Solved Can't seem to remove Trojan.ZeroAccess.B

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{203FB6B2-2E1E-4474-863B-4C483ECCE78E}: C:\Documents and Settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.0.1.8\coFFNST\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\ [2012/02/01 20:16:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_10_1 [2012/07/17 22:56:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/05/22 10:25:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012/06/03 10:33:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2012/06/14 12:32:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2012/06/14 12:34:19 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2012/07/17 22:56:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.2.2.3\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.2.2.3\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (Hewlett-Packard)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (IncrediMail MediaBar 2 Toolbar) - {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files\IncrediMail_MediaBar_2\prxtbInc0.dll (Conduit Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.2.2.3\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKLM\..\Toolbar: (IncrediMail MediaBar 2 Toolbar) - {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files\IncrediMail_MediaBar_2\prxtbInc0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\Toolbar\WebBrowser: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O3 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\Toolbar\WebBrowser: (IncrediMail MediaBar 2 Toolbar) - {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - C:\Program Files\IncrediMail_MediaBar_2\prxtbInc0.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DMAScheduler] c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)
O4 - HKLM..\Run: [ftutil2] C:\WINDOWS\System32\ftutil2.dll (Promise Technology, Inc.)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_46628355.lnk = File not found
O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_87143468.lnk = File not found
O4 - Startup: C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup\PinMcLnk.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4156177612-2444206607-219807860-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Computer, Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} http://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab (CPlayFirstNightshiftControl Object)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1291073412375 (MUWebControl Class)
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} http://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab (CPlayFirstdreamControl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CC1879E4-B962-4BB9-B2FD-B9776E1D1CE5}: DhcpNameServer = 192.168.1.1 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O27 - HKLM IFEO\ehshell.exe: Debugger - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/24 14:54:32 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 08:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/17 23:32:37 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2012/07/17 23:03:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\PriceGong
[2012/07/17 22:44:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/17 21:54:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\BootCheck
[2012/07/17 21:20:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/07/17 20:52:15 | 004,579,127 | R--- | C] (Swearware) -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
[2012/07/17 20:13:27 | 000,891,630 | ---- | C] (Farbar) -- C:\Documents and Settings\HP_Administrator\Desktop\FRST.exe
[2012/07/17 19:21:51 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.exe
[2012/07/17 19:07:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2012/07/17 06:01:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Administrator\Recent
[2012/07/17 05:52:36 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/07/17 05:52:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/07/16 20:00:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\NPE
[2012/07/12 19:10:45 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/12 19:10:45 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/12 19:10:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/12 19:10:45 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/12 19:09:45 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/12 19:09:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/07/12 19:05:39 | 002,135,640 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.exe
[2012/07/12 19:01:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\RK_Quarantine
[2012/07/12 15:12:10 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\46628355.sys
[2012/07/12 15:08:34 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/07/12 13:50:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\FixZeroAccess
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/17 23:32:39 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2012/07/17 23:21:34 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/17 23:21:28 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/17 23:21:26 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
[2012/07/17 22:56:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/17 22:56:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/17 22:56:02 | 2137,473,024 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/17 22:44:30 | 000,000,318 | RHS- | M] () -- C:\boot.ini
[2012/07/17 22:42:47 | 001,012,656 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\rkill.exe
[2012/07/17 22:29:10 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2012/07/17 22:20:21 | 000,000,202 | ---- | M] () -- C:\Boot.bak
[2012/07/17 21:54:22 | 000,010,153 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\BootCheck.zip
[2012/07/17 21:47:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/17 21:45:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/17 21:24:15 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/07/17 20:52:36 | 004,579,127 | R--- | M] (Swearware) -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
