Solved Google Redirect Virus. Please Help

[BillyNYC]

Hi There,

My search results have been being redirected for about a month or two. I've tried tdss killer, but it didn't find anything. MalwareBytes and SAS have been ineffectual as well. I've completed the 8 step removal that you've suggested. Logs are attached. Any help would be immensely appreciated.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5630

Windows 6.0.6000
Internet Explorer 7.0.6000.16473

1/28/2011 11:24:14 AM
mbam-log-2011-01-28 (11-24-14).txt

Scan type: Quick scan
Objects scanned: 141634
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-28 11:34:30
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHV2080BH_PL rev.892C
Running: bz3kw3gg.exe; Driver: C:\Users\WILLIA~1\AppData\Local\Temp\pwldikod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-12-12.02) - NTFSx86
Run by William J at 11:39:34.26 on Fri 01/28/2011
Internet Explorer: 7.0.6000.16473
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.501.149 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\notepad.exe
C:\Users\William J\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\willia~1\appdata\roaming\mozilla\firefox\profiles\ldn7ks29.default\
FF - plugin: c:\program files\bittorrent_dna\npbtdna.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {7ACA325A-5030-4D0E-9050-4FBF4A640E17} - c:\users\william j\appdata\local\{7ACA325A-5030-4D0E-9050-4FBF4A640E17}
FF - Ext: oldbar: {46868735-c3fa-47ce-8ce7-cce51a66aceb} - %profile%\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-28 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-28 61960]

=============== Created Last 30 ================

2011-01-28 15:13:21 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-28 15:13:09 -------- d-----w- c:\program files\Avira
2011-01-28 15:13:09 -------- d-----w- c:\progra~2\Avira
2011-01-20 19:50:39 -------- d-----w- c:\windows\pss
2011-01-20 18:39:35 -------- d-----w- c:\users\willia~1\appdata\local\Seven Zip
2011-01-20 15:35:26 -------- d-----w- c:\progra~2\SITEguard
2011-01-20 15:33:41 -------- d-----w- c:\program files\common files\iS3
2011-01-20 15:33:40 -------- d-----w- c:\progra~2\STOPzilla!
2011-01-14 17:48:36 -------- d-----w- c:\users\willia~1\appdata\local\Amazon
2011-01-10 20:46:57 -------- d-----w- c:\program files\common files\PC Tools

==================== Find3M ====================

2009-10-24 13:56:15 3550592 ----a-w- c:\program files\explorer.exe.exe

============= FINISH: 11:40:50.75 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 2/15/2007 5:17:12 AM
System Uptime: 1/28/2011 10:48:01 AM (1 hours ago)

Motherboard: Quanta | | 30BB
Processor: Genuine Intel(R) CPU T2060 @ 1.60GHz | U2E1 | 296/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 68 GiB total, 31.467 GiB free.
D: is FIXED (NTFS) - 6 GiB total, 0.763 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Amazon Kindle For PC
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASL_HS_Installer32
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Conexant HD Audio
CutePDF Writer 2.8
DivX
Drivers Install For Linksys Easylink Advisor
HP Active Support Library
HP Connections (remove only)
HP Customer Experience Enhancements
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.10 B9
HP QuickPlay 3.0
HP Total Care Advisor
HP Update
HP User Guide 0048
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) SE Runtime Environment 6
LightScribe 1.4.124.1
Linksys EasyLink Advisor 1.6 (0044)
Malwarebytes' Anti-Malware
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.5.16)
MSXML 4.0 SP2 (KB927978)
muvee autoProducer 5.0
OpenOffice.org 2.2
QuickTime
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Soft Data Fax Modem with SmartCP
Sonic Activation Module
SUPERAntiSpyware
Switch Sound File Converter
Synaptics Pointing Device Driver
Viewpoint Media Player
WavePad Sound Editor
Windows Media Player Firefox Plugin
WMPTagSupportExtender

==== Event Viewer Messages From Past Week ========

1/27/2011 6:40:39 PM, Error: EventLog [6008] - The previous system shutdown at 11:51:50 AM on 1/27/2011 was unexpected.
1/27/2011 11:33:50 AM, Error: EventLog [6008] - The previous system shutdown at 9:26:07 AM on 1/27/2011 was unexpected.
1/26/2011 9:52:30 PM, Error: EventLog [6008] - The previous system shutdown at 9:45:11 PM on 1/26/2011 was unexpected.
1/25/2011 7:58:26 PM, Error: EventLog [6008] - The previous system shutdown at 6:27:11 PM on 1/25/2011 was unexpected.
1/25/2011 6:24:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 SASDIFSV SASKUTIL
1/25/2011 6:24:55 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/25/2011 5:41:00 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 SASDIFSV SASKUTIL spldr Wanarpv6
1/25/2011 5:41:00 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/25/2011 5:40:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/25/2011 5:40:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/25/2011 5:39:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/25/2011 5:39:47 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/24/2011 6:32:41 PM, Error: EventLog [6008] - The previous system shutdown at 6:31:23 PM on 1/24/2011 was unexpected.
1/21/2011 3:38:13 PM, Error: EventLog [6008] - The previous system shutdown at 1:22:00 PM on 1/21/2011 was unexpected.

==== End Of File ===========================

 

[Broni]

Welcome aboard

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[BillyNYC]

Thank you so much. Logs are attached.



MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv6000 (RD870AV#ABA)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 155):
0x81C00000 \SystemRoot\system32\ntkrnlpa.exe
0x81FA1000 \SystemRoot\system32\hal.dll
0x802C6000 \SystemRoot\system32\kdcom.dll
0x80277000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8026E000 \SystemRoot\system32\PSHED.dll
0x80266000 \SystemRoot\system32\BOOTVID.dll
0x8022B000 \SystemRoot\system32\CLFS.SYS
0x8051F000 \SystemRoot\system32\CI.dll
0x804A4000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8021E000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80461000 \SystemRoot\system32\drivers\acpi.sys
0x80215000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8020D000 \SystemRoot\system32\drivers\msisadrv.sys
0x8043C000 \SystemRoot\system32\drivers\pci.sys
0x8042D000 \SystemRoot\system32\drivers\volmgr.sys
0x8020A000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80200000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8041D000 \SystemRoot\System32\drivers\mountmgr.sys
0x80416000 \SystemRoot\system32\drivers\intelide.sys
0x80408000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x807B6000 \SystemRoot\System32\drivers\volmgrx.sys
0x80400000 \SystemRoot\system32\drivers\atapi.sys
0x80798000 \SystemRoot\system32\drivers\ataport.SYS
0x8078F000 \SystemRoot\system32\drivers\msahci.sys
0x8075E000 \SystemRoot\system32\drivers\fltmgr.sys
0x8074E000 \SystemRoot\system32\drivers\fileinfo.sys
0x80745000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x80641000 \SystemRoot\system32\drivers\ndis.sys
0x80616000 \SystemRoot\system32\drivers\msrpc.sys
0x81BC7000 \SystemRoot\system32\drivers\NETIO.SYS
0x81ABF000 \SystemRoot\System32\Drivers\Ntfs.sys
0x81A55000 \SystemRoot\System32\Drivers\ksecdd.sys
0x81A1F000 \SystemRoot\system32\drivers\volsnap.sys
0x8060E000 \SystemRoot\System32\Drivers\spldr.sys
0x81A10000 \SystemRoot\System32\drivers\partmgr.sys
0x81A01000 \SystemRoot\System32\Drivers\mup.sys
0x825DB000 \SystemRoot\System32\drivers\ecache.sys
0x825CA000 \SystemRoot\system32\drivers\disk.sys
0x825A9000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80605000 \SystemRoot\system32\drivers\crcdisk.sys
0x86F5B000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8320E000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x88520000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x86EF0000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x83217000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x88629000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x88164000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x88157000 \SystemRoot\System32\drivers\watchdog.sys
0x88131000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x88C3F000 \SystemRoot\system32\DRIVERS\NETw3v32.sys
0x86F66000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x88092000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8853C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x82F71000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8854A000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8807A000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x88558000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8801C000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x88426000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x88601000 \SystemRoot\system32\DRIVERS\e100b325.sys
0x82E0F000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x82F81000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x87E02000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x88413000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x86F71000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x88C14000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x86F4E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x86F7C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x88FC4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x87C00000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x88F58000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x88F18000 \SystemRoot\system32\DRIVERS\storport.sys
0x86F87000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x88F01000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x86F92000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x88EDE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x86E00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x88C01000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x86E0F000 \SystemRoot\system32\DRIVERS\termdd.sys
0x86F32000 \SystemRoot\system32\DRIVERS\swenum.sys
0x88E77000 \SystemRoot\system32\DRIVERS\ks.sys
0x88E2D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x88E20000 \SystemRoot\system32\DRIVERS\umbus.sys
0x89264000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x83220000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x82F11000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x88EB5000 \SystemRoot\system32\drivers\CHDART.sys
0x88F97000 \SystemRoot\system32\drivers\portcls.sys
0x88FDC000 \SystemRoot\system32\drivers\drmk.sys
0x890A4000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x892FD000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x89681000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x89046000 \SystemRoot\system32\drivers\modem.sys
0x83244000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x890F6000 \SystemRoot\System32\Drivers\Null.SYS
0x890FD000 \SystemRoot\System32\Drivers\Beep.SYS
0x87D13000 \SystemRoot\System32\drivers\vga.sys
0x87C18000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8337C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x83384000 \SystemRoot\system32\drivers\rdpencdd.sys
0x86FC9000 \SystemRoot\System32\Drivers\Msfs.SYS
0x88566000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8324D000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x87ECF000 \SystemRoot\System32\drivers\tcpip.sys
0x87EB6000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x86F1B000 \SystemRoot\system32\DRIVERS\tdx.sys
0x87EA2000 \SystemRoot\system32\DRIVERS\smb.sys
0x87E5B000 \SystemRoot\system32\drivers\afd.sys
0x87E29000 \SystemRoot\System32\DRIVERS\netbt.sys
0x87E13000 \SystemRoot\system32\DRIVERS\pacer.sys
0x88574000 \SystemRoot\system32\DRIVERS\netbios.sys
0x86F44000 \SystemRoot\system32\DRIVERS\eabfiltr.sys
0x88009000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x87FAC000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8803F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x87C9B000 \SystemRoot\system32\drivers\nsiproxy.sys
0x88509000 \SystemRoot\System32\Drivers\dfsc.sys
0x884E3000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x89B57000 \SystemRoot\System32\Drivers\crashdmp.sys
0x86FD4000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x83256000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x94600000 \SystemRoot\System32\win32k.sys
0x87CA5000 \SystemRoot\System32\drivers\Dxapi.sys
0x86E3C000 \SystemRoot\system32\DRIVERS\monitor.sys
0x94800000 \SystemRoot\System32\TSDDD.dll
0x94810000 \SystemRoot\System32\ATMFD.DLL
0x94860000 \SystemRoot\System32\cdd.dll
0x898A5000 \SystemRoot\system32\drivers\luafv.sys
0x89890000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x89104000 \SystemRoot\system32\DRIVERS\elagopro.sys
0x82F51000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x897E5000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x87CAF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x89A1D000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA60B2000 \SystemRoot\system32\drivers\spsys.sys
0xA604C000 \SystemRoot\system32\drivers\HTTP.sys
0x89A02000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA69A7000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA5804000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA65E1000 \SystemRoot\system32\drivers\mrxdav.sys
0xA65C3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA658A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA6578000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA6554000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA6508000 \SystemRoot\System32\DRIVERS\srv.sys
0xA686F000 \SystemRoot\system32\DRIVERS\elaunidr.sys
0xA7390000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA7262000 \SystemRoot\system32\drivers\peauth.sys
0x87CB9000 \SystemRoot\System32\Drivers\secdrv.SYS
0x86FDF000 \SystemRoot\System32\drivers\tcpipreg.sys
0x83374000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA5869000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x884AF000 \??\C:\Users\WILLIA~1\AppData\Local\Temp\pwldikod.sys
0x8910B000 \??\C:\Users\WILLIA~1\AppData\Local\Temp\mbr.sys
0x77040000 \Windows\System32\ntdll.dll

Processes (total 53):
0 System Idle Process
4 System
372 C:\Windows\System32\smss.exe
440 csrss.exe
476 C:\Windows\System32\wininit.exe
496 csrss.exe
528 C:\Windows\System32\services.exe
540 C:\Windows\System32\lsass.exe
548 C:\Windows\System32\lsm.exe
696 C:\Windows\System32\winlogon.exe
704 C:\Windows\System32\svchost.exe
796 C:\Windows\System32\svchost.exe
840 C:\Windows\System32\svchost.exe
896 C:\Windows\System32\svchost.exe
944 C:\Windows\System32\svchost.exe
992 C:\Windows\System32\svchost.exe
1068 C:\Windows\System32\audiodg.exe
1128 C:\Windows\System32\SLsvc.exe
1208 C:\Windows\System32\svchost.exe
1328 C:\Windows\System32\svchost.exe
1512 C:\Windows\System32\spoolsv.exe
1540 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1576 C:\Windows\System32\svchost.exe
1968 C:\Windows\System32\dwm.exe
2004 C:\Windows\explorer.exe
420 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
444 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
520 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
500 C:\Windows\System32\svchost.exe
848 C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
1200 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
1388 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1924 C:\Windows\System32\svchost.exe
1852 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
1240 C:\Windows\System32\SearchIndexer.exe
1196 C:\Windows\System32\drivers\XAudio.exe
1560 C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
1052 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
2472 C:\Windows\System32\taskeng.exe
2576 C:\Windows\System32\taskeng.exe
2924 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3028 C:\Program Files\Java\jre1.6.0\bin\jusched.exe
3064 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3116 C:\Windows\System32\hkcmd.exe
3156 C:\Windows\System32\igfxpers.exe
3656 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
1088 C:\Windows\System32\wercon.exe
3528 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC.exe
2780 C:\Program Files\Mozilla Firefox\firefox.exe
3836 C:\Windows\System32\SearchProtocolHost.exe
1588 C:\Windows\System32\SearchFilterHost.exe
2820 C:\Users\William J\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000011`15a73200 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2080BHPL, Rev: 892C

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!




