HiJackThis.lnk
    [2010/12/27 15:33:32 | 003,216,374 | ---- | M] (Blizzard Entertainment) -- C:\Documents and Settings\James\Desktop\StarCraft_2_NA_en-US.exe
    [2010/12/26 12:41:28 | 000,000,201 | ---- | M] () -- C:\Documents and Settings\James\Desktop\Call of Duty Black Ops.url
    [2010/12/26 12:41:28 | 000,000,201 | ---- | M] () -- C:\Documents and Settings\James\Desktop\Call of Duty Black Ops - Multiplayer.url
    [2010/12/21 23:37:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/16 16:25:32 | 000,529,408 | ---- | M] () -- C:\Documents and Settings\James\Desktop\NFL PR PLAN FINAL-2.doc
    [2010/12/16 12:01:53 | 000,261,432 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/12/16 11:25:17 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/12/15 21:27:57 | 000,043,008 | ---- | M] () -- C:\Documents and Settings\James\My Documents\Campaign.doc
    [2010/12/15 19:40:09 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/12/14 00:17:21 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\James\My Documents\indy2.doc
    [2010/12/14 00:17:10 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\James\My Documents\industryanalysis.doc
    [2010/12/11 13:53:57 | 000,001,720 | ---- | M] () -- C:\Documents and Settings\James\Desktop\Gary Grigsby's War in the East (Game Menu).lnk
    [2010/12/09 01:20:14 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\James\My Documents\partiii.doc
    [2010/12/09 01:17:33 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\James\My Documents\Creation.doc
    [2010/12/08 04:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
    [2010/11/30 21:25:31 | 000,137,544 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2010/11/30 21:25:23 | 000,189,480 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr

    ========== Files Created - No Company Name ==========

    [2010/12/27 20:33:01 | 102,785,539 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2010/12/27 20:31:30 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
    [2010/12/27 19:07:44 | 000,000,223 | ---- | C] () -- C:\Boot.bak
    [2010/12/27 19:07:43 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/12/27 19:05:47 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/12/27 19:05:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/12/27 19:05:47 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/12/27 19:05:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/12/27 19:05:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/12/27 17:15:25 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\James\Desktop\yizhwu37.exe
    [2010/12/27 16:05:36 | 000,002,313 | ---- | C] () -- C:\Documents and Settings\James\Desktop\HiJackThis.lnk
    [2010/12/26 12:41:28 | 000,000,201 | ---- | C] () -- C:\Documents and Settings\James\Desktop\Call of Duty Black Ops.url
    [2010/12/26 12:41:28 | 000,000,201 | ---- | C] () -- C:\Documents and Settings\James\Desktop\Call of Duty Black Ops - Multiplayer.url
    [2010/12/16 16:25:32 | 000,529,408 | ---- | C] () -- C:\Documents and Settings\James\Desktop\NFL PR PLAN FINAL-2.doc
    [2010/12/15 20:30:17 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\James\My Documents\Campaign.doc
    [2010/12/15 19:40:09 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/12/13 23:51:15 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\James\My Documents\indy2.doc
    [2010/12/13 21:51:05 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\James\My Documents\industryanalysis.doc
    [2010/12/11 13:53:57 | 000,001,720 | ---- | C] () -- C:\Documents and Settings\James\Desktop\Gary Grigsby's War in the East (Game Menu).lnk
    [2010/12/09 01:17:33 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\James\My Documents\Creation.doc
    [2010/12/09 00:46:59 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\James\My Documents\partiii.doc
    [2010/11/06 18:49:29 | 000,000,072 | ---- | C] () -- C:\WINDOWS\JascCmdFile.INI
    [2010/04/20 22:47:12 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/02/12 00:03:57 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    [2010/02/10 13:08:49 | 000,000,260 | ---- | C] () -- C:\WINDOWS\_delis32.ini
    [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
    [2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
    [2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
    [2008/05/24 10:50:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OODCNT.INI
    [2008/03/27 11:54:01 | 000,000,168 | RHS- | C] () -- C:\WINDOWS\System32\55F1397EE9.sys
    [2008/01/03 21:01:36 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\cmdrvrmu.dll
    [2008/01/03 20:56:26 | 000,000,093 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/01/03 19:21:01 | 000,086,016 | ---- | C] () -- C:\WINDOWS\CMedia.dll
    [2007/12/30 17:45:21 | 000,139,152 | ---- | C] () -- C:\Documents and Settings\James\Application Data\PnkBstrK.sys
    [2007/12/15 01:46:41 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\E97E39F155.sys
    [2007/12/15 01:27:04 | 000,007,308 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2007/08/07 18:22:22 | 000,141,180 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
    [2007/03/16 20:24:25 | 000,137,544 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2007/02/06 16:45:04 | 000,025,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
    [2007/02/06 16:42:40 | 001,691,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\Lvckap.sys
    [2006/12/29 12:12:56 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2006/12/29 12:12:56 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2006/12/29 12:12:55 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2006/12/29 12:12:55 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
    [2006/12/29 12:12:55 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2006/12/29 12:12:55 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
    [2006/11/20 19:03:33 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\James\Local Settings\Application Data\fusioncache.dat
    [2006/11/05 12:58:27 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\James\Application Data\$_hpcst$.hpc
    [2006/07/26 18:05:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2006/06/21 02:33:40 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
    [2006/04/15 07:52:47 | 000,048,640 | ---- | C] () -- C:\WINDOWS\mmfs.dll
    [2006/04/15 07:52:47 | 000,003,657 | -HS- | C] () -- C:\WINDOWS\System32\mmf.sys
    [2006/04/09 13:21:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
    [2005/12/11 13:33:11 | 000,000,080 | ---- | C] () -- C:\WINDOWS\CoD.ini
    [2005/11/27 20:54:01 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
    [2005/10/25 20:58:13 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
    [2005/08/06 03:29:25 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
    [2005/08/05 01:38:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/08/05 00:35:28 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2005/08/05 00:33:22 | 000,000,269 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
    [2005/08/05 00:30:12 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
    [2005/08/05 00:30:12 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
    [2005/08/05 00:28:32 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
    [2005/08/05 00:28:31 | 000,006,379 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2005/08/05 00:28:29 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2002/12/31 16:29:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [1999/01/22 10:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