[2012/07/17 20:13:29 | 000,891,630 | ---- | M] (Farbar) -- C:\Documents and Settings\HP_Administrator\Desktop\FRST.exe
[2012/07/17 20:01:04 | 000,009,728 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/17 19:52:59 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat
[2012/07/17 19:21:53 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.exe
[2012/07/17 19:18:19 | 001,552,384 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\RogueKiller.exe
[2012/07/17 19:07:32 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2012/07/17 00:35:27 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wwwbatch.ini
[2012/07/16 20:15:51 | 000,001,496 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SMRResults300.dat
[2012/07/12 22:54:03 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\WINDOWS\System32\drivers\46628355.sys
[2012/07/12 19:05:53 | 002,135,640 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.exe
[2012/07/12 15:20:53 | 000,000,858 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_87143468.lnk
[2012/07/12 15:16:26 | 142,816,120 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\setup_11.0.0.1245.x01_2012_07_12_22_54.exe
[2012/07/12 15:12:52 | 000,000,858 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_46628355.lnk
[2012/07/12 13:23:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/07/12 12:21:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/07/12 07:30:19 | 000,083,392 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2012/07/12 07:30:17 | 000,087,456 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2012/07/12 07:30:17 | 000,030,624 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2012/07/11 09:56:31 | 000,265,416 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/09 18:34:45 | 000,051,326 | ---- | M] () -- C:\VETlog.dmp
[2012/07/09 08:14:21 | 001,524,736 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2012/07/09 08:07:53 | 002,620,416 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2012/07/08 18:00:06 | 000,000,580 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for HP_Administrator.job
[2012/07/07 07:38:17 | 000,016,224 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/03 09:16:00 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\dog's prayer.wps
[2012/06/23 10:47:33 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\Prayer # 2.wps
[2012/06/20 20:06:30 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\PC Checkup 3 Weekly Scan.job
[2012/06/19 10:26:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/17 22:42:43 | 001,012,656 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\rkill.exe
[2012/07/17 22:37:33 | 2137,473,024 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/17 21:54:22 | 000,010,153 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\BootCheck.zip
[2012/07/17 19:52:47 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat
[2012/07/17 19:18:14 | 001,552,384 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\RogueKiller.exe
[2012/07/17 00:35:23 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2012/07/16 20:15:34 | 000,001,496 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\SMRResults300.dat
[2012/07/12 19:10:45 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/12 19:10:45 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/12 19:10:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/12 19:10:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/12 19:10:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/12 15:20:53 | 000,000,858 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_87143468.lnk
[2012/07/12 15:16:10 | 142,816,120 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\setup_11.0.0.1245.x01_2012_07_12_22_54.exe
[2012/07/12 15:12:52 | 000,000,858 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_46628355.lnk
[2012/07/08 21:58:30 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L\00000004.@
[2012/07/03 09:16:00 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\dog's prayer.wps
[2012/06/23 10:47:33 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\Prayer # 2.wps
[2012/05/26 22:38:55 | 000,253,234 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-4156177612-2444206607-219807860-1007-0.dat
[2012/05/16 21:11:53 | 000,253,234 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/04/09 20:22:33 | 000,021,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTAIODAT.DAT
[2012/03/18 23:44:05 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
[2012/02/15 07:08:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/04/12 19:34:40 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/24 20:41:12 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/01/26 00:28:10 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2011/01/26 00:16:37 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2010/11/09 21:45:32 | 000,102,744 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2010/11/09 21:45:30 | 010,871,128 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2010/11/09 21:45:20 | 000,316,248 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2010/11/09 21:31:42 | 000,026,286 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/10/14 21:06:25 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2009/05/30 10:30:50 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\presets.ini
[2008/08/29 12:51:46 | 000,000,000 | ---- | C] () -- C:\Program Files\temp01
[2008/05/03 10:55:04 | 000,000,032 | R--- | C] () -- C:\Documents and Settings\All Users\hash.dat
[2008/04/19 08:57:12 | 000,015,466 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2006/12/29 18:31:31 | 000,016,224 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
[2004/08/10 06:00:00 | 000,002,048 | ---- | C] () -- C:\WINDOWS\Installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@
[2004/08/10 06:00:00 | 000,002,048 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@