ComboFix 11-01-28.01 - William J 01/28/2011 12:26:56.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.501.171 [GMT -5:00]
Running from: c:\users\William J\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\William J\AppData\Local\{7ACA325A-5030-4D0E-9050-4FBF4A640E17}
c:\users\William J\AppData\Local\{7ACA325A-5030-4D0E-9050-4FBF4A640E17}\chrome.manifest
c:\users\William J\AppData\Local\{7ACA325A-5030-4D0E-9050-4FBF4A640E17}\chrome\content\_cfg.js
c:\users\William J\AppData\Local\{7ACA325A-5030-4D0E-9050-4FBF4A640E17}\chrome\content\overlay.xul
c:\users\William J\AppData\Local\{7ACA325A-5030-4D0E-9050-4FBF4A640E17}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-28 17:38 . 2011-01-28 17:39 -------- d-----w- c:\users\William J\AppData\Local\temp
2011-01-28 17:38 . 2011-01-28 17:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-28 16:43 . 2011-01-28 16:43 -------- d-----w- c:\users\William J\AppData\Roaming\Avira
2011-01-28 15:13 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-28 15:13 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-28 15:13 . 2011-01-28 15:13 -------- d-----w- c:\programdata\Avira
2011-01-28 15:13 . 2011-01-28 15:13 -------- d-----w- c:\program files\Avira
2011-01-20 18:53 . 2011-01-20 18:54 -------- d-----w- c:\users\William J\AppData\Roaming\muvee Technologies
2011-01-20 18:53 . 2011-01-20 18:53 -------- d-----w- c:\programdata\muvee Technologies
2011-01-20 18:45 . 2011-01-20 18:45 -------- d-----w- c:\users\William J\AppData\Roaming\Template
2011-01-20 18:39 . 2011-01-20 18:39 -------- d-----w- c:\users\William J\AppData\Local\Seven Zip
2011-01-20 15:35 . 2011-01-20 15:35 -------- d-----w- c:\programdata\SITEguard
2011-01-20 15:33 . 2011-01-20 15:33 -------- d-----w- c:\program files\Common Files\iS3
2011-01-20 15:33 . 2011-01-20 18:38 -------- d-----w- c:\programdata\STOPzilla!
2011-01-14 17:49 . 2011-01-14 17:49 -------- d-----w- c:\users\William J\AppData\Roaming\Amazon
2011-01-14 17:48 . 2011-01-14 17:48 -------- d-----w- c:\users\William J\AppData\Local\Amazon
2011-01-10 20:46 . 2011-01-10 21:32 -------- d-----w- c:\program files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-10 14:36 . 2009-10-26 13:38 0 ----a-w- c:\users\William J\AppData\Local\Hlividemaw.bin
2010-12-20 23:09 . 2009-10-24 14:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-10-24 14:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 13:56 . 2009-10-24 13:55 3550592 ----a-w- c:\program files\explorer.exe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2006-12-18 77824]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 151552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 126976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\malwarebytes' anti-malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\malwarebytes' anti-malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-11-22 16:29 2424560 ----a-w- c:\users\William J\Desktop\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\users\William J\Desktop\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\William J\Desktop\SASKUTIL.SYS [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PWLDIKOD
*NewlyCreated* - SSMDRV
*Deregistered* - pwldikod

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\William J\AppData\Roaming\Mozilla\Firefox\Profiles\ldn7ks29.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: oldbar: {46868735-c3fa-47ce-8ce7-cce51a66aceb} - %profile%\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - c:\users\William J\Desktop\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 12:39
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2891663152-3519609071-3247606995-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{136EE694-47F7-17B3-262A-0098708902DB}*]
"haegaheefgkfnkgf"=hex:6a,61,6c,62,65,67,64,67,6d,62,66,61,61,69,70,68,6d,6c,
61,64,00,00
"iaoekinngimcoimhok"=hex:69,61,6d,62,62,67,65,61,67,62,6e,66,66,68,64,6c,66,62,
00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-28 12:44:44
ComboFix-quarantined-files.txt 2011-01-28 17:44

Pre-Run: 33,694,769,152 bytes free
Post-Run: 33,640,669,184 bytes free

- - End Of File - - D5D024BC95B572A63C394908BC4CBEEC

 

[Broni]

How is redirection?

We need to doublecheck your MBR...

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
• After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[BillyNYC]

Thank you. Search results seem ok for now. Here is the log:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows Vista Home Basic Edition (build 6000), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: df1c10548966c4f16c540ebf80ffd180

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

 

[Broni]

Good news

We need to fix your MBR though...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

• Place a blank CD in your CD drive.
• Double click on NTBR_CD.exe file and a folder of the same name will appear.
• Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
• Follow the prompts to burn the CD.

• Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
• If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

• Insert the newly created CD into your infected PC and reboot your computer.
• Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
• Read the warning and then continue as prompted.
• You first need to select your keyboard layout - press Enter for English.
• Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
• On the following screen enter 5 to select Install Standard MBR code.
• Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
• When asked to confirm please do so.
• Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
• Eject the disc and then press ctrl+alt+del to reboot the PC.

Once rebooted, run MBRCheck again and post its log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is Dell computer, let me know before proceeding.

 

[BillyNYC]

• Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
• If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

Hey I'm really unfamiliar with this, so I have a question before I proceed. I checked out the link to see how to go about setting CDROM as boot device, but none of the solutions listed look like what came up on my computer.

When I restarted, I clicked f10 to enter setup, and got this screen:

EDIT BOOT OPTIONS

Path: \windows\system32\winload

Partition: I
Hard Disk: 2ed509c4

{/NOEXECUTE=OPTIN

Enter= Submit

ESC= Cancel

I wasn't sure what to do. Probably just click enter to continue?

 

[Broni]

I don't think, it's correct.
To access BIOS on HP computers...

Hewlett-Parkard (HP Pavilion, TouchSmart, Vectra, OmniBook, Tablet): Press [F1] Upon Startup or Bootup
Hewlett-Parkard (HP Alternative): Press [F2] or [Esc]
Hewlett-Parkard (HP) Tablet PC: Press [F10] or [F12]

 

[BillyNYC]

I found boot order info from hp support, and was able to set cdrom as boot order #1. Will use the disk now and update you with a log shortly.

 

[Broni]

Very well

 

[BillyNYC]