    ========== LOP Check ==========

    [2010/12/27 20:31:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2010/08/18 20:23:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BioWare
    [2006/05/27 14:19:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BOONTY
    [2010/12/27 15:41:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2010/09/15 19:57:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/12/27 20:30:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2008/12/22 21:48:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
    [2007/03/15 19:01:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software
    [2008/12/22 15:53:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment
    [2006/06/16 18:27:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
    [2005/08/05 01:43:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
    [2008/02/03 16:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    [2010/11/27 03:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/12/27 23:32:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/08/23 08:07:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
    [2010/04/27 07:31:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2006/11/09 18:23:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Aim
    [2008/05/24 10:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Auslogics
    [2010/12/27 20:32:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\AVG10
    [2007/04/28 13:43:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Azureus
    [2010/03/27 16:10:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Code Force Limited
    [2006/03/12 21:54:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\DownloadManager
    [2010/09/15 20:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Dyxuub
    [2007/06/17 20:08:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\eLanguage
    [2006/07/01 10:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Gearbox Software
    [2009/05/25 19:37:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\GetRightToGo
    [2007/12/30 03:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Jasc
    [2008/11/04 23:40:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Skinux
    [2009/10/13 07:43:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\The Creative Assembly
    [2010/09/15 19:59:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Uniblue
    [2010/12/26 16:34:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\uTorrent
    [2007/06/07 17:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Viewpoint
    [2008/12/09 00:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\W Photo Studio Viewer
    [2010/12/27 17:10:32 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{C71CCB61-F7F2-4AFF-B095-B70C915532C0}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========
     
  7. mojojim

    mojojim TS Rookie Topic Starter

    OTL continued:

    < %SYSTEMDRIVE%\*.* >
    [2005/08/04 23:48:05 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/08/08 13:51:52 | 000,000,223 | ---- | M] () -- C:\Boot.bak
    [2010/12/27 19:07:44 | 000,000,339 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/12/27 19:16:49 | 000,022,664 | ---- | M] () -- C:\ComboFix.txt
    [2005/08/04 23:48:05 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2005/08/04 23:48:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2007/05/13 01:56:10 | 000,002,185 | -H-- | M] () -- C:\IPH.PH
    [2005/08/04 23:48:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2005/08/05 00:24:05 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/09/21 14:50:38 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2009/06/16 21:13:17 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
    [2009/06/20 13:33:26 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
    [2009/08/13 20:13:22 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
    [2009/08/17 20:42:38 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
    [2009/08/19 20:10:31 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
    [2009/08/20 18:16:58 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
    [2009/08/23 07:56:29 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
    [2009/08/23 21:09:05 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
    [2009/08/28 18:03:51 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
    [2009/08/31 07:39:29 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
    [2009/10/18 20:50:31 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
    [2009/10/19 18:35:13 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
    [2009/10/22 17:53:56 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
    [2009/10/24 08:23:35 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
    [2009/05/12 06:57:24 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
    [2009/05/29 08:11:12 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
    [2009/05/31 14:17:09 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
    [2009/06/03 19:25:50 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
    [2009/06/07 10:37:59 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
    [2009/06/09 16:03:29 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
    [2009/06/16 21:13:17 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
    [2009/06/20 13:33:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
    [2009/08/13 20:13:22 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
    [2009/08/17 20:42:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
    [2009/08/19 20:10:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
    [2009/08/20 18:16:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
    [2009/08/23 07:56:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
    [2009/08/23 21:09:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
    [2009/08/28 18:03:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
    [2009/08/31 07:39:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
    [2009/10/18 20:50:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
    [2009/10/19 18:35:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
    [2009/10/22 17:53:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
    [2009/10/24 08:23:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
    [2009/05/12 06:57:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
    [2009/05/29 08:11:12 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
    [2009/05/31 14:17:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
    [2009/06/03 19:25:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
    [2009/06/07 10:37:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
    [2009/06/09 16:03:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
    [2010/12/27 18:53:15 | 000,009,788 | ---- | M] () -- C:\~StanfordSAV9Config.LOG

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2005/08/04 23:47:52 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 04:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/07/06 02:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [2005/11/25 16:50:11 | 000,001,610 | -H-- | M] () -- C:\Documents and Settings\James\Application Data\Microsoft\LastFlashConfig.WFC

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2002/12/31 16:26:48 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2002/12/31 16:26:48 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2002/12/31 16:26:48 | 000,425,984 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/09/21 14:52:40 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2008/09/21 14:59:01 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\James\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2005/08/04 23:52:19 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\James\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/12/27 15:33:32 | 003,216,374 | ---- | M] (Blizzard Entertainment) -- C:\Documents and Settings\James\Desktop\StarCraft_2_NA_en-US.exe
    [2010/12/27 16:46:07 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\James\Desktop\TFC.exe
    [2010/12/27 17:15:23 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\James\Desktop\yizhwu37.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/09/21 14:59:01 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\James\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/02/01 12:44:18 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\James\Cookies\desktop.ini
    [2010/12/27 23:32:49 | 000,999,424 | ---- | M] () -- C:\Documents and Settings\James\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2004/09/22 17:46:10 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2001/05/02 14:24:18 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\blogo.gif
    [2008/04/13 16:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/07/17 10:41:08 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2001/03/07 05:00:26 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2001/05/22 12:06:52 | 000,000,866 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
    [2008/05/02 06:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 09:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 16:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2001/02/01 05:00:26 | 000,000,685 | ---- | M] () -- C:\Program Files\Messenger\msmsgs.exe.manifest
    [2001/08/01 20:58:12 | 000,016,415 | ---- | M] () -- C:\Program Files\Messenger\msmsgsin.exe
    [2004/07/17 10:41:08 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/07/17 10:41:08 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/07/17 10:41:08 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2000/12/05 12:10:32 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/07/17 10:41:04 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [2004/09/03 16:41:30 | 000,061,440 | ---- | M] () -- C:\WINDOWS\system\cmsnxeye.exe

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D4D38596
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:59846E5E
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5CE2502D
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4295826C

    < End of report >

    ------------------------------------------------------------------
    Extras.txt



    OTL Extras logfile created on: 12/27/2010 11:40:05 PM - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\James\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): E:\pagefile.sys 4092 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 69.23 Gb Total Space | 45.04 Gb Free Space | 65.06% Space Free | Partition Type: NTFS
    Drive D: | 7.39 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
    Drive E: | 117.42 Gb Total Space | 24.28 Gb Free Space | 20.68% Space Free | Partition Type: NTFS
    Drive F: | 116.34 Gb Total Space | 77.15 Gb Free Space | 66.31% Space Free | Partition Type: NTFS