========== LOP Check ==========

[2010/08/03 20:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2011/12/30 01:17:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2009/12/05 23:00:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\blg
[2008/08/06 14:15:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Christmasville
[2010/05/09 19:20:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Deadtime Stories
[2006/08/24 14:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
[2009/09/23 16:00:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/08/08 00:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FloodLightGames
[2009/08/20 11:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreshGames
[2010/03/03 13:07:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Green Clover Games
[2012/07/17 06:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2011/02/14 14:14:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2011/02/14 14:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2008/08/18 17:03:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin
[2011/07/01 18:30:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
[2009/02/11 09:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2012/07/17 00:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/02/04 20:54:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2011/02/14 14:14:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Photo Notifier and Animation Creator
[2010/04/30 12:47:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2010/02/07 21:04:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayPond
[2007/08/17 13:35:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2008/11/13 23:53:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCapGamesv1005
[2010/01/15 08:39:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Princess Isabella
[2009/05/08 21:54:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2010/01/15 10:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[2011/02/04 18:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/04/03 19:03:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Top Evidence
[2009/09/23 16:11:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2007/02/08 08:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/11 09:25:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2012/06/20 20:06:30 | 000,000,414 | ---- | M] () -- C:\WINDOWS\Tasks\PC Checkup 3 Weekly Scan.job