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv6000 (RD870AV#ABA)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 153):
0x81C00000 \SystemRoot\system32\ntkrnlpa.exe
0x81FA1000 \SystemRoot\system32\hal.dll
0x802C6000 \SystemRoot\system32\kdcom.dll
0x80277000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8026E000 \SystemRoot\system32\PSHED.dll
0x80266000 \SystemRoot\system32\BOOTVID.dll
0x8022B000 \SystemRoot\system32\CLFS.SYS
0x8051F000 \SystemRoot\system32\CI.dll
0x804A4000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8021E000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80461000 \SystemRoot\system32\drivers\acpi.sys
0x80215000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8020D000 \SystemRoot\system32\drivers\msisadrv.sys
0x8043C000 \SystemRoot\system32\drivers\pci.sys
0x8042D000 \SystemRoot\system32\drivers\volmgr.sys
0x8020A000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80200000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8041D000 \SystemRoot\System32\drivers\mountmgr.sys
0x80416000 \SystemRoot\system32\drivers\intelide.sys
0x80408000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x807B6000 \SystemRoot\System32\drivers\volmgrx.sys
0x80400000 \SystemRoot\system32\drivers\atapi.sys
0x80798000 \SystemRoot\system32\drivers\ataport.SYS
0x8078F000 \SystemRoot\system32\drivers\msahci.sys
0x8075E000 \SystemRoot\system32\drivers\fltmgr.sys
0x8074E000 \SystemRoot\system32\drivers\fileinfo.sys
0x80745000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x80641000 \SystemRoot\system32\drivers\ndis.sys
0x80616000 \SystemRoot\system32\drivers\msrpc.sys
0x81BC7000 \SystemRoot\system32\drivers\NETIO.SYS
0x81ABF000 \SystemRoot\System32\Drivers\Ntfs.sys
0x81A55000 \SystemRoot\System32\Drivers\ksecdd.sys
0x81A1F000 \SystemRoot\system32\drivers\volsnap.sys
0x8060E000 \SystemRoot\System32\Drivers\spldr.sys
0x81A10000 \SystemRoot\System32\drivers\partmgr.sys
0x81A01000 \SystemRoot\System32\Drivers\mup.sys
0x825DB000 \SystemRoot\System32\drivers\ecache.sys
0x825CA000 \SystemRoot\system32\drivers\disk.sys
0x825A9000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80605000 \SystemRoot\system32\drivers\crcdisk.sys
0x87805000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x83382000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x87D20000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8322E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8338B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x88229000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x87900000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x87008000 \SystemRoot\System32\drivers\watchdog.sys
0x871C0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x87644000 \SystemRoot\system32\DRIVERS\NETw3v32.sys
0x870F2000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x87607000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x87D2E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x82F81000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x87D3C000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x87D08000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x87D4A000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x87CF4000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x87CA3000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x87C7B000 \SystemRoot\system32\DRIVERS\e100b325.sys
0x871A8000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x82FDD000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x83200000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x87C38000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x870FD000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x87A5A000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x871E8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x87108000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x87A42000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x87810000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x88002000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x88189000 \SystemRoot\system32\DRIVERS\storport.sys
0x87113000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x88172000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8711E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8814F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x82FF1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x88119000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8810A000 \SystemRoot\system32\DRIVERS\termdd.sys
0x871EC000 \SystemRoot\system32\DRIVERS\swenum.sys
0x880E0000 \SystemRoot\system32\DRIVERS\ks.sys
0x8809D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x880D3000 \SystemRoot\system32\DRIVERS\umbus.sys
0x88D7A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8339D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x82F11000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x88C54000 \SystemRoot\system32\drivers\CHDART.sys
0x88C27000 \SystemRoot\system32\drivers\portcls.sys
0x88C02000 \SystemRoot\system32\drivers\drmk.sys
0x88FC3000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x88EC0000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x88E0C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x880AE000 \SystemRoot\system32\drivers\modem.sys
0x833B8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8805E000 \SystemRoot\System32\Drivers\Null.SYS
0x88065000 \SystemRoot\System32\Drivers\Beep.SYS
0x87B84000 \SystemRoot\System32\drivers\vga.sys
0x870B5000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x83333000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8333B000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8713F000 \SystemRoot\System32\Drivers\Msfs.SYS
0x87D82000 \SystemRoot\System32\Drivers\Npfs.SYS
0x833C1000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8885F000 \SystemRoot\System32\drivers\tcpip.sys
0x878E7000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x878D2000 \SystemRoot\system32\DRIVERS\tdx.sys
0x87A18000 \SystemRoot\system32\DRIVERS\smb.sys
0x879D1000 \SystemRoot\system32\drivers\afd.sys
0x8799F000 \SystemRoot\System32\DRIVERS\netbt.sys
0x87B62000 \SystemRoot\system32\DRIVERS\pacer.sys
0x87D90000 \SystemRoot\system32\DRIVERS\netbios.sys
0x871D4000 \SystemRoot\system32\DRIVERS\eabfiltr.sys
0x87B4F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x881E1000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x87B14000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x87047000 \SystemRoot\system32\drivers\nsiproxy.sys
0x87AFD000 \SystemRoot\System32\Drivers\dfsc.sys
0x87AD7000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8893D000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8714A000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x833CA000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x93800000 \SystemRoot\System32\win32k.sys
0x87051000 \SystemRoot\System32\drivers\Dxapi.sys
0x93A90000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA4600000 \SystemRoot\System32\TSDDD.dll
0xA4610000 \SystemRoot\System32\ATMFD.DLL
0xA4660000 \SystemRoot\System32\cdd.dll
0xA3CAF000 \SystemRoot\system32\drivers\luafv.sys
0xA3C9A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x8806C000 \SystemRoot\system32\DRIVERS\elagopro.sys
0x82F41000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA4927000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8705B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA4914000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA5264000 \SystemRoot\system32\drivers\HTTP.sys
0xA5772000 \SystemRoot\system32\drivers\spsys.sys
0xA5757000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA56FE000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA56EA000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA56CB000 \SystemRoot\system32\drivers\mrxdav.sys
0xA5631000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA59C7000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA561F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA59A3000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA5957000 \SystemRoot\System32\DRIVERS\srv.sys
0xA56AB000 \SystemRoot\system32\DRIVERS\elaunidr.sys
0xA5AC4000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA6F22000 \SystemRoot\system32\drivers\peauth.sys
0x87065000 \SystemRoot\System32\Drivers\secdrv.SYS
0x87155000 \SystemRoot\System32\drivers\tcpipreg.sys
0x8331B000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA4C8A000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77300000 \Windows\System32\ntdll.dll

Processes (total 52):
0 System Idle Process
4 System
372 C:\Windows\System32\smss.exe
440 csrss.exe
492 C:\Windows\System32\wininit.exe
512 csrss.exe
544 C:\Windows\System32\services.exe
556 C:\Windows\System32\lsass.exe
564 C:\Windows\System32\lsm.exe
720 C:\Windows\System32\svchost.exe
728 C:\Windows\System32\winlogon.exe
820 C:\Windows\System32\svchost.exe
864 C:\Windows\System32\svchost.exe
932 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\audiodg.exe
1164 C:\Windows\System32\SLsvc.exe
1240 C:\Windows\System32\svchost.exe
1380 C:\Windows\System32\svchost.exe
1580 C:\Windows\System32\spoolsv.exe
1604 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1624 C:\Windows\System32\svchost.exe
1956 C:\Windows\System32\dwm.exe
1964 C:\Windows\System32\taskeng.exe
2036 C:\Windows\explorer.exe
696 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
640 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
884 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1232 C:\Windows\System32\svchost.exe
1352 C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
1632 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
1896 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
844 C:\Windows\System32\svchost.exe
1156 C:\Windows\System32\svchost.exe
1652 C:\Windows\System32\svchost.exe
1804 C:\Windows\System32\SearchIndexer.exe
2104 C:\Windows\System32\drivers\XAudio.exe
2120 C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
2140 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
2596 C:\Windows\System32\taskeng.exe
2864 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2888 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
2920 C:\Program Files\Java\jre1.6.0\bin\jusched.exe
2932 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3012 C:\Windows\System32\hkcmd.exe
3028 C:\Windows\System32\igfxpers.exe
3052 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3516 C:\Windows\System32\wercon.exe
3560 C:\Windows\System32\SearchProtocolHost.exe
3932 C:\Users\William J\Desktop\MBRCheck.exe
3948 C:\Windows\System32\SearchFilterHost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000011`15a73200 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2080BHPL, Rev: 892C

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

 

[Broni]

Well done

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\users\William J\AppData\Local\Hlividemaw.bin


Folder::
c:\programdata\SITEguard
c:\program files\Common Files\iS3
c:\programdata\STOPzilla!


