Inactive Malware trouble, only Firefox will connect, constant pop-ups


Boogie Daddie

A month or so ago I got infected with some sort of malware that caused constant pop-ups of "Your computer is infected, click here to fix it". Most of these pop-ups seemed to mimic the built-in Windows Internet Security, but clicking on them would take you to a site to purchase some program. I also get a pop-up at start-up every time that says Microsoft Windows Malicious Software Removal Tool needs my permission to continue.

At the same time most of my internet-based programs stopped working. IE wouldn't connect at all, Windows Mail would download my mail but wouldn't get any of the pictures embedded in the messages. When ripping CDs, Media Player couldn't connect to get album information. Firefox worked, but only after clicking "Run as administrator". A few weeks ago the pop-ups stopped without my having done anything to affect them.

I came across your site and downloaded all of the programs listed; the logs will follow. The programs found several things, and after running them my IE and mail appear to be working and Media Player is gathering album information again. I am concerned, however, that something is still lurking in my computer. Any help is much appreciated,

Boogie Daddie

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6304

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

4/7/2011 6:51:44 PM
mbam-log-2011-04-07 (18-51-44).txt

Scan type: Quick scan
Objects scanned: 162162
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\mdnkso81qq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\drivers\orpokalx.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\Lilheath\local settings\application data\evf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-04-07 19:29:31
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Lilheath\AppData\Local\Temp\uwlcrkow.sys


---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] orpokalx <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/6/2007 9:00:29 AM
System Uptime: 4/7/2011 6:53:06 PM (1 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Acacia
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 364 GiB total, 233.037 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.196 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
3ivx D4 4.5.1 Decoder (remove only)
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Ask Toolbar
AVS DVDMenu Editor 1.2.1.19
AVS Video Tools 5.6
CyberLink PowerDirector
Digital Photo Navigator 1.5
EA Download Manager
EA Download Manager UI
eMusic Download Manager 4.1.4
Enhanced Multimedia Keyboard Solution
Everio MediaBrowser
Facebook Plug-In
Final Media Player 2010
GameTap
Greeting Card Factory Deluxe 7.0
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Advisor
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Picasso Media Center Add-In
HP Update
Java(TM) SE Runtime Environment 6 Update 1
Lexmark 2300 Series
Lexmark Z700-P700 Series
LG USB Modem driver
LightScribe 1.6.45.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft FrontPage 2000
Microsoft Office 2000 Professional
Microsoft Office Home and Student 60 day trial
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.5.17)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
Napster Download Manager
NVIDIA Drivers
Opera 10.61
Oracle JInitiator 1.3.1.28
PSSWCORE
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Encoder (KB954156)
SimCity™ Societies
SmartSound Quicktracks Plugin
Snapfish Picture Mover
Spelling Dictionaries Support For Adobe Reader 9
SPORE™
System Requirements Lab
Ulead GIF Animator 5 TBYB
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VideoToolkit01
WeatherBug Gadget
Windows Media Encoder 9 Series
World of Warcraft
Yahoo! Search Protection
Yahoo! Toolbar
.
==== End Of File ===========================

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Lilheath at 19:30:11.60 on Thu 04/07/2011
Internet Explorer: 7.0.6000.17037
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1096 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxblcoms.exe
C:\Windows\system32\lxcgcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lilheath\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [mwptuym] rundll32.exe "c:\users\lilheath\appdata\roaming\chuygia.dll",pmcfiz
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mbcame~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
Trusted Zone: mercerhrs.com\ibenefitcenter
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lilheath\appdata\roaming\mozilla\firefox\profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\lilheath\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe -service --> c:\windows\system32\lxblcoms.exe -service [?]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]
R3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-4-7 94848]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
.
=============== Created Last 30 ================
.
2011-04-07 22:56:57 94848 ----a-w- C:\uwlcrkow.sys
2011-04-07 22:44:33 -------- d-----w- c:\users\lilheath\appdata\roaming\Malwarebytes
2011-04-07 22:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 22:44:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 02:26:33 -------- d-----w- c:\program files\AVAST Software
2011-04-07 02:26:33 -------- d-----w- c:\progra~2\AVAST Software
2011-04-06 17:09:01 -------- d-----w- c:\users\lilheath\appdata\roaming\Unity
2011-03-29 20:45:17 -------- d-----w- c:\users\lilheath\appdata\roaming\Inspiration Software
2011-03-29 20:44:43 -------- d-----w- c:\program files\Inspiration 9
2011-03-29 20:40:40 -------- d-----w- c:\users\lilheath\appdata\roaming\Softland
2011-03-29 20:40:31 -------- d-----w- c:\program files\Softland
2011-03-29 20:40:13 -------- d-----w- c:\progra~2\Inspiration 9
.
==================== Find3M ====================
.
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 19:30:28.08 ===============
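The logs above carry the indicators a responder would want to pull out and keep: the launcher evf.exe wired in front of both Firefox and IE through the StartMenuInternet open commands, the Explorer file-association lookup redirected from shell.windows.com to helpmeopen.com, the per-user ProxyServer value that WinINet-based programs such as IE and Windows Mail honour, and the hidden boot-start kernel driver orpokalx, whose service keys GMER still found in every control set after Malwarebytes had quarantined the .sys file. The Python below is an added example written for this page, not code from Malwarebytes, GMER or the thread's participants; its regexes are built against the log layouts shown above, and the sample text inside it is constructed from those logs (the two netr73 lines are a benign contrast taken from the DDS services list).

```python
"""Pull persistence indicators out of Malwarebytes and GMER log text.
Added example for this thread, not code from Malwarebytes, GMER or the thread's participants;
the regexes follow the two logs posted above and the sample text is constructed from them."""
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlparse

MBAM_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
c:\windows\system32\drivers\orpokalx.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
GMER_SAMPLE = r"""
Service (*** hidden *** ) [BOOT] orpokalx <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\netr73@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\netr73@Start 3
"""

# Malwarebytes: one finding per line, "<key or path> (<Detection>) -> <details> -> <action>"
MBAM_DATA_RE = re.compile(r'^(?P<key>HKEY_\S.*?) \((?P<det>[\w.]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$')
MBAM_VALUE_RE = re.compile(r'^(?P<key>HKEY_\S.*?) \((?P<det>[\w.]+)\) -> Value: (?P<value>\S+) -> (?P<action>.*)$')
MBAM_FILE_RE = re.compile(r'^(?P<path>[A-Za-z]:\\\S.*?) \((?P<det>[\w.]+)\) -> (?P<action>.*)$')
# GMER: a hidden-service banner, then one "Reg <key>@<value name> <data>" line per registry value
GMER_HIDDEN_RE = re.compile(r'^Service \(\*\*\* hidden \*\*\* \) \[(?P<mode>\w+)\] (?P<svc>\S+)')
GMER_REG_RE = re.compile(r'^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^@]+)@(?P<name>\w+) ?(?P<val>.*)$')
QUOTED_PATH_RE = re.compile(r'"([^"]+)"')

def parse_mbam(text):
    """Group Malwarebytes findings into data items, values and files; section headers are skipped."""
    out = {'data': [], 'values': [], 'files': []}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.endswith(':'):
            continue
        for kind, rx in (('data', MBAM_DATA_RE), ('values', MBAM_VALUE_RE), ('files', MBAM_FILE_RE)):
            m = rx.match(line)
            if m:
                out[kind].append(m.groupdict())
                break
    return out

def parse_gmer(text):
    """Return hidden service names plus registry values per (control set, service)."""
    hidden, services = set(), defaultdict(dict)
    for line in text.splitlines():
        m = GMER_HIDDEN_RE.match(line)
        if m:
            hidden.add(m.group('svc'))
            continue
        m = GMER_REG_RE.match(line)
        if m:
            services[(m.group('cs'), m.group('svc'))][m.group('name')] = m.group('val').strip()
    return {'hidden': hidden, 'services': dict(services)}

def hijacked_launchers(mbam):
    """Binaries wired in front of the browsers' StartMenuInternet open commands:
    the first quoted path in Bad: is what runs, the real browser is only its argument."""
    return sorted({QUOTED_PATH_RE.search(i['bad']).group(1) for i in mbam['data']
                   if '\\StartMenuInternet\\' in i['key'] and QUOTED_PATH_RE.search(i['bad'])})

def redirected_associations(mbam):
    """Hosts Explorer's unknown-file-type lookup was pointed at instead of Microsoft's."""
    return sorted({urlparse(i['bad']).netloc for i in mbam['data']
                   if i['key'].endswith('\\Explorer\\Associations\\Application')
                   and urlparse(i['bad']).netloc != urlparse(i['good']).netloc})

def boot_start_kernel_drivers(gmer):
    """Services with Type 1 (SERVICE_KERNEL_DRIVER) and Start 0 (SERVICE_BOOT_START): loaded by
    the OS loader with the kernel, before any user-mode scanner. Returns (svc, cs, group, hidden)."""
    return sorted((svc, cs, vals.get('Group', ''), svc in gmer['hidden'])
                  for (cs, svc), vals in gmer['services'].items()
                  if vals.get('Type') == '1' and vals.get('Start') == '0')

def triage(mbam_text, gmer_text):
    mbam, gmer = parse_mbam(mbam_text), parse_gmer(gmer_text)
    drivers = boot_start_kernel_drivers(gmer)
    quarantined = {ntpath.basename(f['path']).lower() for f in mbam['files']}  # deleted .sys basenames
    return {
        'launchers': hijacked_launchers(mbam),
        'association_hosts': redirected_associations(mbam),
        'proxy_reset': any(v['value'] == 'ProxyServer' for v in mbam['values']),
        'boot_drivers': drivers,
        # service still registered in some control set although its driver file was quarantined
        'registered_after_quarantine': sorted({d[0] for d in drivers if d[0].lower() + '.sys' in quarantined}),
    }

if __name__ == '__main__':
    print(triage(MBAM_SAMPLE, GMER_SAMPLE))
```

Run over the full logs, `boot_drivers` is the entry to act on: GMER listed orpokalx in every control set from CurrentControlSet to ControlSet015, so quarantining the driver file alone left the boot-start registration in place, and the MBRCheck driver list posted further down still shows \SystemRoot\System32\Drivers\orpokalx.sys loaded in the kernel.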
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Broni,

Thanks for such a quick response, here are the additional logs you requested:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: ASUSTek Computer INC.
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: HP-Pavilion
System Product Name: GN567AA-ABA s3220n
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 149):
0x82400000 \SystemRoot\system32\ntkrnlpa.exe
0x827A2000 \SystemRoot\system32\hal.dll
0x802C6000 \SystemRoot\system32\kdcom.dll
0x802BD000 \SystemRoot\system32\PSHED.dll
0x802B5000 \SystemRoot\system32\BOOTVID.dll
0x8027A000 \SystemRoot\system32\CLFS.SYS
0x8051F000 \SystemRoot\system32\CI.dll
0x8026C000 \SystemRoot\System32\drivers\qeyr.sys
0x804A4000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8025F000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8021C000 \SystemRoot\system32\drivers\acpi.sys
0x80213000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8020B000 \SystemRoot\system32\drivers\msisadrv.sys
0x8047F000 \SystemRoot\system32\drivers\pci.sys
0x80470000 \SystemRoot\system32\drivers\volmgr.sys
0x80746000 \SystemRoot\System32\Drivers\orpokalx.sys
0x80460000 \SystemRoot\System32\drivers\mountmgr.sys
0x80204000 \SystemRoot\system32\drivers\pciide.sys
0x80452000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80408000 \SystemRoot\System32\drivers\volmgrx.sys
0x80400000 \SystemRoot\system32\drivers\atapi.sys
0x80728000 \SystemRoot\system32\drivers\ataport.SYS
0x8070B000 \SystemRoot\system32\drivers\nvstor32.sys
0x806CB000 \SystemRoot\system32\drivers\storport.sys
0x8069A000 \SystemRoot\system32\drivers\fltmgr.sys
0x8068A000 \SystemRoot\system32\drivers\fileinfo.sys
0x80681000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x87AFC000 \SystemRoot\system32\drivers\ndis.sys
0x80656000 \SystemRoot\system32\drivers\msrpc.sys
0x8061D000 \SystemRoot\system32\drivers\NETIO.SYS
0x87CF8000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87A92000 \SystemRoot\System32\Drivers\ksecdd.sys
0x87A5C000 \SystemRoot\system32\drivers\volsnap.sys
0x80615000 \SystemRoot\System32\Drivers\spldr.sys
0x80606000 \SystemRoot\System32\drivers\partmgr.sys
0x87A4D000 \SystemRoot\System32\Drivers\mup.sys
0x87A28000 \SystemRoot\System32\drivers\ecache.sys
0x87A17000 \SystemRoot\system32\drivers\disk.sys
0x87CD7000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87A0E000 \SystemRoot\system32\drivers\crcdisk.sys
0x88A03000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8B094000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x87C37000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8B05D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8B8A5000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x88A62000 \SystemRoot\system32\DRIVERS\PS2.sys
0x8B89A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x88A0E000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8B85D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8B84F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8B150000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8B841000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8B81A000 \SystemRoot\system32\DRIVERS\xcbda.sys
0x8BF36000 \SystemRoot\system32\DRIVERS\ks.sys
0x88B34000 \SystemRoot\system32\DRIVERS\BdaSup.SYS
0x8C092000 \SystemRoot\system32\DRIVERS\xchal.sys
0x8BEDE000 \SystemRoot\system32\DRIVERS\xcmem.sys
0x8BE6B000 \SystemRoot\system32\DRIVERS\xcfe.sys
0x8B808000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8C6FD000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8BE53000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C8E1000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8C65E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8BE46000 \SystemRoot\System32\drivers\watchdog.sys
0x8BE1B000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8BE10000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8C07B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8BE05000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8C058000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8B8B0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8C045000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8B8BF000 \SystemRoot\system32\DRIVERS\termdd.sys
0x88B0B000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C62E000 \SystemRoot\system32\drivers\windrvr6.sys
0x88B15000 \SystemRoot\system32\drivers\USBD.SYS
0x8BF60000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C02D000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C8AD000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8B1B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D20D000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8C601000 \SystemRoot\system32\drivers\portcls.sys
0x8C888000 \SystemRoot\system32\drivers\drmk.sys
0x8B0AF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8B000000 \SystemRoot\System32\Drivers\Null.SYS
0x8B007000 \SystemRoot\System32\Drivers\Beep.SYS
0x88AE3000 \SystemRoot\System32\drivers\vga.sys
0x8C827000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x886B8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x88650000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8C03A000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8C00F000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B0B8000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8D47B000 \SystemRoot\System32\drivers\tcpip.sys
0x8D027000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8D012000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D467000 \SystemRoot\system32\DRIVERS\smb.sys
0x8D420000 \SystemRoot\system32\drivers\afd.sys
0x8D7CE000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D40A000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8C001000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8D7BB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D780000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8BF6A000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D729000 \SystemRoot\System32\Drivers\dfsc.sys
0x88A3F000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8BF74000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x88A18000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x911CB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8D649000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x8BF7E000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x8B0A6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8B140000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8B038000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x911B9000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x95000000 \SystemRoot\System32\win32k.sys
0x8BF88000 \SystemRoot\System32\drivers\Dxapi.sys
0x91141000 \SystemRoot\system32\DRIVERS\netr73.sys
0x8B8CE000 \SystemRoot\system32\DRIVERS\monitor.sys
0x80C00000 \SystemRoot\System32\TSDDD.dll
0x80C10000 \SystemRoot\System32\cdd.dll
0x818A5000 \SystemRoot\system32\drivers\luafv.sys
0x99B72000 \SystemRoot\system32\drivers\spsys.sys
0x8B110000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x99B07000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8BFA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x99AF4000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9A597000 \SystemRoot\system32\drivers\HTTP.sys
0x99A19000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x99A00000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9A543000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9A523000 \SystemRoot\system32\drivers\mrxdav.sys
0x9A505000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9A4CC000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9A4BA000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9A496000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9ABAF000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B122000 \SystemRoot\system32\drivers\peauth.sys
0x8BFC4000 \SystemRoot\System32\Drivers\secdrv.SYS
0x8D566000 \SystemRoot\System32\drivers\tcpipreg.sys
0x8B9B2000 \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
0x9A481000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x9AA1D000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x8D571000 \SystemRoot\system32\drivers\tdtcp.sys
0x8D058000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
0x9BC9E000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x81913000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x9AA05000 \??\C:\Users\Lilheath\AppData\Local\Temp\uwlcrkow.sys
0x81117000 \??\C:\Users\Lilheath\AppData\Local\Temp\mbr.sys
0x771F0000 \Windows\System32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
480 C:\Windows\System32\smss.exe
544 csrss.exe
600 C:\Windows\System32\wininit.exe
612 csrss.exe
644 C:\Windows\System32\services.exe
660 C:\Windows\System32\lsass.exe
672 C:\Windows\System32\lsm.exe
768 C:\Windows\System32\winlogon.exe
856 C:\Windows\System32\svchost.exe
896 C:\Windows\System32\nvvsvc.exe
924 C:\Windows\System32\svchost.exe
1016 C:\Windows\System32\svchost.exe
1080 C:\Windows\System32\svchost.exe
1096 C:\Windows\System32\svchost.exe
1204 C:\Windows\System32\audiodg.exe
1244 C:\Windows\System32\SLsvc.exe
1284 C:\Windows\System32\svchost.exe
1384 C:\Windows\System32\rundll32.exe
1460 C:\Windows\System32\svchost.exe
1668 C:\Windows\System32\spoolsv.exe
1704 C:\Windows\System32\svchost.exe
1928 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2000 C:\Windows\System32\lxblcoms.exe
316 C:\Windows\System32\lxcgcoms.exe
488 C:\Windows\System32\svchost.exe
512 C:\Program Files\CyberLink\Shared files\RichVideo.exe
844 C:\Windows\System32\svchost.exe
1120 C:\Windows\System32\svchost.exe
1416 C:\Windows\System32\SearchIndexer.exe
2260 WUDFHost.exe
2528 C:\Windows\System32\taskeng.exe
2752 C:\Windows\System32\dwm.exe
2808 C:\Windows\explorer.exe
2844 C:\Windows\System32\taskeng.exe
3120 C:\hp\support\hpsysdrv.exe
3204 C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
3244 C:\Windows\RtHDVCpl.exe
3300 C:\Windows\System32\schtasks.exe
3320 C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
3328 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3344 C:\Windows\System32\rundll32.exe
3368 C:\Windows\System32\jusched.exe
3396 C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
3432 C:\Program Files\Lexmark 2300 Series\ezprint.exe
3496 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
3524 C:\Program Files\Windows Sidebar\sidebar.exe
3536 C:\Windows\ehome\ehtray.exe
3560 C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
3568 C:\Program Files\Windows Media Player\wmpnscfg.exe
3592 C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
3660 C:\Windows\ehome\ehmsas.exe
3704 C:\Program Files\Windows Media Player\wmpnetwk.exe
2976 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
3256 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
2488 C:\hp\KBD\kbd.exe
3728 C:\Windows\System32\wuauclt.exe
260 C:\Program Files\Internet Explorer\ieuser.exe
1904 C:\Windows\System32\SearchProtocolHost.exe
3772 C:\Windows\System32\SearchFilterHost.exe
2988 dllhost.exe
944 dllhost.exe
328 C:\Users\Lilheath\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000005a`efda8000 (NTFS)

PhysicalDrive0 Model Number: HitachiHDT725040VLA, Rev: V5CO

Size Device Name MBR Status
--------------------------------------------
372 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
SHA1: 161E5DF10EB9B6EAC4AA8DF99305EF77B11BEBD8


Done!

ComboFix 11-04-07.08 - Lilheath 04/08/2011 12:18:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1026 [GMT -4:00]
Running from: c:\users\Lilheath\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\arp.exe
c:\windows\system32\jusched.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-08 16:16 . 2011-04-08 16:17 -------- d-----w- C:\32788R22FWJFW
2011-04-07 22:56 . 2011-04-07 22:56 94848 ----a-w- C:\uwlcrkow.sys
2011-04-07 22:44 . 2011-04-07 22:44 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Malwarebytes
2011-04-07 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\programdata\AVAST Software
2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\program files\AVAST Software
2011-04-06 17:09 . 2011-04-06 17:09 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Unity
2011-03-29 20:45 . 2011-03-29 20:45 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Inspiration Software
2011-03-29 20:44 . 2011-03-29 20:45 -------- d-----w- c:\program files\Inspiration 9
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Softland
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\program files\Softland
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\programdata\Inspiration 9
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
2011-02-02 22:11 . 2009-10-03 14:46 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MRT"="c:\windows\system32\MRT.exe" [2011-03-09 37943240]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 xaegahln;xaegahln;c:\windows\system32\drivers\xaegahln.sys [x]
S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
S3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-04-07 94848]
S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - orpokalx
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
.
2011-04-07 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
Trusted Zone: mercerhrs.com\ibenefitcenter
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
HKCU-Run-mwptuym - c:\users\Lilheath\AppData\Roaming\chuygia.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-08 12:27
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
"rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-08 12:30:14
ComboFix-quarantined-files.txt 2011-04-08 16:29
.
Pre-Run: 249,753,829,376 bytes free
Post-Run: 249,678,835,712 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- - End Of File - - 5A111E8297FDFD8223836A6A77EE1F2F
 
Uninstall Ask Toolbar, known foistware.

I don't see any AV program running. I can see some Avast leftovers though.
What's the story there?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\uwlcrkow.sys
c:\windows\system32\drivers\xaegahln.sys


DDS::
uInternet Settings,ProxyOverride = <local>
Trusted Zone: mercerhrs.com\ibenefitcenter

Driver::
xaegahln
uwlcrkow

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]


3. Save the above as CFScript.txt

4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
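
The items the script above targets were not picked at random: uwlcrkow.sys is a kernel driver loaded from the user's Temp folder and later sitting in the root of C:, xaegahln is a service whose binary ComboFix marks as missing ([x]), orpokalx shows up as *Deregistered* under "Other Services/Drivers In Memory", chuygia.dll was an HKCU Run value in AppData\Roaming, and DisableMonitoring=1 under Security Center\Monitoring is why the user got no "no antivirus" warning. The Python below is an added example, not part of this thread and not code from ComboFix, MBRCheck or Malwarebytes: it runs those same rules over lines copied from the posted logs (plus two benign lines as controls) and ranks what it finds. Assumptions: the "known tool driver" list, in particular treating mbr.sys as MBRCheck's own driver, and the "7-8 lowercase letters looks machine-generated" rule, which is a weak signal on its own. One caveat worth keeping in mind: a randomly named driver in Temp is also how several anti-rootkit scanners load their own driver, so a hit here means "check the file's signature and timestamps", not "delete".

```python
"""Triage rules over ComboFix / MBRCheck log lines (added example, not from
the thread or the tools). Every hit is a candidate for review, not a delete."""
import re
from dataclasses import dataclass, field

# Drivers the helper tools drop themselves. mbam*.sys are Malwarebytes';
# mbr.sys is ASSUMED to be MBRCheck's (loaded from Temp while MBRCheck.exe
# runs). Check the file's signature rather than trust this list.
KNOWN_TOOL_DRIVERS = {"mbam.sys", "mbamswissarmy.sys", "mbr.sys"}

# Line shapes copied from the logs above.
DRIVER_LINE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(?P<path>\S.*)$")   # MBRCheck driver list
SERVICE_LINE = re.compile(                                          # ComboFix R*/S* entries
    r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
DEREG_LINE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)")
ORPHAN_RUN = re.compile(r"^HKCU-Run-(?P<value>\S+)\s+-\s+(?P<path>.+)$")
SC_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring.*\]$", re.I)
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
# 7-8 lowercase letters (uwlcrkow, xaegahln, orpokalx). Weak alone (lxcgcoms
# is Lexmark's); it only adds weight to another signal.
RANDOM_NAME = re.compile(r"^[a-z]{7,8}$")

# Constructed sample: lines lifted from the posted logs plus benign controls.
SAMPLE_LOG = r"""
0x8069A000 \SystemRoot\system32\drivers\fltmgr.sys
0x9AA05000 \??\C:\Users\Lilheath\AppData\Local\Temp\uwlcrkow.sys
0x81117000 \??\C:\Users\Lilheath\AppData\Local\Temp\mbr.sys
R1 xaegahln;xaegahln;c:\windows\system32\drivers\xaegahln.sys [x]
S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
S3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-04-07 94848]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
*Deregistered* - orpokalx
HKCU-Run-mwptuym - c:\users\Lilheath\AppData\Roaming\chuygia.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

@dataclass
class Finding:
    item: str
    reasons: list = field(default_factory=list)

def normalize(path: str) -> str:
    """Lower-case a Windows path and drop the NT '\\??\\' prefix."""
    p = path.strip().strip('"')
    return (p[4:] if p.startswith("\\??\\") else p).lower()

def user_writable(path: str) -> bool:
    """Writable by the interactive user without elevation: under AppData or a
    Temp directory, or a file directly in the drive root (C:\\foo.sys)."""
    parts = normalize(path).split("\\")
    if "appdata" in parts or "temp" in parts:
        return True
    return len(parts) == 2 and parts[0].endswith(":")

def stem(path_or_name: str) -> str:
    # 'c:\x\chuygia.dll' -> 'chuygia', so driver, service and file entries merge
    name = normalize(path_or_name).rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]

def triage(log_text: str) -> list:
    findings = {}

    def add(item, reason):
        f = findings.setdefault(item, Finding(item))
        if reason not in f.reasons:
            f.reasons.append(reason)

    def name_check(item):
        if RANDOM_NAME.match(item):
            add(item, "name looks machine-generated")

    last_key = ""
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        if m := DRIVER_LINE.match(line):
            path = normalize(m["path"])
            if path.rsplit("\\", 1)[-1] in KNOWN_TOOL_DRIVERS:
                continue
            if user_writable(path):
                add(stem(path), f"kernel driver loaded from user-writable path {path}")
            name_check(stem(path))
        elif m := SERVICE_LINE.match(line):
            item, path = m["name"].strip().lower(), normalize(m["path"])
            if m["meta"].strip() == "x":            # ComboFix: binary missing on disk
                add(item, f"service registered but binary missing ([x]): {path}")
            if user_writable(path):
                add(item, f"service binary in user-writable path {path}")
            name_check(item)
        elif m := DEREG_LINE.match(line):
            add(m["name"].lower(), "*Deregistered* under 'Other Services/Drivers In Memory'")
            name_check(m["name"].lower())
        elif m := ORPHAN_RUN.match(line):
            path = normalize(m["path"])
            if user_writable(path):
                add(stem(path), f"Run value {m['value']} pointed at user-writable path {path}")
            name_check(stem(path))
        elif SC_KEY.match(line):
            last_key = line.strip("[]").lower()     # remember the key for the value line
            continue
        elif DISABLE_MON.match(line) and last_key:
            add(last_key, "DisableMonitoring=1: Security Center will not warn about AV/firewall state")
        last_key = ""
    # most corroborated items first
    return sorted(findings.values(), key=lambda f: (-len(f.reasons), f.item))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.item}: {'; '.join(f.reasons)}")
```

Run as-is it prints uwlcrkow at the top with three independent reasons, the three other random-named items with two each, and the Security Center key last; fltmgr, netr73 and lxbl_device never appear. Feeding it a full ComboFix.txt works the same way, since the regexes only fire on the line shapes shown above.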
 
I d/led Avast after my computer started going nutty at first, but it wouldn't complete setup since it couldn't connect to the internet. Thanks again for the help, will get these other steps completed asap and let ya know.
 
I uninstalled the Ask toolbar, copied and pasted the script and dragged it into ComboFix. ComboFix ran like it did before. I left the computer, came back and was at a "Windows shut down unexpectedly" screen asking if I wanted to start normal, safe mode etc. When I went back into the computer I didn't see any ComboFix logs anywhere. Should I try that part again?
 
When I ran ComboFix the most recent time, it gave a prompt that there was a newer version available and asked if I wanted to d/l it. Should I grab the new version, or stick with the one I have?
 
Reran ComboFix by dragging the script file into it, rebooted and got the log which follows. Now none of my programs will open. I get an error saying they have been marked for deletion.

ComboFix 11-04-12.01 - Lilheath 04/12/2011 17:12:09.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1301 [GMT -4:00]
Running from: c:\users\Lilheath\Desktop\ComboFix.exe
Command switches used :: c:\users\Lilheath\Desktop\CFScript.txt
.
FILE ::
"C:\uwlcrkow.sys"
"c:\windows\system32\drivers\xaegahln.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_UWLCRKOW
-------\Service_xaegahln
.
.
((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))
.
.
2011-04-12 21:20 . 2011-04-12 21:20 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-04-12 21:20 . 2011-04-12 21:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-12 21:09 . 2011-04-12 21:10 -------- d-----w- C:\32788R22FWJFW
2011-04-07 22:44 . 2011-04-07 22:44 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Malwarebytes
2011-04-07 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\programdata\AVAST Software
2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\program files\AVAST Software
2011-04-06 17:09 . 2011-04-06 17:09 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Unity
2011-03-29 20:45 . 2011-03-29 20:45 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Inspiration Software
2011-03-29 20:44 . 2011-03-29 20:45 -------- d-----w- c:\program files\Inspiration 9
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Softland
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\program files\Softland
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\programdata\Inspiration 9
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
2011-02-02 22:11 . 2009-10-03 14:46 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MRT"="c:\windows\system32\MRT.exe" [2011-03-09 37943240]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - orpokalx
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-12 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
.
2011-04-12 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-12 18:11
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
"rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxcgcoms.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\schtasks.exe
c:\windows\ehome\ehmsas.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2011-04-12 18:16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-12 22:16
ComboFix2.txt 2011-04-08 16:30
.
Pre-Run: 249,770,536,960 bytes free
Post-Run: 249,582,768,128 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- - End Of File - - 72593E030E5684FD4F91A9D15E5E6510
 
I get an error saying they have been marked for deletion.
Simply restart computer to fix the issue.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]


3. Save the above as CFScript.txt

4. Close/disable all antivirus and antimalware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Thanks again, here's the latest log:

ComboFix 11-04-13.04 - Lilheath 04/14/2011 9:36.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1066 [GMT -4:00]
Running from: c:\users\Lilheath\Desktop\ComboFix.exe
Command switches used :: c:\users\Lilheath\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-03-14 to 2011-04-14 )))))))))))))))))))))))))))))))
.
.
2011-04-14 13:44 . 2011-04-14 13:44 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-04-14 13:44 . 2011-04-14 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-07 22:44 . 2011-04-07 22:44 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Malwarebytes
2011-04-07 22:44 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 22:44 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\programdata\AVAST Software
2011-04-07 02:26 . 2011-04-07 02:26 -------- d-----w- c:\program files\AVAST Software
2011-04-06 17:09 . 2011-04-06 17:09 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Unity
2011-03-29 20:45 . 2011-03-29 20:45 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Inspiration Software
2011-03-29 20:44 . 2011-03-29 20:45 -------- d-----w- c:\program files\Inspiration 9
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\users\Lilheath\AppData\Roaming\Softland
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\program files\Softland
2011-03-29 20:40 . 2011-03-29 20:40 -------- d-----w- c:\programdata\Inspiration 9
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-11 06:54 . 2011-03-04 07:19 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E626E5BF-FAF5-4DEE-92E3-58CA924D6384}\mpengine.dll
2011-02-02 22:11 . 2009-10-03 14:46 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe" [2007-08-25 185664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2007-02-22 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2007-04-30 205744]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2007-04-30 103344]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"MRT"="c:\windows\system32\MRT.exe" [2011-03-09 37943240]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-8-7 541976]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe [2007-04-20 537520]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-08-31 464384]
S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\DRIVERS\xcbda.sys [2007-09-07 156928]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - orpokalx
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2010-08-07 02:22]
.
2011-04-14 c:\windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
FF - ProfilePath - c:\users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 09:44
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,95,15,66,a1,fb,51,b0,44,3e,00,ef,6f,d2,55,71,ac,fc,63,ce,01,
60,54,eb,8e,f4,d3,7a,46,ff,bd,72,e9,e5,b5,87,6c,3c,40,9e,c3,7b,cf,c6,bf,99,\
"rkeysecu"=hex:eb,0f,06,a9,1b,df,b5,82,23,57,e4,6f,2d,03,c1,76
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-14 09:46:45
ComboFix-quarantined-files.txt 2011-04-14 13:46
ComboFix2.txt 2011-04-12 22:16
ComboFix3.txt 2011-04-08 16:30
.
Pre-Run: 248,693,051,392 bytes free
Post-Run: 248,655,663,104 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- - End Of File - - 81ADEE9D5A82FB03ACCA94731D5D680C
 
Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Here are the OTL logs;

OTL logfile created on: 4/14/2011 2:28:32 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lilheath\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.75 Gb Total Space | 232.12 Gb Free Space | 63.81% Space Free | Partition Type: NTFS
Drive D: | 8.86 Gb Total Space | 1.20 Gb Free Space | 13.50% Space Free | Partition Type: NTFS

Computer Name: LILHEATH-PC | User Name: Lilheath | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
PRC - [2008/10/29 02:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/03 15:04:22 | 000,541,976 | ---- | M] (PIXELA CORPORATION) -- C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
PRC - [2008/01/15 11:26:18 | 004,874,240 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/08/25 01:03:20 | 000,185,664 | ---- | M] () -- C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
PRC - [2007/04/29 23:57:42 | 000,103,344 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 2300 Series\ezprint.exe
PRC - [2007/04/29 23:55:32 | 000,205,744 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
PRC - [2007/04/29 23:54:44 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxcgcoms.exe
PRC - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxblcoms.exe
PRC - [2007/04/18 11:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
PRC - [2007/02/15 07:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
PRC - [2006/11/02 05:45:39 | 000,150,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe


========== Modules (SafeList) ==========

MOD - [2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
MOD - [2006/11/02 05:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2007/04/29 23:54:44 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxcgcoms.exe -- (lxcg_device)
SRV - [2007/04/20 13:24:20 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxblcoms.exe -- (lxbl_device)


========== Driver Services (SafeList) ==========

DRV - [2009/03/16 21:45:53 | 000,194,362 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2008/11/11 13:42:00 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2008/11/11 13:41:00 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2008/11/11 13:41:00 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2008/05/22 14:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/03/07 07:18:26 | 000,031,264 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap\bin\Release\X4HSX32.sys -- (X4HSX32)
DRV - [2007/10/26 11:51:22 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/09/07 07:36:08 | 000,156,928 | ---- | M] (ViXS Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\xcbda.sys -- (xcbdaNtsc) ViXS Tuner Card (NTSC)
DRV - [2007/08/31 14:54:04 | 000,464,384 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr73.sys -- (netr73)
DRV - [2007/05/03 14:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2005/12/12 13:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/04/23 12:09:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2010/07/16 12:24:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/13 15:24:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/13 15:24:59 | 000,000,000 | ---D | M]

[2008/12/04 14:47:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Extensions
[2011/04/13 15:35:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\extensions
[2010/05/01 14:21:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lilheath\AppData\Roaming\Mozilla\Firefox\Profiles\9q5nude7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/04 14:46:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Apple iTunes Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_ITUNES@EMUSIC.COM
[2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Nullsoft Winamp Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_WINAMP@EMUSIC.COM
[2010/04/23 12:09:03 | 000,000,000 | ---D | M] (eMusic - Microsoft Media Player Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\DLM_WMP@EMUSIC.COM
[2006/09/28 05:45:46 | 000,053,355 | ---- | M] (Oracle Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPJinit13128.dll

O1 HOSTS File: ([2011/04/12 18:10:50 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2300 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O4 - HKLM..\Run: [LXCGCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.DLL ()
O4 - HKLM..\Run: [lxcgmon.exe] C:\Program Files\Lexmark 2300 Series\lxcgmon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} http://www.worldwinner.com/games/v45/moneylist/moneylist.cab (MoneyList Control)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} http://www.worldwinner.com/games/v46/monopoly/monopoly.cab (Monopoly Control)
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} https://esis.ncwise.org/forms/jinitiator/jinit13128.exe (JInitiator 1.3.1.28)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Lilheath\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Lilheath\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/11 04:15:15 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2270473045-1982684083-2497196655-1000\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.ac3acm - C:\Windows\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\Windows\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\Windows\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.voxacm160 - C:\Windows\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.3IV2 - C:\Windows\System32\3ivxVfWCodec_dec.dll (3ivx.com)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.dvsd - C:\Windows\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.xvid - C:\Windows\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/04/14 14:13:43 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
[2011/04/14 09:46:47 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/04/14 09:46:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/04/12 17:10:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/04/12 17:10:17 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/04/12 17:10:17 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/04/12 17:10:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/04/08 12:52:07 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\Documents\JVC
[2011/04/08 12:47:29 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\Desktop\Malware Programs
[2011/04/08 12:17:40 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/04/08 12:17:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/07 18:44:33 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Malwarebytes
[2011/04/07 18:44:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/04/07 18:44:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/07 18:44:18 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/04/07 18:13:24 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe
[2011/04/06 22:26:33 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/04/06 22:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/04/06 13:09:01 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Unity
[2011/03/29 16:45:17 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Inspiration Software
[2011/03/29 16:44:43 | 000,000,000 | ---D | C] -- C:\Program Files\Inspiration 9
[2011/03/29 16:40:40 | 000,000,000 | ---D | C] -- C:\Users\Lilheath\AppData\Roaming\Softland
[2011/03/29 16:40:31 | 000,000,000 | ---D | C] -- C:\Program Files\Softland
[2011/03/29 16:40:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Inspiration 9
[2008/12/05 12:25:32 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxcginpa.dll
[2008/12/05 12:25:32 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\lxcghcp.dll
[2008/12/05 12:25:31 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxcgserv.dll
[2008/12/05 12:25:31 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxcgusb1.dll
[2008/12/05 12:25:31 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxcgiesc.dll
[2008/12/05 12:25:31 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxcgprox.dll
[2008/12/05 12:25:30 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxcgpmui.dll
[2008/12/05 12:25:30 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxcglmpm.dll
[2008/12/05 12:25:30 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxcgih.exe
[2008/12/05 12:25:30 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxcgpplc.dll
[2008/12/05 12:25:29 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxcghbn3.dll
[2008/12/05 12:25:29 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxcgcomc.dll
[2008/12/05 12:25:29 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxcgcoms.exe
[2008/12/05 12:25:29 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxcgcomm.dll
[2008/12/05 12:25:29 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxcgcfg.exe
[2007/11/29 06:15:20 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxblserv.dll
[2007/11/29 06:15:20 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxblusb1.dll
[2007/11/29 06:15:20 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxblinpa.dll
[2007/11/29 06:15:20 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbliesc.dll
[2007/11/29 06:15:20 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBLhcp.dll
[2007/11/29 06:15:19 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxblhbn3.dll
[2007/11/29 06:15:19 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxblpmui.dll
[2007/11/29 06:15:19 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbllmpm.dll
[2007/11/29 06:15:19 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxblih.exe
[2007/11/29 06:15:19 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxblprox.dll
[2007/11/29 06:15:19 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxblpplc.dll
[2007/11/29 06:15:18 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxblcomc.dll
[2007/11/29 06:15:18 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxblcoms.exe
[2007/11/29 06:15:18 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxblcomm.dll
[2007/11/29 06:15:18 | 000,381,872 | ---- | C] ( ) -- C:\Windows\System32\lxblcfg.exe
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/14 14:30:52 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\orpokalx.sys
[2011/04/14 14:18:02 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/14 14:18:02 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
[2011/04/14 12:31:33 | 000,618,410 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/14 12:31:33 | 000,103,818 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/14 12:18:13 | 000,000,392 | ---- | M] () -- C:\Windows\tasks\Final Media Player Update Checker.job
[2011/04/14 12:18:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/14 09:33:16 | 004,320,788 | R--- | M] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
[2011/04/14 00:01:10 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job
[2011/04/12 18:10:50 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/04/09 15:52:01 | 000,400,928 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/04/09 15:51:13 | 275,160,944 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/07 18:13:24 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/12 17:10:17 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/12 17:10:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/12 17:10:17 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/12 17:10:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/12 17:10:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/08 11:43:31 | 004,320,788 | R--- | C] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
[2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\Users\Lilheath\AppData\Local\1380560618
[2011/03/05 10:12:34 | 000,010,658 | -HS- | C] () -- C:\ProgramData\1380560618
[2010/08/23 11:38:08 | 000,000,628 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/01/03 17:54:41 | 000,741,376 | ---- | C] () -- C:\Windows\System32\drivers\orpokalx.sys
[2009/03/06 22:16:20 | 000,036,962 | ---- | C] () -- C:\Windows\System32\ActPanel.dll
[2008/12/05 12:25:32 | 000,274,432 | ---- | C] () -- C:\Windows\System32\lxcginst.dll
[2008/09/23 13:38:55 | 000,000,680 | ---- | C] () -- C:\Users\Lilheath\AppData\Local\d3d9caps.dat
[2008/09/06 14:52:35 | 000,524,288 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/09/06 14:52:35 | 000,139,264 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2007/11/29 06:15:20 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXBLinst.dll
[2007/11/09 11:52:40 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/11/02 01:06:29 | 000,002,640 | ---- | C] () -- C:\Users\Lilheath\AppData\Roaming\wklnhst.dat
[2007/11/02 01:04:42 | 000,051,712 | ---- | C] () -- C:\Users\Lilheath\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/11 04:03:27 | 000,107,026 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/08/11 03:47:01 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/08/11 03:38:25 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
[2007/08/11 03:38:25 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
[2007/05/14 08:28:10 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/02/22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxcgcoin.dll
[2007/02/22 19:32:00 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxblcoin.dll
[2006/12/14 02:01:36 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/12/14 02:01:36 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,400,928 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,618,410 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,103,818 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2005/09/07 14:44:34 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxblvs.dll
[2005/08/18 07:26:46 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxcgvs.dll
[2005/03/13 15:32:14 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxcgcnv4.dll
[2004/01/27 08:13:02 | 000,421,888 | ---- | C] () -- C:\Windows\System32\OpenQuicktimeLib_dec.dll
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/08/08 00:24:24 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\AVSMedia
[2009/08/17 20:56:27 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/23 12:09:04 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\eMusic
[2010/06/14 19:50:52 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Facebook
[2011/04/07 20:25:27 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\FinalMediaPlayer
[2010/08/31 19:32:57 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\GetRightToGo
[2011/03/29 16:45:17 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Inspiration Software
[2007/11/14 21:19:07 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\iWin
[2011/01/18 20:40:47 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\NCH Swift Sound
[2010/08/15 18:09:46 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Opera
[2007/10/27 22:54:26 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Snapfish
[2011/03/29 16:40:40 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Softland
[2008/09/07 16:23:09 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\SPORE
[2007/11/02 01:06:49 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Template
[2011/04/06 13:09:01 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Unity
[2009/02/04 20:02:00 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\Walgreens
[2007/10/27 23:57:19 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\WildTangent
[2007/11/05 19:57:15 | 000,000,000 | ---D | M] -- C:\Users\Lilheath\AppData\Roaming\WinBatch
[2011/04/14 12:18:13 | 000,000,392 | ---- | M] () -- C:\Windows\Tasks\Final Media Player Update Checker.job
[2011/04/14 12:16:53 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/04/14 00:01:10 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{4AA49B77-910B-4BDC-99FA-50B3303F99D2}.job

========== Purity Check ==========



========== Custom Scans ==========


< * >
[2007/08/11 04:15:15 | 000,000,074 | ---- | M] () -- \autoexec.bat
[2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- \bootmgr
[2007/08/11 04:24:04 | 000,008,192 | R-S- | M] () -- \BOOTSECT.BAK
[2009/02/04 18:02:15 | 000,001,921 | ---- | M] () -- \CDFE.log
[2011/04/14 09:46:46 | 000,008,997 | ---- | M] () -- \ComboFix.txt
[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- \config.sys
[2010/04/12 17:02:12 | 000,000,125 | ---- | M] () -- \FINIS_IT.TXT
[2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () --
[2008/12/05 12:21:11 | 000,000,178 | ---- | M] () -- \lxcg.log
[2007/11/02 01:35:25 | 000,000,000 | ---- | M] () -- \lxcgfire.000
[2008/12/02 19:44:07 | 000,000,000 | ---- | M] () -- \lxcgfire.001
[2008/12/05 12:07:09 | 000,000,000 | ---- | M] () -- \lxcgfire.002
[2008/12/05 12:09:45 | 000,000,000 | ---- | M] () -- \lxcgfire.003
[2008/12/05 12:10:51 | 000,000,000 | ---- | M] () -- \lxcgfire.004
[2009/02/04 17:52:18 | 000,000,000 | ---- | M] () -- \lxcgfire.005
[2009/02/04 18:02:14 | 000,000,000 | ---- | M] () -- \lxcgfire.csv
[2007/11/02 01:37:36 | 000,000,291 | ---- | M] () -- \LXCGINST.000
[2008/12/02 19:44:47 | 000,000,468 | ---- | M] () -- \LXCGINST.001
[2008/12/05 12:07:44 | 000,000,468 | ---- | M] () -- \LXCGINST.002
[2008/12/05 12:10:12 | 000,000,714 | ---- | M] () -- \LXCGINST.003
[2008/12/05 12:11:16 | 000,000,714 | ---- | M] () -- \LXCGINST.004
[2009/02/04 17:55:58 | 000,000,592 | ---- | M] () -- \LXCGINST.005
[2009/02/04 18:02:27 | 000,000,139 | ---- | M] () -- \LXCGINST.csv
[2008/12/05 12:21:19 | 000,299,717 | ---- | M] () -- \lxcgunst.csv
[2011/04/14 12:17:54 | 2325,676,032 | -HS- | M] () --
[2008/04/12 13:46:59 | 000,000,477 | ---- | M] () -- \RHDSetup.log
[2010/08/31 20:00:53 | 000,000,271 | ---- | M] () -- \rkill.log
[2011/02/04 15:08:07 | 000,010,799 | ---- | M] () -- \Setup Log.txt

< %SYSTEMDRIVE%\*.* >
[2007/08/11 04:15:15 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
[2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- C:\bootmgr
[2007/08/11 04:24:04 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/02/04 18:02:15 | 000,001,921 | ---- | M] () -- C:\CDFE.log
[2011/04/14 09:46:46 | 000,008,997 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/04/12 17:02:12 | 000,000,125 | ---- | M] () -- C:\FINIS_IT.TXT
[2011/04/14 12:17:55 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/05 12:21:11 | 000,000,178 | ---- | M] () -- C:\lxcg.log
[2007/11/02 01:35:25 | 000,000,000 | ---- | M] () -- C:\lxcgfire.000
[2008/12/02 19:44:07 | 000,000,000 | ---- | M] () -- C:\lxcgfire.001
[2008/12/05 12:07:09 | 000,000,000 | ---- | M] () -- C:\lxcgfire.002
[2008/12/05 12:09:45 | 000,000,000 | ---- | M] () -- C:\lxcgfire.003
[2008/12/05 12:10:51 | 000,000,000 | ---- | M] () -- C:\lxcgfire.004
[2009/02/04 17:52:18 | 000,000,000 | ---- | M] () -- C:\lxcgfire.005
[2009/02/04 18:02:14 | 000,000,000 | ---- | M] () -- C:\lxcgfire.csv
[2007/11/02 01:37:36 | 000,000,291 | ---- | M] () -- C:\LXCGINST.000
[2008/12/02 19:44:47 | 000,000,468 | ---- | M] () -- C:\LXCGINST.001
[2008/12/05 12:07:44 | 000,000,468 | ---- | M] () -- C:\LXCGINST.002
[2008/12/05 12:10:12 | 000,000,714 | ---- | M] () -- C:\LXCGINST.003
[2008/12/05 12:11:16 | 000,000,714 | ---- | M] () -- C:\LXCGINST.004
[2009/02/04 17:55:58 | 000,000,592 | ---- | M] () -- C:\LXCGINST.005
[2009/02/04 18:02:27 | 000,000,139 | ---- | M] () -- C:\LXCGINST.csv
[2008/12/05 12:21:19 | 000,299,717 | ---- | M] () -- C:\lxcgunst.csv
[2011/04/14 12:17:54 | 2325,676,032 | -HS- | M] () -- C:\pagefile.sys
[2008/04/12 13:46:59 | 000,000,477 | ---- | M] () -- C:\RHDSetup.log
[2010/08/31 20:00:53 | 000,000,271 | ---- | M] () -- C:\rkill.log
[2011/02/04 15:08:07 | 000,010,799 | ---- | M] () -- C:\Setup Log.txt

< %systemroot%\Fonts\*.com >
[2006/11/02 08:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 08:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 08:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 08:37:12 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 17:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2007/03/23 03:10:00 | 000,117,760 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\lxblpp5c.dll
[2007/01/30 07:32:46 | 000,118,272 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\prtprocs\w32x86\lxcgpp5c.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/12/13 09:53:28 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/04/01 08:06:48 | 000,000,286 | -HS- | M] () -- C:\Users\Lilheath\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/04/14 09:33:16 | 004,320,788 | R--- | M] () -- C:\Users\Lilheath\Desktop\ComboFix.exe
[2011/04/14 14:13:49 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\OTL.exe
[2011/04/07 18:13:24 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Lilheath\Desktop\TFC.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2007/09/06 09:00:55 | 000,008,192 | ---- | M] () -- C:\Windows\security\database\edb.chk
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edb.log
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00001.jrs
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbres00002.jrs
[2007/09/06 09:00:25 | 001,048,576 | ---- | M] () -- C:\Windows\security\database\edbtmp.log
[2007/09/06 09:00:25 | 001,056,768 | ---- | M] () -- C:\Windows\security\database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/10/28 16:16:08 | 000,000,402 | -HS- | M] () -- C:\Users\Lilheath\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/03/11 10:57:32 | 000,010,658 | -HS- | M] () -- C:\ProgramData\1380560618
[2007/08/11 04:03:47 | 000,000,343 | ---- | M] () -- C:\ProgramData\hpzinstall.log
[1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-03-09 08:27:50


========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\rewards.ppt:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\011411-160105[1].mp3:TOC.WMV
@Alternate Data Stream - 270 bytes -> C:\Windows\System32\drivers\hajqkyws.sys:changelist

< End of report >
 
And the 2nd log:

OTL Extras logfile created on: 4/14/2011 2:28:32 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lilheath\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.75 Gb Total Space | 232.12 Gb Free Space | 63.81% Space Free | Partition Type: NTFS
Drive D: | 8.86 Gb Total Space | 1.20 Gb Free Space | 13.50% Space Free | Partition Type: NTFS

Computer Name: LILHEATH-PC | User Name: Lilheath | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{07F9C309-E457-4F65-9C5A-80718212CE79}" = lport=445 | protocol=6 | dir=in | app=system |
"{15AFCEF5-47F3-4928-B4AA-85C6F50BBE51}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1DEF95AB-8DBC-4796-8FC5-8BF87B05935C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2169E430-85EB-48BF-BE23-DB5707258F63}" = lport=137 | protocol=17 | dir=in | app=system |
"{25DAFDF8-23EE-4F08-84D1-4AB6828A351B}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2BA55E27-393B-44F6-8CE0-B6716C479611}" = rport=10244 | protocol=6 | dir=out | app=system |
"{307EFDC6-4274-445C-BAAF-6B61A3A4CBF5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{33D6F9BE-75C9-4C65-9A04-C989953CEEC2}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{39367858-DBCE-4573-80FB-822738CF4508}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{455D9EF9-F653-4F34-B768-0F74FBB0679F}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{46F35AFB-7112-4015-993E-8C6B03727C3B}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4D19B24A-A687-46AC-8A7A-CC09D7C14BEA}" = lport=138 | protocol=17 | dir=in | app=system |
"{4DE5EF23-2DB4-4A52-82BD-13FB5D653132}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4EDD83C5-5DE1-45B4-846F-DE167EBD73D8}" = rport=139 | protocol=6 | dir=out | app=system |
"{59595BE0-E2BF-4488-9064-E50E6C3158A9}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{60A435F7-9BAC-4E4B-B2EB-A673CEC4156F}" = lport=3390 | protocol=6 | dir=in | app=system |
"{68680473-24AC-4233-8E93-82F34D9965B0}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{6E30F747-82A9-44AD-9903-A7F9081E8A2D}" = rport=10243 | protocol=6 | dir=out | app=system |
"{751339F5-659E-44B4-A035-20CC4AEB1BA0}" = rport=138 | protocol=17 | dir=out | app=system |
"{78BCF7A6-67CB-44EB-85C7-56F24143CDB4}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 |
"{7CC10976-58CD-4881-91C9-996D64164FA1}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7D2D6AFE-F83B-4319-86BD-314AD00B3A9B}" = lport=10243 | protocol=6 | dir=in | app=system |
"{82F1FF83-9086-4114-8679-7BD071867843}" = rport=445 | protocol=6 | dir=out | app=system |
"{8329CA9C-51FB-4912-BE4F-F16491E92391}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8348A419-EC9B-4033-94A8-D66313546AD0}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8A243C6C-55A8-4A18-AD2E-CCDD67DB60C2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8DA86A58-CDFA-42FD-9729-F65D1987CAB5}" = lport=7777 | protocol=17 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{8EFF1EBE-5752-4040-94FC-FA8B35E655BB}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8FC6B481-F44F-4902-82CB-684C5DDF887A}" = lport=10244 | protocol=6 | dir=in | app=system |
"{9A54E0CD-0F0F-449A-8545-5EE352A6FABD}" = lport=554 | protocol=6 | dir=in | app=%systemroot%\ehome\ehshell.exe |
"{9B248BB6-C859-4A07-B7B3-764D744CF549}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A5B722C9-D2D3-4A2E-A7C2-2A61B61A7ADE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A9BE8414-6752-4ACA-B2D6-64CB5B846E32}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{B975C268-8513-4F0A-B1FF-290609EAD823}" = lport=3390 | protocol=6 | dir=in | app=system |
"{C27780C7-9112-4672-A53D-4D0D4AB1446D}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CCC512D4-44F4-4F9C-93AC-F7EE11E397B0}" = lport=139 | protocol=6 | dir=in | app=system |
"{E18F036E-541B-4742-B747-6A5E3B99671B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{E1999439-CB56-47D5-AA14-F0CD94082F9F}" = lport=10244 | protocol=6 | dir=in | app=system |
"{E1A1AFEC-EE78-44A8-BDD2-476FA6E32536}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{E7560BE2-46DE-4BDE-8913-F040EE3F9CDD}" = rport=10244 | protocol=6 | dir=out | app=system |
"{E81B7658-0A45-47B5-9F94-6B4F6843244C}" = lport=2869 | protocol=6 | dir=in | app=system |
"{F264D92E-3536-4A94-BD41-5FF8EC33F272}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{054D363F-FFA1-4E3E-A2C5-2D3FD9D9499C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{056ACDA9-82B3-4A6F-B1C3-B8AFA347A5FA}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{0B595D48-F0AA-4B6E-9C6A-71DDD53F4691}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{1A166425-0B43-4CC3-81E6-AE30F2A6AA6A}" = protocol=6 | dir=out | app=system |
"{1D795682-6A79-4059-820C-7C1D9FF2F3F9}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxcgpswx.exe |
"{366CC5E9-7ACF-41B9-A647-FDE671A07868}" = protocol=17 | dir=in | app=c:\windows\system32\lxcgcoms.exe |
"{3A7D56B6-389F-4654-9F5F-3AE05AA6F46C}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{3B4A2DA2-7ECF-4128-A214-DBD6B75DB447}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{50E7AAA4-C04F-4712-AF9E-E796594EDD1F}" = protocol=6 | dir=in | app=c:\windows\system32\lxcgcoms.exe |
"{646F2BFA-BBFB-4A89-AD21-29D7922F6EEE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{65D0A517-97B1-4C83-B59B-0120260E9FCD}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{661FC9EF-423D-4FBA-9C2B-FC4A23300B1F}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{68E1D7A4-FC22-4DE4-8E30-D0B8CAFADB18}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxcgpswx.exe |
"{6CCF88FE-5A52-4F95-B85B-5A58A7A916C3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{72677AE4-33BD-44BE-853A-41CF5A885181}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{790D01DB-C872-45F4-BE78-4CB3B849E412}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe |
"{7F693533-2C65-4B77-9C34-39AE7C89237B}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxblpswx.exe |
"{80388BD2-05C6-4374-81C7-38FF9AC457B8}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{85714614-83AA-4D7A-93D4-446E931FDB0B}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxblpswx.exe |
"{8B139DBF-DB3B-4D05-A0FE-8C02409A3C51}" = protocol=6 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{9577B62E-435C-45DE-B5EA-A396C993B5E5}" = protocol=17 | dir=in | app=c:\windows\system32\lxblcoms.exe |
"{9D94C639-810F-405E-8585-4AFCC5834288}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{A2495E7E-EAC6-4465-97D0-BF748D7DA8B0}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{B3BBA716-5D8A-44A4-9061-D1C401A33F48}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{BC5E8EEA-FA2C-49AD-BD66-017DA7E2E78A}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{BE0EAF16-66DE-497F-81D3-00B34D27FAAC}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{C1D035BC-CEB8-4903-95F9-48A7509FB5C0}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{C4BF8AC0-6475-4572-9583-04756C2DD107}" = protocol=6 | dir=in | app=c:\windows\system32\lxblcoms.exe |
"{C9297834-A66D-4E8A-BBE6-D338FAE174FE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{CC822E85-59DC-4E23-86F2-C2162AB543F2}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{CCF1C77C-CC7A-44D1-A2F1-837874C6F6E6}" = protocol=6 | dir=out | app=%systemroot%\ehome\mcx2prov.exe |
"{CDD1E740-2625-491C-8ACD-A4E5D3B41744}" = protocol=17 | dir=out | app=%systemroot%\ehome\ehshell.exe |
"{CF7953B9-A9D9-4710-A21A-25EB39D26704}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{D04EC2BA-6EAB-4C91-BCAA-2CBF8F970E60}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{D32C77AB-DC41-45E7-8198-325DB506DFDD}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E1E3E792-D32B-42C8-A3D3-C0849E601115}" = protocol=6 | dir=in | app=c:\windows\system32\lxcgcoms.exe |
"{E2CC40C9-22AA-404C-80B8-4F55EFC0B064}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |
"{E4A8B9A1-FD6C-4B80-8961-25C4E0804D15}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-2.2.0-enus-downloader.exe |
"{E576DAD5-C5BB-4E91-88FC-CAF9CA994149}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{E7656EBE-EF96-44F8-A27C-BE9AAA6C5988}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{EA6F8AAE-AC83-4B4E-8A81-37BDF7167ADA}" = protocol=17 | dir=in | app=c:\windows\system32\lxcgcoms.exe |
"{EDFE1A18-77F4-4A22-94D5-0D1D761D5D05}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F5D1D11A-9456-4A40-9547-BD351E852037}" = dir=in | app=c:\program files\finalmediaplayer\fmpcheckforupdates.exe |
"{FA27EAC5-D3EA-4B54-B930-5A0F1A8F040B}" = protocol=6 | dir=out | svc=mcx2svc | app=%systemroot%\system32\svchost.exe |
"{FAB6A75F-05B0-4630-9D82-8797D5940100}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FC71017C-303B-4EBD-9359-5B0FEFCAB554}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-2.2.0-enus-downloader.exe |
"TCP Query User{03B77975-71E1-4346-B51C-038942581ADA}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{0B5195CC-2159-462A-8A92-ADA5CCAC2A79}C:\program files\hp games\jeopardy\jeopardy!.exe" = protocol=6 | dir=in | app=c:\program files\hp games\jeopardy\jeopardy!.exe |
"TCP Query User{165A05B1-03E9-4816-933E-1247F04F1191}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{2841E688-D7B8-4208-9EC9-5895E04748C9}C:\program files\gametap\bin\release\gametap.exe" = protocol=6 | dir=in | app=c:\program files\gametap\bin\release\gametap.exe |
"TCP Query User{3918E368-B252-4A01-B188-2E01C5BCE576}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{4967C311-9A3C-405E-A2BA-F0AE39D8F383}C:\program files\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"TCP Query User{8D03BC34-92BC-40A6-A4B3-52D7FD0FA748}C:\program files\world of warcraft\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe |
"TCP Query User{BE1C5B4D-0A5C-4DAF-85E9-37557A222BA4}C:\program files\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"TCP Query User{DAB823FB-0299-472C-A367-79120DB67D51}C:\program files\world of warcraft\wow-1.12.0-enus-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-1.12.0-enus-downloader.exe |
"TCP Query User{F00F1088-A0C0-419B-86C4-52D2BC9561CA}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{FE62901B-6F6A-4AEC-B383-D11D0A4FF04B}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=6 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"UDP Query User{0D8914AF-48E3-49E1-B074-047996E3E674}C:\program files\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"UDP Query User{1B61986C-3342-49F2-8E58-ADCB227BB3F8}C:\program files\world of warcraft\wow-1.12.0-enus-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-1.12.0-enus-downloader.exe |
"UDP Query User{28BC68DE-1163-4FA0-97E2-912233676DD6}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=17 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"UDP Query User{2C7957BB-8C83-4FAC-8130-F2DD7AF73019}C:\program files\gametap\bin\release\gametap.exe" = protocol=17 | dir=in | app=c:\program files\gametap\bin\release\gametap.exe |
"UDP Query User{38AB18A5-A598-43CB-A153-D38EAECFA2D3}C:\program files\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"UDP Query User{793F15CB-AB17-4083-AB7E-F9AC230F5A9D}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{A3D6D131-2A5E-4710-ABD0-0D3975FB766B}C:\program files\world of warcraft\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-1.12.x-to-2.0.1-enus-patch-downloader.exe |
"UDP Query User{B9C56F3A-323D-455F-8E9A-9FD88B4F1450}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{C5E79401-3A08-4768-B1C3-170B99C6063E}C:\program files\hp games\jeopardy\jeopardy!.exe" = protocol=17 | dir=in | app=c:\program files\hp games\jeopardy\jeopardy!.exe |
"UDP Query User{DC4F4011-1DB9-4163-871E-9641C6AEC1BB}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{E7F1F49B-DC3D-4FDD-9AAD-EFB74EAE9E66}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00120409-78E1-11D2-B60F-006097C998E7}" = Microsoft FrontPage 2000
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{029B5901-1F27-4347-9923-E8ACC8F54E15}" = Snapfish Picture Mover
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5
"{0A47BAFF-D4FF-4BD3-96CA-02A22EA62722}" = HP Active Support Library
"{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}" = SimCity™ Societies
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
"{14AF024E-2E3B-49D0-A175-D1C1A06B155A}" = muvee autoProducer 6.0
"{1E99F5D7-4262-4C7C-9135-F066E7485811}" = System Requirements Lab
"{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
"{55D6B4DA-50E9-47AF-99C1-9A8E3A234763}" = Greeting Card Factory Deluxe 7.0
"{5CA03ECF-B4A6-464B-9F5D-64D8B61B083F}" = Everio MediaBrowser
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{67E158AF-8856-4337-B483-EA21930786AF}" = GameTap
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}" = HP Active Support Library 32 bit components
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A43E42-3658-4DD9-8551-FACDA3632538}" = HP Advisor
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5 TBYB
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B6ADA0E4-9451-43EB-B86E-878AD9E68D4F}" = LightScribe 1.6.45.1
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CAFECAFE-0013-0001-0128-ABCDEFABCDEF}" = Oracle JInitiator 1.3.1.28
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9CD37C-E29A-11D5-AE3D-005004B8E30C}" = Digital Photo Navigator 1.5
"{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E7C97E98-4C2D-BEAF-5D2F-CC45A2F95D90}" = Acrobat.com
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"{F07737AC-C218-4272-A678-26CA5F6CD8DF}" = Opera 10.61
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"3ivx D4 4.5.1 Decoder" = 3ivx D4 4.5.1 Decoder (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVS DVDMenu Editor_is1" = AVS DVDMenu Editor 1.2.1.19
"AVS Video Tools 5_is1" = AVS Video Tools 5.6
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"EA Download Manager" = EA Download Manager
"eMusic Download Manager" = eMusic Download Manager 4.1.4
"FinalMediaPlayer_is1" = Final Media Player 2010
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"Lexmark 2300 Series" = Lexmark 2300 Series
"Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.18)" = Mozilla Firefox (3.5.18)
"NVIDIA Drivers" = NVIDIA Drivers
"OfficeTrial" = Microsoft Office Home and Student 60 day trial
"OsdMaestro" = HP On-Screen Cap/Num/Scroll Lock Indicator
"PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
"Rhapsody" = Rhapsody
"SystemRequirementsLab" = System Requirements Lab
"WildTangent hp Master Uninstall" = My HP Games
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"World of Warcraft" = World of Warcraft
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2270473045-1982684083-2497196655-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"61240c64869513c2" = Napster Download Manager
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
 
I don't see any AV program running.
Please, install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings.

========================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirements...qlabdetect.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [2011/04/14 14:30:52 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\orpokalx.sys
    @Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\rewards.ppt:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Lilheath\Documents\011411-160105[1].mp3:TOC.WMV
    @Alternate Data Stream - 270 bytes -> C:\Windows\System32\drivers\hajqkyws.sys:changelist
    
    :Services
    
    :Reg
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\orpokalx]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
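A read-only triage script, added here as an example that is not part of this thread and not part of OTL or any of the tools named above. It walks the same classes of indicator the OTL fix above removes (a recently written driver in System32\drivers, alternate data streams attached to driver files, a driver service whose image file is missing, and a DisableMonitoring override under the Security Center Monitoring key) and only reports them. It assumes PowerShell 3.0 or later (for `-Stream` and `-File`) started from an elevated prompt; the seven-day "recent" window is an assumption, and the path variables are placeholders for the machine being examined.

```powershell
# Added example, not from the original thread or from OTL: a report-only pass
# over the indicator classes the OTL fix targets. Assumes PowerShell 3.0+ and an
# elevated prompt. Nothing here deletes or changes anything.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$cutoff    = (Get-Date).AddDays(-7)   # assumption: "recent" means the last 7 days

# 1. Driver files written recently, with their Authenticode status.
#    Note: many Microsoft drivers are catalog-signed rather than embedded-signed,
#    so on older PowerShell they report 'NotSigned'. Treat that as "look closer",
#    not as a verdict; a random eight-letter name plus a recent timestamp is the
#    combination worth attention.
"== Recently modified drivers in $driverDir =="
Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.Name
            Modified  = $_.LastWriteTime
            SizeBytes = $_.Length
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-Table -AutoSize

# 2. Driver files that carry an alternate data stream other than the default
#    ::$DATA stream (the OTL log above showed a ':changelist' stream on one).
"== Alternate data streams on driver files =="
Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# 3. Kernel-driver services (Type = 1) whose image file is not present in the
#    drivers folder. Drivers legitimately installed elsewhere (for example under
#    System32 itself) will appear here too, so this is a starting list, not proof.
"== Driver services whose image file is missing from $driverDir =="
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.Type -eq 1 -and $p.ImagePath) {
        $leaf = Split-Path -Leaf $p.ImagePath
        if (-not (Test-Path (Join-Path $driverDir $leaf))) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $p.Start          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                ImagePath = $p.ImagePath
            }
        }
    }
} | Format-Table -AutoSize

# 4. The Security Center override the OTL fix removes. A DisableMonitoring value
#    here silences the "no antivirus / firewall" notifications, which is exactly
#    what rogue "your computer is infected" software wants switched off.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
$sc = Get-ItemProperty -Path $scKey -ErrorAction SilentlyContinue
if ($sc -and $sc.PSObject.Properties['DisableMonitoring']) {
    "Security Center: DisableMonitoring = $($sc.DisableMonitoring) is set under $scKey"
} else {
    "Security Center: no DisableMonitoring override present under $scKey"
}
```

Run it once before a fix to record what is there, and once after the reboot to confirm the driver, its stream and the service entry are gone and the Security Center override is no longer set; keep both outputs with the OTL log so the before/after state is documented.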
 
Sorry for the delay. I'm having new problems now. I d/led and installed Avast, updated my Java and removed old java with the Javara. After restarting the computer I got a blue screen after loading windows saying that it couldn't load up properly. I tried it a few more times and could never get it to load. It goes up through me selecting my Windows user and then to the blue screen. I started in safe mode, and am there now. Ran avast and it has 1 bad file, orco something, but it can't fix it. I'm going to run OTL again with the new script in the last post and will let you know what I find afterwards.
 
Ran OTL again with the fix, when computer restarted, it came back to the blue screen. I took a picture with my cell phone, will try to get it uploaded. It goes by way too quick to read what is on it.
 
Restarted manually, still getting blue screen. I have attached a pic of the screen that I'm getting.

Thanks as always,

Boogie Daddie
 

Attachments: bluescreen1.jpg (25.1 KB)
I can't really see from your picture what the stop number is.

Did you try Safe Mode, Last Known Good Configuration?
 