========== Purity Check ==========


< End of report >
 
Hmm...the Extras.txt log didn't seem to pop up (I still have OTL and the notepad window open) and now Norton just popped up with a message in the corner of the screen that says "Auto-Protect is processing security risk "Backdoor.Graybird"
 
OK...

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_46628355.lnk = File not found
O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_87143468.lnk = File not found
O15 - HKU\S-1-5-21-4156177612-2444206607-219807860-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

===================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
Here's the OTL log. Doing the other scans now...

All processes killed
========== OTL ==========
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_46628355.lnk moved successfully.
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\_uninst_87143468.lnk moved successfully.
Registry key HKEY_USERS\S-1-5-21-4156177612-2444206607-219807860-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\objects\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
C:\WINDOWS\Downloaded Program Files\popcaploader.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Flash cache emptied: 598 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41661 bytes

User: HP_Administrator
->Temp folder emptied: 857680 bytes
->Temporary Internet Files folder emptied: 13854524 bytes
->Java cache emptied: 150021547 bytes
->Flash cache emptied: 1571188 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes
->Flash cache emptied: 41661 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 8114 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6111619 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 39727 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 165.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: HP_Administrator
->Java cache emptied: 0 bytes

User: LocalService

User: LogMeInRemoteUser

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: HP_Administrator
->Flash cache emptied: 0 bytes

User: LocalService

User: LogMeInRemoteUser
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07182012_001759
Files\Folders moved on Reboot...
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll moved successfully.
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCBA0.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCC59.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCE5A.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCE67.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCFB2.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCFC9.tmp not found!
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XL55UTMX\27acd1ed-da1d-4a4a-a4a7-53407650c4db[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XL55UTMX\component[1].html moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XL55UTMX\stat[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XDE2LQA9\page-2[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XDE2LQA9\stat[4].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XDE2LQA9\stat_target[2].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\6W3Q8TMG\htm[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5SVXQNFO\index[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5SVXQNFO\stat_target[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5SVXQNFO\topix-conduit-localnews-small.2[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_730.dat not found!
PendingFileRenameOperations files...
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCBA0.tmp not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCC59.tmp not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCE5A.tmp not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCE67.tmp not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCFB2.tmp not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFCFC9.tmp not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XL55UTMX\27acd1ed-da1d-4a4a-a4a7-53407650c4db[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XL55UTMX\component[1].html not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XL55UTMX\stat[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XDE2LQA9\page-2[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XDE2LQA9\stat[4].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\XDE2LQA9\stat_target[2].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\6W3Q8TMG\htm[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5SVXQNFO\index[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5SVXQNFO\stat_target[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\5SVXQNFO\topix-conduit-localnews-small.2[1].htm not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat not found!
File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\SuggestedSites.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_730.dat not found!
Registry entries deleted on Reboot...
 
Security Check Log

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Norton 360
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Treasure Seekers: Follow the Ghosts Collector's Edition
CCleaner
Java(TM) 6 Update 29
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player ( 10.0.22.87) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````
 
Farbar Service Scanner

Farbar Service Scanner Version: 08-07-2012
Ran by HP_Administrator (administrator) on 18-07-2012 at 00:30:59
Running from "C:\Documents and Settings\HP_Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(9) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****
 
Here are the results of the ESET Scan...

C:\Program Files\Netscape\Netscape Browser\chrome\m3ntstbr.jar Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1942\A0292228.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
D:\I386\APPS\APP14588\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
D:\I386\APPS\APP14588\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1942\A0292230.exe a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1942\A0292231.exe a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
 
Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

======================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

======================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code: 
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Thanks. I went through all the steps including updating Adobe Flash Player and Java. But when I restarted the computer last, Norton popped up again saying "Auto-Protect is processing security risk Backdoor.Graybird" again. Is that a false positive or do you think there's something to it?