    Computer Name: JIM | User Name: James | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "E:\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
    Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
    Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002
    "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:mad:xpsp2res.dll,-22008
    "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "13899:TCP" = 13899:TCP:*:Enabled:SolidNetworkManager
    "13899:UDP" = 13899:UDP:*:Enabled:SolidNetworkManager
    "1035:TCP" = 1035:TCP:*:Enabled:Akamai NetSession Interface
    "5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
    "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
    "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
    "C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Disabled:Windows® NetMeeting® -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
    "C:\Program Files\Mozilla Firefox\plugins\solidnm.exe" = C:\Program Files\Mozilla Firefox\plugins\solidnm.exe:*:Enabled:Solid State Networks Browser Plugin -- ()
    "C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
    "C:\Matrix Games\Kharkov\update.exe" = C:\Matrix Games\Kharkov\update.exe:*:Enabled:TrueUpdate Client -- ()
    "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
    "E:\Steam\SteamApps\common\red orchestra\System\RedOrchestra.exe" = E:\Steam\SteamApps\common\red orchestra\System\RedOrchestra.exe:*:Enabled:Red Orchestra -- ()
    "C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe" = C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire -- (Ironclad Games)
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
    "E:\Steam\SteamApps\common\hearts of iron 3\hoi3game.exe" = E:\Steam\SteamApps\common\hearts of iron 3\hoi3game.exe:*:Enabled:Hearts of Iron III -- ()
    "E:\Steam\SteamApps\common\empire total war\Empire.exe" = E:\Steam\SteamApps\common\empire total war\Empire.exe:*:Enabled:Empire: Total War -- (The Creative Assembly Ltd)
    "C:\Matrix Games\Distant Worlds\update.exe" = C:\Matrix Games\Distant Worlds\update.exe:*:Enabled:TrueUpdate Client -- ()
    "E:\Steam\SteamApps\oberstbix90\age of chivalry\hl2.exe" = E:\Steam\SteamApps\oberstbix90\age of chivalry\hl2.exe:*:Enabled:Age of Chivalry -- ()
    "E:\Steam\SteamApps\common\call of duty modern warfare 2\iw4sp.exe" = E:\Steam\SteamApps\common\call of duty modern warfare 2\iw4sp.exe:*:Enabled:Call of Duty: Modern Warfare 2 -- ()
    "E:\Steam\SteamApps\common\call of duty modern warfare 2\iw4mp.exe" = E:\Steam\SteamApps\common\call of duty modern warfare 2\iw4mp.exe:*:Enabled:Call of Duty: Modern Warfare 2 - Multiplayer -- ()
    "F:\iTunes\iTunes.exe" = F:\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "E:\Steam\SteamApps\common\america's army 3\Binaries\AA3Game.exe" = E:\Steam\SteamApps\common\america's army 3\Binaries\AA3Game.exe:*:Enabled:America's Army 3 -- ()
    "E:\Steam\SteamApps\common\call of duty black ops\BlackOps.exe" = E:\Steam\SteamApps\common\call of duty black ops\BlackOps.exe:*:Enabled:Call of Duty: Black Ops -- ()
    "E:\Steam\SteamApps\common\call of duty black ops\BlackOpsMP.exe" = E:\Steam\SteamApps\common\call of duty black ops\BlackOpsMP.exe:*:Enabled:Call of Duty: Black Ops - Multiplayer -- ()
    "F:\AVG\avgnsx.exe" = F:\AVG\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
    "F:\AVG\avgmfapx.exe" = F:\AVG\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
    "F:\AVG\avgemcx.exe" = F:\AVG\avgemcx.exe:*:Enabled:personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Small Business
    "{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
    "{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
    "{04E7A3BB-DB38-481C-A809-35FA60C78EDF}" = AVG 2011
    "{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
    "{0E70CFA6-93E3-453F-B47C-855196C2589E}" = Logitech Harmony Remote Software 7
    "{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
    "{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
    "{174D5678-D941-433C-BD23-58A5C7B0D36D}" = Jasc Animation Shop 3
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
    "{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{20DEB77C-21D6-4D22-BB47-233E47613D57}" = Microsoft Games for Windows - LIVE Redistributable
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{2A6E9B4B-F456-46F9-B2A0-8F4F1D36275A}" = InstallXML
    "{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
    "{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
    "{300A2961-B2B5-4889-9CB9-5C2A570D08AD}" = Debugging Tools for Windows (x86)
    "{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
    "{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
    "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
    "{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
    "{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