RegNull::
[HKEY_USERS\S-1-5-21-2891663152-3519609071-3247606995-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{136EE694-47F7-17B3-262A-0098708902DB}*]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[BillyNYC]

ComboFix 11-01-28.01 - William J 01/28/2011 15:54:17.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.501.182 [GMT -5:00]
Running from: c:\users\William J\Desktop\ComboFix.exe
Command switches used :: c:\users\William J\Desktop\CFscript.txt
* Created a new restore point

FILE ::
"c:\users\William J\AppData\Local\Hlividemaw.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\iS3
c:\program files\Common Files\iS3\Anti-Spyware\sgdfull.rsf
c:\programdata\SITEguard
c:\programdata\SITEguard\siteguard.db
c:\programdata\STOPzilla!
c:\programdata\STOPzilla!\modules_scanned.db
c:\programdata\STOPzilla!\modules_scanned.db.bak
c:\programdata\STOPzilla!\scanner.log
c:\programdata\STOPzilla!\sgdefs.db
c:\programdata\STOPzilla!\sgdwc.db
c:\programdata\STOPzilla!\userdata.db
c:\programdata\STOPzilla!\zilla5.log
c:\users\William J\AppData\Local\Hlividemaw.bin

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-28 21:08 . 2011-01-28 21:09 -------- d-----w- c:\users\William J\AppData\Local\temp
2011-01-28 21:08 . 2011-01-28 21:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-28 18:12 . 2011-01-28 18:12 -------- d-----w- c:\program files\7-Zip
2011-01-28 16:43 . 2011-01-28 16:43 -------- d-----w- c:\users\William J\AppData\Roaming\Avira
2011-01-28 15:13 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-28 15:13 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-28 15:13 . 2011-01-28 15:13 -------- d-----w- c:\programdata\Avira
2011-01-28 15:13 . 2011-01-28 15:13 -------- d-----w- c:\program files\Avira
2011-01-20 18:53 . 2011-01-20 18:54 -------- d-----w- c:\users\William J\AppData\Roaming\muvee Technologies
2011-01-20 18:53 . 2011-01-20 18:53 -------- d-----w- c:\programdata\muvee Technologies
2011-01-20 18:45 . 2011-01-20 18:45 -------- d-----w- c:\users\William J\AppData\Roaming\Template
2011-01-20 18:39 . 2011-01-20 18:39 -------- d-----w- c:\users\William J\AppData\Local\Seven Zip
2011-01-14 17:49 . 2011-01-14 17:49 -------- d-----w- c:\users\William J\AppData\Roaming\Amazon
2011-01-14 17:48 . 2011-01-14 17:48 -------- d-----w- c:\users\William J\AppData\Local\Amazon
2011-01-10 20:46 . 2011-01-10 21:32 -------- d-----w- c:\program files\Common Files\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2009-10-24 14:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-10-24 14:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 13:56 . 2009-10-24 13:55 3550592 ----a-w- c:\program files\explorer.exe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-28 46704]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2006-12-18 77824]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 151552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 126976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 01:59 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\malwarebytes' anti-malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\malwarebytes' anti-malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-11-22 16:29 2424560 ----a-w- c:\users\William J\Desktop\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\users\William J\Desktop\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\William J\Desktop\SASKUTIL.SYS [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\William J\AppData\Roaming\Mozilla\Firefox\Profiles\ldn7ks29.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: oldbar: {46868735-c3fa-47ce-8ce7-cce51a66aceb} - %profile%\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adblock Plus Pop-up Addon: adblockpopups@jessehakanen.net - %profile%\extensions\adblockpopups@jessehakanen.net
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 16:08
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-28 16:18:03
ComboFix-quarantined-files.txt 2011-01-28 21:17
ComboFix2.txt 2011-01-28 17:44

Pre-Run: 33,558,065,152 bytes free
Post-Run: 33,535,537,152 bytes free

- - End Of File - - CAF6C6C867C2337F47408224F544DBB5

 

[Broni]

Good

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[BillyNYC]

in two posts: first the OTL.txt


OTL logfile created on: 1/28/2011 4:38:55 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\William J\Desktop
Windows Vista Home Basic Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16473)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

501.00 Mb Total Physical Memory | 200.00 Mb Available Physical Memory | 40.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68.34 Gb Total Space | 31.27 Gb Free Space | 45.75% Space Free | Partition Type: NTFS
Drive D: | 6.19 Gb Total Space | 0.76 Gb Free Space | 12.33% Space Free | Partition Type: NTFS

Computer Name: WILLIAMJ-PC | User Name: William J | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/28 16:37:24 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\William J\Desktop\OTL.exe
PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2006/12/18 01:24:26 | 000,077,824 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0\bin\jusched.exe
PRC - [2006/11/24 18:34:20 | 000,118,877 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
PRC - [2006/11/24 18:34:16 | 000,270,431 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
PRC - [2006/11/02 04:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/01/28 16:37:24 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\William J\Desktop\OTL.exe
MOD - [2006/11/02 04:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/04/11 16:51:42 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/11/24 18:34:20 | 000,118,877 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2006/11/24 18:34:16 | 000,270,431 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2006/06/26 12:50:08 | 000,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2004/10/22 06:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007/03/22 11:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 11:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2007/02/26 17:54:08 | 001,608,192 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/02/26 17:54:08 | 001,608,192 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2006/11/19 06:32:16 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/11/16 04:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/15 23:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/15 21:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/15 00:24:00 | 000,179,256 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/11/09 04:02:30 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 04:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 04:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:41:49 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2006/11/02 02:30:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XV)
DRV - [2006/10/18 06:09:26 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/10/18 06:08:14 | 000,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/10/18 06:08:04 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/08/04 12:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/06/28 12:57:00 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2006/06/28 12:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2004/02/16 16:51:26 | 000,016,128 | ---- | M] (Digital Networks North America, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RIOUNIV.SYS -- (RIOUNIV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
IE - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: adblockpopups@jessehakanen.net:0.2.1
FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/14 17:57:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/14 17:57:49 | 000,000,000 | ---D | M]