Also, since RogueKiller was one of the only programs that detected the ZeroAccess trojan, should I re-scan with it to see if the ZeroAccess infection message is gone?

I won't do anything until I hear back from you.
 
It looks like it's saying OTL.exe was the cause so that's probably a false positive, right?

Here is a screenshot of the log: http://I.imgur.com/zHPTe.jpg

Also the RogueKiller log...

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: HP_Administrator [Admin rights]
Mode: Scan -- Date: 07/18/2012 20:01:54

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[IFEO] HKLM\[...]\Image File Execution Options : ehshell.exe ("C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L --> FOUND
[ZeroAccess][FILE] @ : c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x897FB050)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x897FB130)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x898F32C0)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x898FF138)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x895B7C28)
SSDT[43] : NtCreateMutant @ 0x8061758E -> HOOKED (Unknown @ 0x89777008)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x897E40A0)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x898016B0)
SSDT[57] : NtDebugActiveProcess @ 0x80643A1C -> HOOKED (Unknown @ 0x897330D8)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x897A9810)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x89A160D8)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x897E2130)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x897A30D0)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x897E61E0)
SSDT[108] : NtMapViewOfSection @ 0x805B2042 -> HOOKED (Unknown @ 0x897D1108)
SSDT[114] : NtOpenEvent @ 0x8060EF4C -> HOOKED (Unknown @ 0x897770B0)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x89770310)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x897DD830)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x89ACD008)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x89770240)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x897E4008)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x897D33D8)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x898700E8)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x897C6070)
SSDT[240] : NtSetSystemInformation @ 0x8060FC04 -> HOOKED (Unknown @ 0x89ACD048)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x898F00F8)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8976C068)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x898017B0)
SSDT[258] : NtTerminateThread @ 0x805D24D2 -> HOOKED (Unknown @ 0x8976C128)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x897C6008)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x898F31F0)
S_SSDT[307] : Unknown -> HOOKED (Unknown @ 0x897D0440)
S_SSDT[383] : Unknown -> HOOKED (Unknown @ 0x89844ED8)
S_SSDT[414] : Unknown -> HOOKED (Unknown @ 0x89959D00)
S_SSDT[416] : Unknown -> HOOKED (Unknown @ 0x8980E208)
S_SSDT[428] : Unknown -> HOOKED (Unknown @ 0x897C2C90)
S_SSDT[460] : Unknown -> HOOKED (Unknown @ 0x8979F2E0)
S_SSDT[475] : Unknown -> HOOKED (Unknown @ 0x89951250)
S_SSDT[476] : Unknown -> HOOKED (Unknown @ 0x898043D8)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0x89850AB8)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0x898181A8)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320833AS +++++
--- User ---
[MBR] 32ee40c0deaf917452b588b469c0e38d
[BSP] 05e3161cf4ce79602881f99911e8893d : Toshiba tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 296386 Mo
1 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 607016025 | Size: 8848 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
 
It looks like it's saying OTL.exe was the cause so that's probably a false positive, right?
Click to expand...
Absolutely.

Download fresh copy of Combofix and post new log.
It looks to me like those items from RK are just ZeroAccess leftovers but we can double check.
 
Here is the latest log from Combofix...