    "{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
    "{53480330-E1D1-41CA-B8F8-7F78644F7F50}" = O&O Defrag Professional Edition
    "{54DF7BDA-1058-4D53-B3D4-2344C69B7D0C}" = Ragnarok Online
    "{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
    "{5C6956F3-B586-4674-BCD0-CCF7EC1DF766}" = Wireless-B PCI Adapter WLAN Monitor
    "{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
    "{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
    "{639858DD-4966-40F3-A706-7C838BCF3A2B}" = MaxBlast 4
    "{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
    "{69997863-7239-4E5C-833C-EAC2F0116EB3}" = Red Orchestra
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
    "{77E70C3C-DBB9-4C47-8663-1E1F81FEC623}" = Logitech QuickCam
    "{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
    "{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
    "{7D2370AC-D8E6-4996-986A-19824F8A167C}" = Logitech QuickCam
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
    "{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
    "{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
    "{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
    "{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{911A0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Outlook 2002
    "{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
    "{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
    "{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
    "{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9AFA9294-C7A4-4DD5-ADBE-3DFC98752417}_is1" = Theatre of War 2 Kursk 1943 Demo (Remove Only)
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.5
    "{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
    "{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
    "{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
    "{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
    "{B4C88CF0-B617-4658-8F84-C4E847FBC9F7}" = Microsoft Managed DirectX (1126)
    "{BEF726DD-4037-4214-8C6A-E625C02D2870}" = Logitech Audio Echo Cancellation Component
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
    "{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
    "{D627784F-B3EE-44E8-96B1-9509B991EA34}_is1" = AusLogics Registry Defrag
    "{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Evaluation
    "{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
    "{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
    "{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
    "{EA516024-D84D-41F1-814F-83175A6188F2}" = Logitech Video Enumerator
    "{ECCA8FE7-767A-4C8A-9DAA-BAB60F877C41}" = Sins of a Solar Empire
    "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
    "{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
    "{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
    "{F4C68898-EBA5-46A9-82B3-2D30426086BF}" = AVG 2011
    "{F69FD33C-8815-46BF-9134-A643DE68F3C0}" = WinFast(R) Display Driver
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "{F843C6A3-224D-4615-94F8-3C461BD9AEA0}" = Jasc Paint Shop Pro 9
    "{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
    "{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
    "53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player
    "Advanced Tactics1.00" = Advanced Tactics
    "Akamai" = Akamai NetSession Interface
    "AVG" = AVG 2011
    "Battlefront1.00" = Battlefront
    "BFGC" = Big Fish Games: Game Manager
    "BFG-Luxor 3" = Luxor 3
    "Distant Worlds1.00" = Distant Worlds
    "Gary Grigsby's War in the East1.00" = Gary Grigsby's War in the East
    "HitmanPro35" = Hitman Pro 3.5
    "hon" = Heroes of Newerth
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
    "Kharkov1.00" = Kharkov
    "KSignAccessToolkit" = KSignAccessToolkit v1.0
    "LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
    "NVIDIA Drivers" = NVIDIA Drivers
    "OpenAL" = OpenAL
    "PunkBusterSvc" = PunkBuster Services
    "QcDrv" = Logitech® Camera Driver
    "Raganrok Renewal" = Ragnarok Renewal
    "Ragnarok Online" = Ragnarok Online
    "Security Task Manager" = Security Task Manager 1.7e
    "Sins of a Solar Empire" = Sins of a Solar Empire
    "SolidStateIONMozilla" = Solid State ION Mozilla Plugin
    "Steam App 10180" = Call of Duty: Modern Warfare 2
    "Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
    "Steam App 10500" = Empire: Total War
    "Steam App 13140" = America's Army 3
    "Steam App 25890" = Hearts of Iron 3
    "Steam App 400" = Portal
    "Steam App 42700" = Call of Duty: Black Ops
    "Steam App 42710" = Call of Duty: Black Ops - Multiplayer
    "Steam(TM)" = Steam(TM)
    "uTorrent" = µTorrent
    "Winamp" = Winamp (remove only)
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows Media Player" = Windows Media Player 10
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "WMV9_VCM" = Microsoft Windows Media Video 9 VCM