[2009/01/19 18:00:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\William J\AppData\Roaming\Mozilla\Extensions
[2011/01/27 19:04:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\William J\AppData\Roaming\Mozilla\Firefox\Profiles\ldn7ks29.default\extensions
[2010/08/15 22:00:01 | 000,000,000 | ---D | M] (oldbar) -- C:\Users\William J\AppData\Roaming\Mozilla\Firefox\Profiles\ldn7ks29.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
[2011/01/21 19:52:34 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\William J\AppData\Roaming\Mozilla\Firefox\Profiles\ldn7ks29.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/01/23 19:39:36 | 000,000,000 | ---D | M] (Adblock Plus Pop-up Addon) -- C:\Users\William J\AppData\Roaming\Mozilla\Firefox\Profiles\ldn7ks29.default\extensions\adblockpopups@jessehakanen.net
[2009/06/30 18:56:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2011/01/28 16:08:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\William J\Pictures\girl in gallery.jpg
O24 - Desktop BackupWallPaper: C:\Users\William J\Pictures\girl in gallery.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/18 01:10:51 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 09:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - File not found
Drivers32: msacm.lameacm - C:\Windows\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\divx.dll (DivX, Inc.)
Drivers32: vidc.xvid - C:\Windows\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2011/01/28 16:37:14 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\William J\Desktop\OTL.exe
[2011/01/28 16:18:27 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/01/28 16:18:14 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/01/28 16:18:14 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Local\temp
[2011/01/28 13:30:12 | 000,000,000 | ---D | C] -- C:\Users\William J\Desktop\NTBR_CD
[2011/01/28 13:13:31 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Users\William J\Desktop\remover.exe
[2011/01/28 13:12:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
[2011/01/28 13:12:40 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2011/01/28 12:24:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/01/28 12:24:01 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/01/28 12:24:01 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/01/28 12:24:01 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/01/28 12:23:50 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/01/28 12:22:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/28 12:13:03 | 000,000,000 | ---D | C] -- C:\Users\William J\Desktop\virus removal
[2011/01/28 11:43:10 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Roaming\Avira
[2011/01/28 10:36:00 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\William J\Desktop\TFC.exe
[2011/01/28 10:14:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2011/01/28 10:13:28 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2011/01/28 10:13:22 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2011/01/28 10:13:21 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2011/01/28 10:13:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2011/01/28 10:13:09 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/01/20 14:50:39 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/01/20 13:53:57 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Roaming\muvee Technologies
[2011/01/20 13:53:56 | 000,000,000 | ---D | C] -- C:\ProgramData\muvee Technologies
[2011/01/20 13:45:44 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Roaming\Template
[2011/01/20 13:39:35 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Local\Seven Zip
[2011/01/14 12:49:52 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Roaming\Amazon
[2011/01/14 12:49:50 | 000,000,000 | ---D | C] -- C:\Users\William J\Documents\My Kindle Content
[2011/01/14 12:48:40 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
[2011/01/14 12:48:36 | 000,000,000 | ---D | C] -- C:\Users\William J\AppData\Local\Amazon
[2011/01/10 15:46:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/01/10 15:46:55 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2009/10/24 08:55:41 | 003,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\explorer.exe.exe

========== Files - Modified Within 30 Days ==========

[2011/01/28 16:37:24 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\William J\Desktop\OTL.exe
[2011/01/28 16:19:28 | 000,008,299 | ---- | M] () -- C:\Users\William J\Desktop\combofix2.exe
[2011/01/28 16:08:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/01/28 15:46:00 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/01/28 15:46:00 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/01/28 14:45:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/28 14:41:42 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/01/28 13:29:48 | 002,565,432 | ---- | M] () -- C:\Users\William J\Desktop\NTBR_CD.exe
[2011/01/28 13:11:13 | 001,110,476 | ---- | M] () -- C:\Users\William J\Desktop\7z920.exe
[2011/01/28 13:09:56 | 000,039,605 | ---- | M] () -- C:\Users\William J\Desktop\bootkit_remover.rar
[2011/01/28 12:15:57 | 004,261,554 | R--- | M] () -- C:\Users\William J\Desktop\ComboFix.exe
[2011/01/28 12:10:41 | 000,080,384 | ---- | M] () -- C:\Users\William J\Desktop\MBRCheck.exe
[2011/01/28 10:36:10 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\William J\Desktop\TFC.exe
[2011/01/28 10:14:22 | 000,001,847 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2011/01/23 09:58:37 | 000,618,648 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/01/23 09:58:37 | 000,104,024 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/01/21 16:40:04 | 000,052,837 | ---- | M] () -- C:\Users\William J\Documents\drumsorbison.wma
[2011/01/20 15:04:53 | 000,494,387 | ---- | M] () -- C:\Users\William J\Documents\bachata drums 2.wma
[2011/01/20 15:03:11 | 000,579,697 | ---- | M] () -- C:\Users\William J\Documents\bachata drums.wma
[2011/01/20 14:45:28 | 000,000,149 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2011/01/20 14:40:44 | 000,001,356 | ---- | M] () -- C:\Users\William J\AppData\Local\d3d9caps.dat
[2011/01/20 13:52:12 | 000,000,956 | ---- | M] () -- C:\Users\William J\Desktop\WavePad Sound Editor.lnk
[2011/01/20 13:49:42 | 000,661,452 | ---- | M] () -- C:\Users\William J\Documents\DRUMS7772.wav
[2011/01/20 13:45:23 | 000,000,000 | ---- | M] () -- C:\Users\William J\AppData\Roaming\wklnhst.dat
[2011/01/20 13:32:18 | 000,000,240 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2011/01/20 10:38:06 | 000,040,960 | -H-- | M] () -- C:\SZKGFS.dat
[2011/01/18 14:10:13 | 000,017,920 | ---- | M] () -- C:\Users\William J\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/14 12:48:43 | 000,002,128 | ---- | M] () -- C:\Users\William J\Desktop\Kindle For PC.lnk
[2011/01/10 15:48:20 | 000,787,364 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/01/10 15:23:23 | 000,000,120 | ---- | M] () -- C:\Users\William J\AppData\Local\Ejitet.dat

========== Files Created - No Company Name ==========

[2011/01/28 16:19:28 | 000,008,299 | ---- | C] () -- C:\Users\William J\Desktop\combofix2.exe
[2011/01/28 13:29:39 | 002,565,432 | ---- | C] () -- C:\Users\William J\Desktop\NTBR_CD.exe
[2011/01/28 13:11:08 | 001,110,476 | ---- | C] () -- C:\Users\William J\Desktop\7z920.exe
[2011/01/28 13:09:48 | 000,039,605 | ---- | C] () -- C:\Users\William J\Desktop\bootkit_remover.rar
[2011/01/28 12:24:01 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/01/28 12:24:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/01/28 12:24:01 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/01/28 12:24:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/01/28 12:24:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/01/28 12:15:38 | 004,261,554 | R--- | C] () -- C:\Users\William J\Desktop\ComboFix.exe
[2011/01/28 12:10:36 | 000,080,384 | ---- | C] () -- C:\Users\William J\Desktop\MBRCheck.exe
[2011/01/28 10:14:22 | 000,001,847 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
[2011/01/21 16:37:09 | 000,052,837 | ---- | C] () -- C:\Users\William J\Documents\drumsorbison.wma
[2011/01/20 15:04:53 | 000,494,387 | ---- | C] () -- C:\Users\William J\Documents\bachata drums 2.wma
[2011/01/20 15:03:11 | 000,579,697 | ---- | C] () -- C:\Users\William J\Documents\bachata drums.wma
[2011/01/20 13:52:12 | 000,000,956 | ---- | C] () -- C:\Users\William J\Desktop\WavePad Sound Editor.lnk
[2011/01/20 13:49:39 | 000,661,452 | ---- | C] () -- C:\Users\William J\Documents\DRUMS7772.wav
[2011/01/20 13:45:23 | 000,000,000 | ---- | C] () -- C:\Users\William J\AppData\Roaming\wklnhst.dat
[2011/01/20 13:32:18 | 000,000,240 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2011/01/20 10:38:06 | 000,040,960 | -H-- | C] () -- C:\SZKGFS.dat
[2011/01/14 12:48:43 | 000,002,128 | ---- | C] () -- C:\Users\William J\Desktop\Kindle For PC.lnk
[2011/01/10 15:48:06 | 000,787,364 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2010/09/17 14:10:04 | 000,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
[2009/10/26 08:38:13 | 000,000,120 | ---- | C] () -- C:\Users\William J\AppData\Local\Ejitet.dat
[2008/05/21 19:29:55 | 000,761,856 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/05/21 19:29:55 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/05/21 19:29:53 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/04/16 17:47:54 | 000,001,356 | ---- | C] () -- C:\Users\William J\AppData\Local\d3d9caps.dat
[2007/09/12 05:02:10 | 000,022,312 | ---- | C] () -- C:\Users\William J\AppData\Roaming\UserTile.png
[2007/03/23 19:52:19 | 000,000,029 | ---- | C] () -- C:\Windows\atid.ini
[2007/03/08 04:50:12 | 000,017,920 | ---- | C] () -- C:\Users\William J\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/02/26 17:54:14 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2007/02/15 13:44:51 | 000,000,000 | ---- | C] () -- C:\Users\William J\AppData\Local\QSwitch.txt
[2007/02/15 13:44:51 | 000,000,000 | ---- | C] () -- C:\Users\William J\AppData\Local\DSwitch.txt
[2007/02/15 13:44:51 | 000,000,000 | ---- | C] () -- C:\Users\William J\AppData\Local\AtStart.txt
[2006/11/29 02:32:42 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/06 06:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/11/06 04:05:40 | 000,180,224 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/19 02:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 02:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 18:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/05/07 23:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2004/09/16 15:24:26 | 003,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll

========== LOP Check ==========

[2011/01/20 13:40:52 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\Aim
[2011/01/14 12:49:52 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\Amazon
[2007/11/23 00:58:03 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\BitTorrent
[2011/01/20 13:54:15 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\muvee Technologies
[2009/05/25 13:51:01 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\NCH Swift Sound
[2007/09/12 05:02:09 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\PeerNetworking
[2011/01/20 13:45:44 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\Template
[2010/09/16 23:00:03 | 000,000,000 | ---D | M] -- C:\Users\William J\AppData\Roaming\uTorrent
[2011/01/28 14:45:58 | 000,032,546 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/04/30 23:19:49 | 000,001,024 | ---- | M] () -- C:\.rnd
[2006/12/18 01:10:51 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
[2006/11/02 04:53:57 | 000,438,840 | RHS- | M] () -- C:\bootmgr
[2011/01/28 16:18:08 | 000,008,299 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2009/06/30 18:53:03 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/03/23 20:01:34 | 000,001,356 | -H-- | M] () -- C:\IPH.PH
[2011/01/10 16:42:29 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2009/06/30 18:53:03 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/01/28 14:45:48 | 1073,741,824 | -HS- | M] () -- C:\pagefile.sys
[2010/12/02 09:52:53 | 000,000,383 | ---- | M] () -- C:\rkill.log
[2011/01/20 10:38:06 | 000,040,960 | -H-- | M] () -- C:\SZKGFS.dat
[2011/01/11 12:37:38 | 000,058,002 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_11.01.2011_12.36.55_log.txt
[2011/01/11 12:45:35 | 000,114,022 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_11.01.2011_12.43.36_log.txt
[2011/01/11 12:45:07 | 000,001,892 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_11.01.2011_12.45.05_log.txt
[2011/01/13 07:40:08 | 000,058,002 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_13.01.2011_07.39.16_log.txt
[2011/01/18 13:09:24 | 000,058,002 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_18.01.2011_13.08.27_log.txt
[2011/01/21 12:07:44 | 000,058,248 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_21.01.2011_12.05.44_log.txt
[2011/01/25 17:44:37 | 000,058,024 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_25.01.2011_17.43.12_log.txt
[2011/01/25 17:57:33 | 000,058,024 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_25.01.2011_17.55.32_log.txt
[2011/01/27 20:00:31 | 000,058,248 | ---- | M] () -- C:\TDSSKiller.2.4.15.0_27.01.2011_19.58.17_log.txt

< %systemroot%\Fonts\*.com >
[2006/11/02 07:35:34 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:35:34 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:35:34 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 07:35:34 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | -H-- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/10/26 22:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2006/11/02 07:48:00 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
[2009/10/24 08:56:15 | 003,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Program Files\explorer.exe.exe

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/06/13 14:40:08 | 000,000,365 | -HS- | M] () -- C:\Users\William J\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/01/28 13:11:13 | 001,110,476 | ---- | M] () -- C:\Users\William J\Desktop\7z920.exe
[2011/01/28 12:15:57 | 004,261,554 | R--- | M] () -- C:\Users\William J\Desktop\ComboFix.exe
[2011/01/28 16:19:28 | 000,008,299 | ---- | M] () -- C:\Users\William J\Desktop\combofix2.exe
[2011/01/28 12:10:41 | 000,080,384 | ---- | M] () -- C:\Users\William J\Desktop\MBRCheck.exe
[2011/01/28 13:29:48 | 002,565,432 | ---- | M] () -- C:\Users\William J\Desktop\NTBR_CD.exe
[2011/01/28 16:37:24 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\William J\Desktop\OTL.exe
[2010/09/01 15:33:49 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Users\William J\Desktop\remover.exe
[2010/11/22 11:29:41 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Users\William J\Desktop\SUPERAntiSpyware.exe
[2011/01/28 10:36:10 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\William J\Desktop\TFC.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2007/02/15 05:17:22 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
[2007/02/15 05:16:52 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
[2007/02/15 05:16:52 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
[2007/02/15 05:16:52 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
[2007/02/15 05:16:52 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
[2007/02/15 05:16:52 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/02/15 13:43:03 | 000,000,402 | -HS- | M] () -- C:\Users\William J\Favorites\desktop.ini
[2009/05/25 13:51:01 | 000,000,468 | ---- | M] () -- C:\Users\William J\Favorites\NCH Audio and Telephony Software.lnk

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMPFC5A2B2

< End of report >

 

[BillyNYC]

Now, Extras.txt


OTL Extras logfile created on: 1/28/2011 4:38:55 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\William J\Desktop
Windows Vista Home Basic Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16473)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

501.00 Mb Total Physical Memory | 200.00 Mb Available Physical Memory | 40.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 68.34 Gb Total Space | 31.27 Gb Free Space | 45.75% Space Free | Partition Type: NTFS
Drive D: | 6.19 Gb Total Space | 0.76 Gb Free Space | 12.33% Space Free | Partition Type: NTFS