ComboFix 12-07-18.04 - HP_Administrator 07/18/2012 20:33:50.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1244 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Application Data\PriceGong
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\1.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\10020.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\16685.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\2501.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\946.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\9491.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\a.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\b.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\c.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\d.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\e.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\f.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\g.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\h.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\I.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\j.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\k.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\l.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\m.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\n.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\o.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\p.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\q.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\r.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\s.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\t.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\u.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\v.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\w.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\x.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\y.txt
c:\documents and settings\HP_Administrator\Application Data\PriceGong\Data\z.txt
c:\documents and settings\HP_Administrator\Local Settings\temp\IadHide5.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
.
.
2012-07-19 00:00 . 2012-07-19 00:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-07-18 23:46 . 2012-07-18 23:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Secunia PSI
2012-07-18 23:45 . 2012-07-18 23:45 -------- d-----w- c:\program files\Secunia
2012-07-18 23:42 . 2012-07-18 23:42 -------- d-----w- c:\program files\WOT
2012-07-18 22:02 . 2012-07-18 22:02 -------- d-----w- c:\program files\Oracle
2012-07-18 22:01 . 2012-07-18 22:01 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Oracle
2012-07-18 22:01 . 2012-07-06 03:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-18 21:43 . 2012-07-18 21:43 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-07-18 19:42 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-07-18 19:32 . 2009-12-14 17:33 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-07-18 12:31 . 2012-07-18 12:31 -------- d-----w- c:\program files\AmIcoSingLun
2012-07-18 12:31 . 2012-07-18 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AmUStor
2012-07-18 12:19 . 2012-07-18 12:18 11264 ----a-w- c:\windows\system32\drivers\vulfntr.sys
2012-07-18 12:19 . 2005-01-05 23:02 6912 ----a-w- c:\windows\system32\drivers\vulfnth.sys
2012-07-18 12:19 . 2003-10-03 21:28 45056 ----a-w- c:\windows\system32\vusetup.dll
2012-07-18 12:05 . 2006-10-06 17:09 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-07-18 11:40 . 2012-07-18 19:31 -------- d-----w- C:\swsetup
2012-07-18 11:24 . 2012-07-18 11:24 -------- d-----w- C:\Intel
2012-07-18 11:13 . 2012-07-18 11:13 -------- d-----w- c:\program files\SystemRequirementsLab
2012-07-18 05:45 . 2012-07-18 05:45 -------- d-----w- c:\program files\ESET
2012-07-18 05:17 . 2012-07-18 05:17 -------- d-----w- C:\_OTL
2012-07-17 10:52 . 2012-07-17 10:52 -------- d-----w- c:\program files\HitmanPro
2012-07-17 10:52 . 2012-07-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-07-17 02:32 . 2012-07-17 02:32 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-07-17 01:00 . 2012-07-17 01:15 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-07-17 00:52 . 2012-07-17 00:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-07-12 20:12 . 2012-07-13 03:54 133208 ----a-w- c:\windows\system32\drivers\46628355.sys
2012-07-12 20:08 . 2012-07-12 20:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-12 18:50 . 2012-07-12 18:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixZeroAccess
2012-07-12 16:47 . 2012-07-12 16:47 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 23:54 . 2011-05-15 13:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 21:36 . 2012-04-18 13:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 12:30 . 2010-07-16 03:12 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 12:30 . 2010-07-16 03:12 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-12 12:30 . 2010-07-16 03:12 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 12:30 . 2010-07-16 03:12 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-06 03:07 . 2007-05-04 12:19 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-03 18:46 . 2011-02-18 05:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2004-08-10 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-08-18 21:20 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-10 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 22:35 . 2009-08-07 01:23 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-10 04:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2007-06-05 17:52 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2004-08-10 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2004-08-10 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2004-08-10 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2004-08-10 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2004-08-10 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2004-08-10 04:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2007-06-05 17:52 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2004-08-10 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2004-08-10 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2010-12-01 21:34 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2010-12-01 21:34 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-10 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 22:04 . 2010-07-16 03:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-05-21 22:04 . 2010-07-16 03:12 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2012-05-16 15:08 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-10 11:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-10 11:00 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-10 04:00 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
2011-05-09 09:49 176936 ----a-w- c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2012-03-07 366024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"RTHDCPL"="RTHDCPL.EXE" [2012-03-14 20065896]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-05-22 296056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2010-09-08 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-24 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-07-12 12:30 87456 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ehshell.exe]
"Debugger"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 16:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 01:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2007-10-31 02:57 1095256 ----a-w- c:\program files\DISC\DISCover.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2008-12-04 18:24 665424 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2011-10-05 21:23 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-04-12 21:23 42032 ----a-w- c:\program files\Common Files\AOL\1166656723\EE\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 18:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-22 07:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2012-05-22 15:25 499312 ----a-w- c:\program files\Real\realplayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-19 20:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
.
R0 46628355;46628355;c:\windows\system32\drivers\46628355.sys [7/12/2012 3:12 PM 133208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [6/12/2012 7:24 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [6/12/2012 7:24 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [7/12/2012 7:37 AM 821920]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [6/12/2012 7:24 AM 136312]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:46 PM 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 7:24 AM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [5/4/2012 7:31 PM 131512]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [7/11/2010 9:51 PM 126904]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/10/2009 1:43 PM 126392]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [6/27/2012 2:25 AM 1326176]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [6/27/2012 2:25 AM 681056]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2012 3:03 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120717.003\IDSXpx86.sys [7/18/2012 2:31 AM 369632]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 9:19 AM 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/18/2012 8:29 AM 250056]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 21:36]
.
2012-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-07-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 21:23]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
.
2012-07-18 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2011-02-10 00:00]
.
2012-07-19 c:\windows\Tasks\PC Checkup 3 Weekly Scan.job
- c:\program files\Norton PC Checkup 3.0\NLAppLauncher.exe [2012-05-05 01:06]
.
2012-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-77887498.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 20:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1716)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\IncrediMail\Bin\ImApp.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2012-07-18 20:53:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-19 01:53
.
Pre-Run: 275,217,727,488 bytes free
Post-Run: 275,225,341,952 bytes free
.
- - End Of File - - C0AF27D10C292514FE39B45D5D40EE5E
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
File::