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome
    "Move Media Player" = Move Media Player

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/23/2010 12:41:59 PM | Computer Name = JIM | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 2303750

    Error - 12/23/2010 12:41:59 PM | Computer Name = JIM | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 2303750

    Error - 12/25/2010 4:24:36 AM | Computer Name = JIM | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 12/25/2010 4:24:37 AM | Computer Name = JIM | Source = Application Hang | ID = 1002
    Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 12/26/2010 12:22:48 PM | Computer Name = JIM | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: Continuously busy for more than a second

    Error - 12/26/2010 12:22:48 PM | Computer Name = JIM | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledEvent 57774047

    Error - 12/26/2010 12:22:48 PM | Computer Name = JIM | Source = Bonjour Service | ID = 100
    Description = Task Scheduling Error: m->NextScheduledSPRetry 57774047

    Error - 12/26/2010 5:27:22 PM | Computer Name = JIM | Source = Application Hang | ID = 1002
    Description = Hanging application BlackOps.exe, version 0.0.0.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 12/27/2010 7:44:09 PM | Computer Name = JIM | Source = Bonjour Service | ID = 100
    Description = Client application bug: DNSServiceResolve(BZDN1611532334-QkxaMDAwMjhCOkktMDI4M3I9OEV4QzZDMFUwQnI=._bzdn._tcp.local.)
    active for over two minutes. This places considerable burden on the network.

    Error - 12/27/2010 8:02:27 PM | Computer Name = JIM | Source = Application Error | ID = 1000
    Description = Faulting application winhlp32.exe, version 5.1.2600.5512, faulting
    module imm32.dll, version 5.1.2600.5512, fault address 0x00014769.

    [ System Events ]
    Error - 12/27/2010 11:01:30 PM | Computer Name = JIM | Source = Service Control Manager | ID = 7031
    Description = The AVG WatchDog service terminated unexpectedly. It has done this
    1 time(s). The following corrective action will be taken in 0 milliseconds: Restart
    the service.

    Error - 12/27/2010 11:01:30 PM | Computer Name = JIM | Source = Service Control Manager | ID = 7034
    Description = The AVG WatchDog service terminated unexpectedly. It has done this
    2 time(s).

    Error - 12/27/2010 11:04:06 PM | Computer Name = JIM | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE

    Error - 12/27/2010 11:05:15 PM | Computer Name = JIM | Source = Service Control Manager | ID = 7034
    Description = The Process Monitor service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 12/27/2010 11:08:13 PM | Computer Name = JIM | Source = Service Control Manager | ID = 7034
    Description = The LicCtrl Service service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 12/27/2010 11:12:36 PM | Computer Name = JIM | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE

    Error - 12/27/2010 11:39:04 PM | Computer Name = JIM | Source = DCOM | ID = 10010
    Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
    with DCOM within the required timeout.

    Error - 12/27/2010 11:53:41 PM | Computer Name = JIM | Source = DCOM | ID = 10010
    Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
    with DCOM within the required timeout.

    Error - 12/27/2010 11:59:02 PM | Computer Name = JIM | Source = DCOM | ID = 10010
    Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
    with DCOM within the required timeout.

    Error - 12/28/2010 12:26:46 AM | Computer Name = JIM | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE


    < End of report >
     
  8. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\SBREDrv.sys -- (SBRE)
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
      O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...8f/wvc1dmo.cab (Reg Error: Key error.)
      O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab (Reg Error: Key error.)
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/S.../bin/cabsa.cab (Symantec RuFSI Utility Class)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab (Reg Error: Key error.)
      [2010/12/27 23:32:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2007/06/07 17:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\James\Application Data\Viewpoint
      @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D4D38596
      @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:59846E5E
      @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5CE2502D
      @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4295826C
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  9. mojojim

    mojojim TS Rookie Topic Starter

    Ok I have the OTL, Checkup and ESET logs.