Computer Name: WILLIAMJ-PC | User Name: William J | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2891663152-3519609071-3247606995-1000\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01B9E51C-3A0D-4677-A209-ADBA27BF624E}" = protocol=17 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{10A9AF8D-2892-4826-99B7-D7A36A70EE42}" = protocol=17 | dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{1DD85121-B762-48B5-A47A-D07266BE6DE2}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{24B1327D-5460-4CC8-8E56-795C47F779C5}" = protocol=6 | dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{2E51F4FD-3664-476F-B51F-DB75E04BB35F}" = dir=in | app=c:\program files\hp connections\6811507\program\hp connections |
"{337110B0-A88D-44F5-B06F-BDA91B4BFCBC}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{5B2FEE81-7E3E-4393-A0C2-5468AEA20C5D}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{691A846D-FE87-40A2-ACEC-083FBFC7D14A}" = protocol=6 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{6C83BF44-8A32-4A6D-92A9-7354B721C304}" = protocol=17 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{6CBC1BF2-0E6F-485F-8C97-E48FD1BD675A}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{828C1FEB-96DC-46A1-A782-EFF987D8B65A}" = protocol=6 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{8AD136F6-7C6D-4DF7-A1D3-320336CB5099}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{98AA6E4E-FFBD-4EED-953A-D7EB39DDABED}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{AD43046B-B6E4-4112-A7E6-C846FAA33008}" = protocol=6 | dir=in | app=c:\program files\bittorrent_dna\dna.exe |
"{B65615D0-97B8-4DDF-9461-1730C4E87079}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{C9951064-7CCC-4C61-A002-CF6EDF7CAE50}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{CA693391-D185-4079-81D4-05BF70EADB40}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{CB975633-67A2-4538-BA84-BB30402088A8}" = protocol=6 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{D5E8A9B9-7BAD-4B0D-89DE-A61A6267018D}" = protocol=17 | dir=in | app=c:\program files\bittorrent_dna\dna.exe |
"{E383AF01-B4E7-41D0-8249-5FCF8E631B3C}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02F33FB0-F7D5-4C0A-B4AD-8CE5CE230BBE}" = HP Wireless Assistant
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21E62565-8639-457C-B64C-A3FF0A8B4D80}" = HP Active Support Library
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 B9
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3CCBC9FF-7F35-4220-B66D-B60E2E7AB4E2}" = OpenOffice.org 2.2
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.0
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}" = WMPTagSupportExtender
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{99C5770C-1C90-42E7-9B74-D47CFAF14621}" = muvee autoProducer 5.0
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A12A3DED-CCDA-4F29-A1BA-00F0C6521CD5}" = HP Total Care Advisor
"{A1960A82-DB70-474D-A86B-FA74466103C6}" = Drivers Install For Linksys Easylink Advisor
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"{E4DDBA93-769B-49D8-BA33-8814E45ED0C1}" = HP Help and Support
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{ED4905E3-2B32-4DD8-BC14-7CAFD30E9ECD}" = HP User Guide 0048
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}" = HP Easy Setup - Core
"{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}" = ASL_HS_Installer32
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"7-Zip" = 7-Zip 9.20
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_103C30B7" = Soft Data Fax Modem with SmartCP
"CutePDF Writer Installation" = CutePDF Writer 2.8
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.6 (0044)
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HPOOVClient-6811507 Uninstaller" = HP Connections (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.16)" = Mozilla Firefox (3.5.16)
"Switch" = Switch Sound File Converter
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WavePad" = WavePad Sound Editor

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2891663152-3519609071-3247606995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle For PC" = Amazon Kindle For PC
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

Error - 1/28/2011 5:45:36 PM | Computer Name = WilliamJ-PC | Source = ESENT | ID = 476
Description = wuaueng.dll (1032) SUS20ClientDataStore: The database page read from
the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 4530176
(0x0000000000452000) (database page 1105 (0x451)) for 4096 (0x00001000) bytes failed
verification because it contains no page data. The read operation will fail with
error -1019 (0xfffffc05). If this condition persists then please restore the database
from a previous backup. This problem is likely due to faulty hardware. Please contact
your hardware vendor for further assistance diagnosing the problem.

[ System Events ]
Error - 1/28/2011 3:12:41 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 1/28/2011 3:12:42 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 1/28/2011 3:16:32 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7043
Description =

Error - 1/28/2011 3:40:49 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/28/2011 3:40:49 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 1/28/2011 3:47:14 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 1/28/2011 3:47:14 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 1/28/2011 4:52:13 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 1/28/2011 4:53:43 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 1/28/2011 5:08:43 PM | Computer Name = WilliamJ-PC | Source = Service Control Manager | ID = 7030
Description =


< End of report >

 

[Broni]

501.00 Mb Total Physical Memory

You have very, very little of RAM for running Vista.
Vista needs at least 2 GB of RAM to run well.

=======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  IE - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
  O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
  O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
  O15 - HKU\S-1-5-21-2891663152-3519609071-3247606995-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
  O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
  [2011/01/20 10:38:06 | 000,040,960 | -H-- | M] () -- C:\SZKGFS.dat
  [2009/10/26 08:38:13 | 000,000,120 | ---- | C] () -- C:\Users\William J\AppData\Local\Ejitet.dat
  @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:DFC5A2B2
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

==================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• IMPORTANT! UN-check Remove found threats
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[BillyNYC]

Duly noted about the RAM. I bought two 1GB sticks from newegg, and they should be here next week. Hopefully that'll work.

Here's the OTL log:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-2891663152-3519609071-3247606995-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http not found.
Registry value HKEY_USERS\S-1-5-21-2891663152-3519609071-3247606995-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\SZKGFS.dat moved successfully.
C:\Users\William J\AppData\Local\Ejitet.dat moved successfully.
ADS C:\ProgramData\TEMPFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: William J
->Temp folder emptied: 68337 bytes
->Temporary Internet Files folder emptied: 107928 bytes
->Java cache emptied: 1913 bytes
->FireFox cache emptied: 40320012 bytes
->Flash cache emptied: 560 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 106 bytes
RecycleBin emptied: 131984 bytes

Total Files Cleaned = 39.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: William J
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 01282011_172649

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


I'm getting ready to run the last scans now. The TFC is the same program I used in the initial "8 step process," correct?

 

[BillyNYC]

here is the security check log:

Results of screen317's Security Check version 0.99.7
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 23
Java(TM) SE Runtime Environment 6
Out of date Java installed!
Adobe Flash Player 10.0.32.18
Adobe Reader 8
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````



Avira updated while I was doing this scan - is that ok?

I'm working on the last two steps now.

 

[Broni]

Avira updated while I was doing this scan - is that ok?

Yes.

Uninstall Java(TM) SE Runtime Environment 6 .

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

=====================================================================

Any particular reason, why there is no single service pack installed?

 

[BillyNYC]

I'm replying from my other computer while the eset scan is completing on the HP.

I'll post the log, uninstall Java and update Adobe Reader once the scan completes.

Sorry, I'm a complete luddite and I don't know what a service pack is. Is there a pertinent step you could recommend for when this is all done?

 

[Broni]

I'll let you know after you post Eset log.

 

[BillyNYC]

OK -

ESET finished scanning and found no threats.

I uninstalled Java SE Runtime Environment 6

I uninstalled Adobe Reader and installed Foxit.

 

[Broni]

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how your computer is doing.

 

[BillyNYC]

Here is the OTL log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: William J
->Temp folder emptied: 586407 bytes
->Temporary Internet Files folder emptied: 5914445 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 46700884 bytes
->Flash cache emptied: 434 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1054764 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 52.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: William J
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.20.6 log created on 01282011_201503

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP00000035BE6AEC2E45821B7C not found!
File\Folder C:\Windows\temp\TMP00000036902F6CAFB588F116 not found!

Registry entries deleted on Reboot...



I'm now using OTL to clean up the tools that we used today. I'll also check out WoT, and run MalwareBytes and TFC this week. I'll let you know how things are going...

Can you let me know about the service pack? What is it? Also, where can i download windows updates from?