Folder::
c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}
c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}

Driver::

Registry::

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-07-18.04 - HP_Administrator 07/18/2012 21:19:04.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1266 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}
c:\documents and settings\hp_administrator\local settings\application data\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@
c:\documents and settings\HP_Administrator\Local Settings\temp\IadHide5.dll
c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}
c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\@
c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L\00000004.@
c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L\1afb2d56
c:\windows\installer\{c4ee18df-3dd6-00a2-0059-b808e7cadfbb}\L\201d3dde
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\erdnt\cache\atapi.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
.
.
2012-07-19 00:00 . 2012-07-19 00:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-07-18 23:46 . 2012-07-18 23:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Secunia PSI
2012-07-18 23:45 . 2012-07-18 23:45 -------- d-----w- c:\program files\Secunia
2012-07-18 23:42 . 2012-07-18 23:42 -------- d-----w- c:\program files\WOT
2012-07-18 22:02 . 2012-07-18 22:02 -------- d-----w- c:\program files\Oracle
2012-07-18 22:01 . 2012-07-18 22:01 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Oracle
2012-07-18 22:01 . 2012-07-06 03:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-18 21:43 . 2012-07-18 21:43 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-07-18 19:42 . 2011-08-09 22:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-07-18 19:32 . 2009-12-14 17:33 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-07-18 12:31 . 2012-07-18 12:31 -------- d-----w- c:\program files\AmIcoSingLun
2012-07-18 12:31 . 2012-07-18 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AmUStor
2012-07-18 12:19 . 2012-07-18 12:18 11264 ----a-w- c:\windows\system32\drivers\vulfntr.sys
2012-07-18 12:19 . 2005-01-05 23:02 6912 ----a-w- c:\windows\system32\drivers\vulfnth.sys
2012-07-18 12:19 . 2003-10-03 21:28 45056 ----a-w- c:\windows\system32\vusetup.dll
2012-07-18 12:05 . 2006-10-06 17:09 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-07-18 11:40 . 2012-07-18 19:31 -------- d-----w- C:\swsetup
2012-07-18 11:24 . 2012-07-18 11:24 -------- d-----w- C:\Intel
2012-07-18 11:13 . 2012-07-18 11:13 -------- d-----w- c:\program files\SystemRequirementsLab
2012-07-18 05:45 . 2012-07-18 05:45 -------- d-----w- c:\program files\ESET
2012-07-18 05:17 . 2012-07-18 05:17 -------- d-----w- C:\_OTL
2012-07-17 10:52 . 2012-07-17 10:52 -------- d-----w- c:\program files\HitmanPro
2012-07-17 10:52 . 2012-07-17 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-07-17 02:32 . 2012-07-17 02:32 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-07-17 01:00 . 2012-07-17 01:15 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\NPE
2012-07-17 00:52 . 2012-07-17 00:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-07-16 21:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-07-16 21:53 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-07-16 21:53 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-07-12 20:12 . 2012-07-13 03:54 133208 ----a-w- c:\windows\system32\drivers\46628355.sys
2012-07-12 20:08 . 2012-07-12 20:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-12 18:50 . 2012-07-12 18:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FixZeroAccess
2012-07-12 16:47 . 2012-07-12 16:47 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 23:54 . 2011-05-15 13:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 21:36 . 2012-04-18 13:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 12:30 . 2010-07-16 03:12 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 12:30 . 2010-07-16 03:12 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-12 12:30 . 2010-07-16 03:12 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 12:30 . 2010-07-16 03:12 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-06 03:07 . 2007-05-04 12:19 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-03 18:46 . 2011-02-18 05:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2004-08-10 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-08-18 21:20 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-10 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 22:35 . 2009-08-07 01:23 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32 . 2004-08-10 04:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2007-06-05 17:52 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2004-08-10 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2004-08-10 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2004-08-10 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2007-06-05 17:52 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2005-05-26 12:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2004-08-10 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2004-08-10 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2004-08-10 04:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2007-06-05 17:52 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2004-08-10 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2004-08-10 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2010-12-01 21:34 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2010-12-01 21:34 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-10 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 22:04 . 2010-07-16 03:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-05-21 22:04 . 2010-07-16 03:12 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2012-05-16 15:08 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-10 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-10 11:00 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-10 11:00 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2004-08-10 04:00 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-19_01.45.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-19 02:31 . 2012-07-19 02:31 16384 c:\windows\temp\Perflib_Perfdata_984.dat
+ 2012-07-19 02:29 . 2012-07-19 02:29 16384 c:\windows\temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
2011-05-09 09:49 176936 ----a-w- c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}"= "c:\program files\IncrediMail_MediaBar_2\prxtbInc0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2012-03-07 366024]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"RTHDCPL"="RTHDCPL.EXE" [2012-03-14 20065896]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-05-22 296056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2010-09-08 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-24 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-07-12 12:30 87456 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ehshell.exe]
"Debugger"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 16:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-10-28 01:17 207424 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2007-10-31 02:57 1095256 ----a-w- c:\program files\DISC\DISCover.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2008-12-04 18:24 665424 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2011-10-05 21:23 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2007-04-12 21:23 42032 ----a-w- c:\program files\Common Files\AOL\1166656723\EE\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 18:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-22 07:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 01:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2012-05-22 15:25 499312 ----a-w- c:\program files\Real\realplayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-19 20:19 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=
.
R0 46628355;46628355;c:\windows\system32\drivers\46628355.sys [7/12/2012 3:12 PM 133208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [6/12/2012 7:24 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [6/12/2012 7:24 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys [7/12/2012 7:37 AM 821920]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [6/12/2012 7:24 AM 136312]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 12:46 PM 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\5.2.2.3\ccsvchst.exe [6/12/2012 7:24 AM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [5/4/2012 7:31 PM 131512]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [7/11/2010 9:51 PM 126904]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [12/10/2009 1:43 PM 126392]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [6/27/2012 2:25 AM 1326176]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [6/27/2012 2:25 AM 681056]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2012 3:03 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120717.003\IDSXpx86.sys [7/18/2012 2:31 AM 369632]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [12/16/2011 9:19 AM 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/18/2012 8:29 AM 250056]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 11:08 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 12:26 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 21:36]
.
2012-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-07-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 21:23]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 17:26]
.
2012-07-18 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2011-02-10 00:00]
.
2012-07-19 c:\windows\Tasks\PC Checkup 3 Weekly Scan.job
- c:\program files\Norton PC Checkup 3.0\NLAppLauncher.exe [2012-05-05 01:06]
.
2012-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
2012-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4156177612-2444206607-219807860-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 23:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 21:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\eHome\ehmsas.exe
c:\program files\IncrediMail\Bin\ImApp.exe
.
**************************************************************************
.
Completion time: 2012-07-18 21:38:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-19 02:38
ComboFix2.txt 2012-07-19 01:53
.
Pre-Run: 275,196,702,720 bytes free
Post-Run: 275,170,140,160 bytes free
.
- - End Of File - - E59F9052299787BC2D96CD0A0C169062
 
You must log in or register to reply here.

Similar threads

midian182
Paid services that remove you from people-finder sites aren't very effective
Replies
3
Views
363
sdms96825
S
D
Being spyed on
Replies
1
Views
643
Nelson28
N
Bob O'Donnell
Google's Pixel 9 series stands out by bringing practical AI to your pocket
Replies
3
Views
424
p51d007
p51d007

Latest posts

Back