    All processes killed
    ========== OTL ==========
    Service SBRE stopped successfully!
    Service SBRE deleted successfully!
    File C:\WINDOWS\System32\drivers\SBREDrv.sys not found.
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
    Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
    C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
    Starting removal of ActiveX control {39B0684F-D7BF-4743-B050-FDC3F48F7E3B}
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}\ not found.
    Starting removal of ActiveX control {644E432F-49D3-41A1-8DD5-E099162EEEC5}
    C:\WINDOWS\Downloaded Program Files\CabSA.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{644E432F-49D3-41A1-8DD5-E099162EEEC5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{644E432F-49D3-41A1-8DD5-E099162EEEC5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{644E432F-49D3-41A1-8DD5-E099162EEEC5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{644E432F-49D3-41A1-8DD5-E099162EEEC5}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E473A65C-8087-49A3-AFFD-C5BC4A10669B}
    C:\WINDOWS\Downloaded Program Files\qsp2ie.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E473A65C-8087-49A3-AFFD-C5BC4A10669B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E473A65C-8087-49A3-AFFD-C5BC4A10669B}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{E473A65C-8087-49A3-AFFD-C5BC4A10669B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E473A65C-8087-49A3-AFFD-C5BC4A10669B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E473A65C-8087-49A3-AFFD-C5BC4A10669B}\ not found.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Toolbar folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell\AOL9Plus folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell\AOL9 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\UserShell folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\Resources folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Toolbar Runtime folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\James\Application Data\Viewpoint folder moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D4D38596 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:59846E5E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5CE2502D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4295826C deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: James
    ->Temp folder emptied: 9447272 bytes
    ->Temporary Internet Files folder emptied: 6166661 bytes
    ->Java cache emptied: 1853 bytes
    ->FireFox cache emptied: 3827116 bytes
    ->Google Chrome cache emptied: 49758852 bytes
    ->Flash cache emptied: 1893 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16957 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 66.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: James
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.18.0 log created on 12282010_121140

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_74c.dat not found!

    Registry entries deleted on Reboot...

    ---------------------------------------------------------------------------------------------------

    Checkup:

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG 2011
    Antivirus out of date! (On Access scanning disabled!)
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Java(TM) SE Runtime Environment 6 Update 1
    Out of date Java installed!
    Adobe Flash Player 10.0.45.2
    Adobe Reader 8.2.5
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.0.19) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    ``````````End of Log````````````


    ------------------------------------------------------------------------------------------------------
    ESET

    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Spy.Ursnif.A virus
    C:\System Volume Information\_restore{9BDE1A25-2A3F-4C64-AAA4-0ACE7802E9E9}\RP3\A0001145.exe Win32/RegistryBooster application
    F:\powersuite.exe multiple threats
     
  10. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Make sure, you keep your AVG up to date!

    ========================================================================

    Uninstall Java(TM) SE Runtime Environment 6 Update 1

    ========================================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page:

    [​IMG]

    make sure, you have both boxes UN-checked AND (important!) click on Decline button

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe 
      C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
  11. mojojim

    mojojim TS Rookie Topic Starter

    Thanks so much for your help, Broni.

    AVG is a new install (installed for the first time two days ago, which is how I discovered the trojan) and I checked for updates but found none.

    I updated Adobe and removed the Java Runtime environment. I haven't seen any recurring instances of the virus, and I'll let you know if any subsequent scans find any problems.

    OTL log is posted here:


    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe moved successfully.
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: James
    ->Temp folder emptied: 74825 bytes
    ->Temporary Internet Files folder emptied: 5092959 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 45384249 bytes
    ->Flash cache emptied: 735 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 48.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: James
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.18.0 log created on 12282010_145259

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\temp\Perflib_Perfdata_744.dat scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  12. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    OK, go on....
     
  13. mojojim

    mojojim TS Rookie Topic Starter

    Are there any other specific details you'd like?

    I followed some of your other advice, like running cleanup, downloading WOT and Secunia and will continue weekly runs of Malwarebytes.

    I'm pretty sure my sister caused the infection - she dabbles often in torrents and this has happened before but I was able to clean it myself.

    Again, thanks for all your help.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    All, I need is:
     
  15. mojojim

    mojojim TS Rookie Topic Starter

    Ah gotcha. Things look pretty good, not seeing any warning signals from any of the latest scans (e.g. MBAM full scan) or AVG. Seems I may be out of the woods!

    I'll keep an eye out and if anything changes I'll let you know.

    You saved me countless hours of aimlessly wandering about the antivirus world. You really ought to consider getting paid for these services - I know I would've paid for your help!
     
  16. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Way to go!! [​IMG]
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...