Infected - Please help.


mpm32


Hi, My wife clicked on one of those "You have been infected, click here to remove the infection immediately" - again. She did it two years ago.

I cannot run the Malwarebytes I have on that PC, and I cannot install a new copy - I have tried most suggestions. Every one ends with Malwarebytes installing until the end and then an "Access is denied" box pops up. I cannot use the internet from that PC, every link or search is redirected.

I was able to run rkill and get a log, I also had a version of Hijack This on the pc - v2.0.2.

The logs are below - in advance, thanks for your help.

Hijack This;

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:46:52 PM, on 1/16/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxdccoms.exe

C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\DRIVERS\WtSrv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\ccSvcHst.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Radica\Stylin' Studio\SS_MW.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\IPSBHO.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\coIEPlg.dll

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [sS_MW] C:\Program Files\Radica\Stylin' Studio\SS_MW.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ArcSoft MediaImpression Monitor] C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKUS\S-1-5-21-3367265213-4223227456-216994003-1009\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'Stupid Virus')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://notesdancl1.pb.com/iNotes6W.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab

O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O20 - AppInit_DLLs:

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\ccSvcHst.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--

End of file - 11503 bytes

Rkill;

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 01/16/2012 at 20:00:37.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

N:\rkill.scr

--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is:

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.

Rkill completed on 01/16/2012 at 20:01:55.

Thanks again.


Welcome to the forum.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

-------------

Next..........

Please download and run RogueKiller.

Choose 1 to scan the system

Post back the report.

-------------------------

Last.......

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

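MrC asks for a RogueKiller report. In the copy posted later in this thread, the part that carries the diagnosis is the "MBR Check" section: the tool hashes the boot sector and lists the partition table as read through the normal Windows path ("User") and through its own lower-level reads ("LL1", "LL2"), and prints "KO!" when they disagree. A clean disk reads the same through every path; a disagreement means something between the filesystem stack and the disk is rewriting what user-mode readers (including a file-based scanner) get to see, which is why the tool's verdict in that report is Root.MBR and why a boot-sector repair rather than a file scan is what fixes it. The script below is an added example, not part of this thread and not RogueKiller's own code: it parses that section (assuming only the layout visible in the posted report) from a sample copied from the posted report, abbreviated, and lists every disagreement a defender would want explained before trusting the drive. The names `SAMPLE_REPORT`, `parse_mbr_check` and `assess` are mine.

```python
import re

# Sample in the layout of the RogueKiller "MBR Check" section posted later in
# this thread: PhysicalDrive0 copied from the posted report with its identical
# LL2 block dropped, PhysicalDrive1 as posted. The parser assumes only this layout.
SAMPLE_REPORT = """\
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] b06e73c66339463180a39c4c9d62e582
[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo
2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] de5b23b5d87475d0281791499ed5b35a
[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo
2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 156232125 | Size: 9 Mo
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 87aa69135d8ecba8a019e15d9fb5f2b8
[bSP] 9996da91efd12bf70d3515aa329765c1 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 80015 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
"""

DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): \+{5}$")
VIEW_RE = re.compile(r"^--- (User|LL\d) ---$")
MBR_RE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")
BSP_RE = re.compile(r"^\[bSP\] ([0-9a-f]{32}) : (.+)$")
PART_RE = re.compile(r"^(\d+) - \[(\w+)\] (\S+) \[(\w+)!?\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")


def parse_mbr_check(text):
    """Return {drive: {view: {"mbr", "bsp", "code", "parts"}}} from the section.

    "User" is what Windows hands a normal reader; LL1/LL2 are the tool's
    lower-level reads, which it prints only when they differ from User."""
    drives, drive, view = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := DRIVE_RE.match(line):
            drive, view = drives.setdefault(m.group(1), {}), None
        elif (m := VIEW_RE.match(line)) and drive is not None:
            view = drive.setdefault(m.group(1), {"parts": []})
        elif view is None:
            continue
        elif m := MBR_RE.match(line):
            view["mbr"] = m.group(1)
        elif m := BSP_RE.match(line):
            view["bsp"], view["code"] = m.group(1), m.group(2)
        elif m := PART_RE.match(line):
            _, flag, fs, vis, off, size = m.groups()
            view["parts"].append({"fs": fs, "offset": int(off), "size_mb": int(size),
                                  "active": flag == "ACTIVE", "hidden": vis == "HIDDEN"})
    return drives


def assess(drives):
    """Per drive, list each way a low-level view contradicts the user-mode view.

    Hash mismatch, partitions the user view cannot see, and a different boot
    (active) partition are the signs that the MBR Windows boots from is not the
    one user-mode tools are shown."""
    findings = {}
    for name, views in drives.items():
        notes, user = [], views.get("User")
        if user is None:
            findings[name] = ["no user-mode view parsed"]
            continue
        user_offsets = {p["offset"] for p in user["parts"]}
        user_active = [p["offset"] for p in user["parts"] if p["active"]]
        for vname, low in views.items():
            if vname == "User":
                continue
            if low.get("mbr") != user.get("mbr"):
                notes.append(f"MBR hash differs between User and {vname}")
            for p in low["parts"]:
                if p["offset"] not in user_offsets:
                    notes.append(f"{vname} sees a partition at sector {p['offset']} "
                                 f"({p['fs']}, {p['size_mb']} MB) hidden from User")
            low_active = [p["offset"] for p in low["parts"] if p["active"]]
            if low_active != user_active:
                notes.append(f"boot partition differs: User {user_active} vs {vname} {low_active}")
        if "unknown" in user.get("code", "").lower():
            notes.append("boot code is not a recognised stock MBR")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for drive, notes in assess(parse_mbr_check(SAMPLE_REPORT)).items():
        print(drive, "->", "clean" if not notes else "; ".join(notes))
```

Run against the sample, PhysicalDrive1 comes back clean while PhysicalDrive0 gets four notes: a different MBR hash in the low-level read, a 9 MB NTFS partition at sector 156232125 that the user view never shows, a boot partition that differs between the two views, and boot code the tool does not recognise as stock. Those four together are what "User != LL1 ... KO!" is summarising, and they are the reason the helper needs the full report rather than the one-line verdict.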

Thanks, here are the log files;

FSS:

Farbar Service Scanner Version: 18-01-2012 01

Ran by Mark (administrator) on 18-01-2012 at 23:13:49

Microsoft Windows XP Professional Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error: Google IP is unreachable

Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

===========

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3)

0x080000000400000001000000020000000300000008000000090000000500000006000000

IpSec Tag value is correct.

**** End of log ****

RogueKiller;

RogueKiller V6.2.4 [01/12/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Mark [Admin rights]

Mode: Scan -- Date : 01/18/2012 23:16:54

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[PROXY FF] 37qlj6z6.default\ :0 -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

127.0.0.1 ad.a8.net

127.0.0.1 asy.a8ww.net

127.0.0.1 a9rhiwa.cn #[Google.Warning]

127.0.0.1 www.a9rhiwa.cn

127.0.0.1 acezip.net #[siteAdvisor.acezip.net]

127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]

127.0.0.1 phpadsnew.abac.com

127.0.0.1 a.abnad.net

127.0.0.1 b.abnad.net

127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

127.0.0.1 d.abnad.net

127.0.0.1 e.abnad.net

127.0.0.1 t.abnad.net

127.0.0.1 z.abnad.net

127.0.0.1 banners.absolpublisher.com

127.0.0.1 tracking.absolstats.com

127.0.0.1 adv.abv.bg

127.0.0.1 bimg.abv.bg

127.0.0.1 www2.a-counter.kiev.ua

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] b06e73c66339463180a39c4c9d62e582

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

User != LL1 ... KO!

--- LL1 ---

[MBR] de5b23b5d87475d0281791499ed5b35a

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 156232125 | Size: 9 Mo

User != LL2 ... KO!

--- LL2 ---

[MBR] de5b23b5d87475d0281791499ed5b35a

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 156232125 | Size: 9 Mo

+++++ PhysicalDrive1: +++++

--- User ---

[MBR] 87aa69135d8ecba8a019e15d9fb5f2b8

[bSP] 9996da91efd12bf70d3515aa329765c1 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 80015 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

OTL:

OTL logfile created on: 1/18/2012 11:22:16 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Mark\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.07 Mb Total Physical Memory | 490.65 Mb Available Physical Memory | 48.38% Memory free

2.38 Gb Paging File | 1.75 Gb Available in Paging File | 73.20% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 69.82 Gb Total Space | 5.63 Gb Free Space | 8.06% Space Free | Partition Type: NTFS

Drive N: | 74.52 Gb Total Space | 4.63 Gb Free Space | 6.22% Space Free | Partition Type: NTFS

Computer Name: D1FWGW81 | User Name: Mark | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/18 22:58:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe

PRC - [2012/01/18 22:58:07 | 000,787,456 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\RogueKiller.exe

PRC - [2011/08/03 23:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\ccsvchst.exe

PRC - [2010/12/15 17:03:02 | 000,080,448 | -H-- | M] (ArcSoft, Inc.) -- C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe

PRC - [2010/10/27 18:17:52 | 000,207,424 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

PRC - [2010/08/25 10:27:44 | 000,309,824 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

PRC - [2010/08/23 19:21:40 | 000,013,672 | -H-- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

PRC - [2010/03/18 10:19:26 | 000,113,152 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

PRC - [2009/01/08 06:36:42 | 002,521,464 | -H-- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe

PRC - [2008/04/25 21:47:13 | 000,396,288 | -H-- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

PRC - [2008/04/25 19:31:40 | 000,524,288 | -H-- | M] (Radica) -- C:\Program Files\Radica\Stylin' Studio\SS_MW.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/04/13 19:12:18 | 000,180,224 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dwwin.exe

PRC - [2008/04/13 19:12:14 | 000,389,120 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe

PRC - [2007/11/28 20:18:13 | 000,312,880 | -H-- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

PRC - [2007/05/25 08:38:20 | 000,537,520 | -H-- | M] ( ) -- C:\WINDOWS\system32\lxdccoms.exe

PRC - [2007/04/30 03:19:53 | 000,020,480 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

PRC - [2006/11/03 18:19:58 | 000,013,592 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe

PRC - [2006/10/01 13:03:52 | 000,255,552 | -H-- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

PRC - [2005/11/23 02:52:52 | 000,026,112 | -H-- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe

PRC - [2005/09/30 18:22:50 | 000,096,341 | -H-- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

PRC - [2005/05/25 09:35:10 | 000,069,632 | -H-- | M] (CANON INC.) -- C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe

PRC - [2005/03/23 01:20:44 | 000,339,968 | -H-- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe

PRC - [2003/09/29 21:41:32 | 000,040,960 | -H-- | M] (Tablet Driver) -- C:\WINDOWS\system32\drivers\WtSrv.exe

========== Modules (No Company Name) ==========

MOD - [2012/01/16 18:11:19 | 005,025,792 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

MOD - [2012/01/16 18:11:11 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll

MOD - [2012/01/16 18:11:07 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll

MOD - [2012/01/16 18:11:06 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

MOD - [2012/01/16 18:11:05 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

MOD - [2012/01/16 18:11:03 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll

MOD - [2012/01/16 18:11:02 | 000,626,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll

MOD - [2012/01/16 18:10:55 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll

MOD - [2012/01/16 18:10:54 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

MOD - [2012/01/16 18:10:51 | 003,182,592 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

MOD - [2011/10/12 20:25:24 | 000,212,992 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll

MOD - [2011/10/12 18:23:54 | 000,025,600 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d86a3346c3d90ff12d0df9d7726f3ece\Accessibility.ni.dll

MOD - [2011/10/12 18:20:09 | 005,450,752 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll

MOD - [2011/10/12 18:18:22 | 001,587,200 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll

MOD - [2011/10/12 17:59:35 | 007,950,848 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll

MOD - [2011/10/12 17:58:24 | 011,490,816 | -H-- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll

MOD - [2011/03/26 13:04:46 | 000,854,016 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll

MOD - [2011/03/26 13:04:40 | 000,270,336 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll

MOD - [2011/03/26 13:04:37 | 000,409,960 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll

MOD - [2011/03/26 13:04:34 | 000,476,520 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll

MOD - [2011/03/26 13:04:18 | 000,046,952 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll

MOD - [2011/03/26 13:04:17 | 000,012,136 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll

MOD - [2011/03/26 13:04:15 | 000,023,912 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll

MOD - [2011/03/26 13:04:15 | 000,018,792 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll

MOD - [2011/03/26 13:04:13 | 000,421,224 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll

MOD - [2011/03/26 13:04:10 | 000,269,672 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll

MOD - [2011/03/26 13:04:07 | 000,120,168 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll

MOD - [2011/03/26 13:04:06 | 000,121,704 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll

MOD - [2011/03/26 13:04:06 | 000,070,504 | -H-- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll

MOD - [2009/11/03 15:51:42 | 000,067,872 | -H-- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2007/05/02 00:11:55 | 000,040,960 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.Monitor.Core.dll

MOD - [2007/05/02 00:11:55 | 000,028,672 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.Monitor.Common.dll

MOD - [2007/05/02 00:10:58 | 000,057,344 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.MCMDevMon.dll

MOD - [2007/04/30 03:20:25 | 000,011,776 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.MCMDevMon.AutoPlayUtil.dll

MOD - [2007/04/30 03:19:53 | 000,020,480 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

MOD - [2007/04/30 03:19:51 | 000,020,480 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.ScanDevMon.dll

MOD - [2007/04/30 03:19:48 | 000,020,480 | -H-- | M] () -- C:\Program Files\Lexmark 1300 Series\App4R.DevMons.NetworkCardDevMon.dll

MOD - [2007/01/18 00:18:54 | 000,103,936 | -H-- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdcdrpp.dll

========== Win32 Services (SafeList) ==========

========== Driver Services (SafeList) ==========

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=6528

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found

IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://my.msn.com/default.armx?lc=1033&id=6528"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: 2020Player@2020Technologies.com:4.5.2.0

FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.9

FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.91

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.0

FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:2010.9.0.6

FF - prefs.js..extensions.enabledItems: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:5.6.0.8442

FF - prefs.js..network.proxy.no_proxies_on: "dynhost.inetcam.com,register.inetcam.com"

FF - prefs.js..network.proxy.type: 1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@ei.Guffins.com/Plugin: C:\Program Files\GuffinsEI\Installr\3.bin\NPu4EISB.dll (Guffins)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.91: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)

FF - HKLM\Software\MozillaPlugins\@unity3d.com/UnityPlayer: C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKCU\Software\MozillaPlugins\@adobe.com/Acrobat,version=5.1: C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll File not found

FF - HKCU\Software\MozillaPlugins\mattelinc.com/HotWheelsLoader: C:\Documents and Settings\Mark\Local Settings\Application Data\sswat_hwrc_win_live\npHotWheelsLoader.dll (Mattel, Inc)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\ [2011/07/22 14:06:19 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn_2010_9_0_6 [2012/01/16 20:23:38 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Internet Explorer\components

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Internet Explorer\plugins [2011/05/30 21:24:30 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Internet Explorer\components

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Internet Explorer\plugins [2011/05/30 21:24:30 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/26 23:25:30 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/26 23:25:41 | 000,000,000 | -H-D | M]

[2008/12/18 18:55:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions

[2011/12/26 23:25:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\37qlj6z6.default\extensions

[2010/07/21 17:28:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\37qlj6z6.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/11/07 09:31:14 | 000,000,000 | ---D | M] (20-20 3D Viewer) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\37qlj6z6.default\extensions\2020Player@2020Technologies.com

[2011/12/26 23:25:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\37qlj6z6.default\extensions\nostmp

[2011/12/26 23:25:30 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/11/13 12:33:12 | 000,000,000 | -H-D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\37QLJ6Z6.DEFAULT\EXTENSIONS\{A7C6CF7F-112C-4500-A7EA-39801A327E5F}.XPI

[2011/12/21 02:24:52 | 000,121,816 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011/07/13 16:52:56 | 000,091,552 | -H-- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll

[2010/06/01 09:16:02 | 000,411,368 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2011/07/13 16:52:58 | 000,091,552 | -H-- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll

[2011/12/20 23:30:41 | 000,002,252 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2011/12/20 23:30:41 | 000,002,040 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/03/11 06:13:44 | 000,610,716 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 ad.a8.net

O1 - Hosts: 127.0.0.1 asy.a8ww.net

O1 - Hosts: 127.0.0.1 a9rhiwa.cn #[Google.Warning]

O1 - Hosts: 127.0.0.1 www.a9rhiwa.cn

O1 - Hosts: 127.0.0.1 acezip.net #[siteAdvisor.acezip.net]

O1 - Hosts: 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]

O1 - Hosts: 127.0.0.1 phpadsnew.abac.com

O1 - Hosts: 127.0.0.1 a.abnad.net

O1 - Hosts: 127.0.0.1 b.abnad.net

O1 - Hosts: 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

O1 - Hosts: 127.0.0.1 d.abnad.net

O1 - Hosts: 127.0.0.1 e.abnad.net

O1 - Hosts: 127.0.0.1 t.abnad.net

O1 - Hosts: 127.0.0.1 z.abnad.net

O1 - Hosts: 127.0.0.1 banners.absolpublisher.com

O1 - Hosts: 127.0.0.1 tracking.absolstats.com

O1 - Hosts: 127.0.0.1 adv.abv.bg

O1 - Hosts: 127.0.0.1 bimg.abv.bg

O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua

O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com

O1 - Hosts: 127.0.0.1 accuserveadsystem.com

O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com

O1 - Hosts: 127.0.0.1 gtb5.acecounter.com

O1 - Hosts: 127.0.0.1 gtb19.acecounter.com

O1 - Hosts: 16252 more lines...

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\ipsbho.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)

O3 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.

O3 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [ArcSoft MediaImpression Monitor] C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe (ArcSoft, Inc.)

O4 - HKLM..\Run: [EleFunAnimatedWallpaper] File not found

O4 - HKLM..\Run: [lxdcamon] C:\Program Files\Lexmark 1300 Series\lxdcamon.exe ()

O4 - HKLM..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe (CANON INC.)

O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sS_MW] C:\Program Files\Radica\Stylin' Studio\SS_MW.exe (Radica)

O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)

O4 - HKU\S-1-5-21-3367265213-4223227456-216994003-1009..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" File not found

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\cfp.exe (COMODO)

O4 - Startup: C:\Documents and Settings\Amie\Start Menu\Programs\Startup\Dropbox.lnk = File not found

O4 - Startup: C:\Documents and Settings\Mark\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O15 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..Trusted Domains: pb.com ([bvcontp1.ct] http in Local intranet)

O15 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..Trusted Domains: pb.com ([bvcontp1.ct] https in Trusted sites)

O15 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Reg Error: Key error.)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab (CKAVWebScan Object)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} https://support.microsoft.com/OAS/ActiveX/odc.cab (Microsoft Data Collection Control)

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://notesdancl1.pb.com/iNotes6W.cab (iNotes6 Class)

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab (DLM Control)

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedInContactFinderControl.cab (Reg Error: Key error.)

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab (EPUImageControl Class)

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137209401114 (MUWebControl Class)

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab (Reg Error: Key error.)

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab (MsnMessengerSetupDownloadControl Class)

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe (Virtools WebPlayer Class)

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab (CGameManagerCtrl Object)

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (Reg Error: Key error.)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe (Virtools WebPlayer Class)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab (Reg Error: Key error.)

O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://usextranet.aigfpc.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)

O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} http://fdl.msn.com/public/investor/v13/ticker.cab (MSN Money Ticker)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\Userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2005/08/16 05:43:04 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2010/03/28 15:14:37 | 000,000,000 | -H-D | M] - C:\Automatic -- [ NTFS ]

O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun

O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe

O33 - MountPoints2\{4558ae68-0bd1-11e0-887a-00123fb2b586}\Shell - "" = AutoRun

O33 - MountPoints2\{4558ae68-0bd1-11e0-887a-00123fb2b586}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{4558ae68-0bd1-11e0-887a-00123fb2b586}\Shell\AutoRun\command - "" = J:\Photo_Viewer.exe

O33 - MountPoints2\{62407743-37d4-11e0-889e-00123fb2b586}\Shell - "" = AutoRun

O33 - MountPoints2\{62407743-37d4-11e0-889e-00123fb2b586}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{62407743-37d4-11e0-889e-00123fb2b586}\Shell\AutoRun\command - "" = F:\MI.exe

O33 - MountPoints2\{b5016471-0fc1-11e0-887e-00123fb2b586}\Shell - "" = AutoRun

O33 - MountPoints2\{b5016471-0fc1-11e0-887e-00123fb2b586}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{b5016471-0fc1-11e0-887e-00123fb2b586}\Shell\AutoRun\command - "" = J:\Photo_Viewer.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/18 23:14:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\RK_Quarantine

[2012/01/18 23:13:01 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe

[2012/01/17 01:30:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth

[2012/01/16 20:25:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood

[2012/01/16 20:10:44 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\firefox.exe.exe

[2012/01/16 19:25:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\PCHealth

[2012/01/16 18:15:39 | 000,000,000 | ---D | C] -- C:\777d139e704704f2335f16f63ada7524

[2012/01/16 14:23:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\Nova Development

[2012/01/16 14:23:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\IdeaSoft

[2012/01/14 20:13:18 | 000,000,000 | -H-D | C] -- C:\Program Files\RADVideo

[2011/02/13 19:47:37 | 000,702,464 | -H-- | C] (Guffins) -- C:\Program Files\Uninstall Guffins.dll

[2007/11/04 18:39:42 | 000,323,584 | -H-- | C] ( ) -- C:\WINDOWS\System32\LXDChcp.dll

[2007/05/25 04:38:22 | 000,385,968 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcih.exe

[2007/05/25 04:38:20 | 000,537,520 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdccoms.exe

[2007/05/17 09:19:57 | 000,643,072 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcpmui.dll

[2007/05/17 09:17:22 | 001,232,896 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcserv.dll

[2007/05/17 09:11:47 | 000,425,984 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdccomm.dll

[2007/05/17 09:10:16 | 000,585,728 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdclmpm.dll

[2007/05/17 09:08:43 | 000,397,312 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdciesc.dll

[2007/05/17 09:07:51 | 000,094,208 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcpplc.dll

[2007/05/17 09:07:02 | 000,684,032 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdccomc.dll

[2007/05/17 09:06:32 | 000,163,840 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcprox.dll

[2007/05/17 08:59:50 | 000,413,696 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcinpa.dll

[2007/05/17 08:58:46 | 000,999,424 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdcusb1.dll

[2007/05/17 08:53:19 | 000,700,416 | -H-- | C] ( ) -- C:\WINDOWS\System32\lxdchbn3.dll

[5 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

[3 C:\Documents and Settings\All Users\Documents\*.tmp files -> C:\Documents and Settings\All Users\Documents\*.tmp -> ]

[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/18 23:17:47 | 000,002,048 | -H-- | M] () -- C:\WINDOWS\bootstat.dat

[2012/01/18 23:16:33 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys

[2012/01/18 22:58:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe

[2012/01/18 22:58:07 | 000,787,456 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\RogueKiller.exe

[2012/01/18 22:57:16 | 000,334,429 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\FSS.exe

[2012/01/18 01:30:10 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2012/01/17 10:30:09 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\SyncBack Music.job

[2012/01/16 20:44:02 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/01/16 20:23:17 | 1063,407,616 | -HS- | M] () -- C:\hiberfil.sys

[2012/01/16 20:01:53 | 000,000,180 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\rk-proxy.reg

[2012/01/16 19:33:12 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\firefox.exe.exe

[2012/01/16 18:04:09 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2012/01/16 18:01:59 | 000,008,070 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf

[2012/01/16 14:33:00 | 000,091,648 | ---- | M] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/01/16 11:07:24 | 000,000,464 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\wAbs6XSRvavIDG

[2012/01/16 11:04:41 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDG

[2012/01/16 11:04:40 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDGr

[2012/01/16 10:21:52 | 000,456,448 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\jEGCsSWIMfSR.exe

[2012/01/09 14:29:02 | 000,438,039 | -H-- | M] () -- C:\yoga1.jpg

[2011/12/26 23:25:35 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk

[5 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

[3 C:\Documents and Settings\All Users\Documents\*.tmp files -> C:\Documents and Settings\All Users\Documents\*.tmp -> ]

[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/18 23:16:33 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys

[2012/01/18 23:13:01 | 000,787,456 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\RogueKiller.exe

[2012/01/18 23:13:01 | 000,334,429 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\FSS.exe

[2012/01/16 20:01:53 | 000,000,180 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\rk-proxy.reg

[2012/01/16 10:55:02 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDGr

[2012/01/16 10:55:01 | 000,000,296 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDG

[2012/01/16 10:54:52 | 000,000,464 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\wAbs6XSRvavIDG

[2012/01/16 10:22:00 | 000,456,448 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\jEGCsSWIMfSR.exe

[2012/01/09 14:28:58 | 000,438,039 | -H-- | C] () -- C:\yoga1.jpg

[2011/12/15 22:29:02 | 000,001,940 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

[2010/04/09 19:45:57 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\d3d9caps.dat

[2010/03/29 13:28:11 | 000,000,110 | -H-- | C] () -- C:\WINDOWS\{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}_WiseFW.ini

[2010/01/30 15:42:16 | 000,060,032 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/01/21 19:42:46 | 000,044,544 | -H-- | C] () -- C:\WINDOWS\System32\GIF89.DLL

[2009/08/14 15:04:54 | 000,163,840 | -H-- | C] () -- C:\WINDOWS\System32\unrar.dll

[2009/08/14 15:04:52 | 000,564,224 | -H-- | C] () -- C:\WINDOWS\System32\x264vfw.dll

[2009/08/14 15:04:51 | 001,559,040 | -H-- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2009/08/14 15:04:51 | 000,282,624 | -H-- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2009/08/14 15:04:50 | 003,596,288 | -H-- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2009/08/14 15:04:49 | 000,007,680 | -H-- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2009/06/10 18:13:10 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\bluevoda.ini

[2009/04/11 20:14:33 | 000,161,253 | -H-- | C] () -- C:\WINDOWS\Expstudio Audio Editor FREE Uninstaller.exe

[2009/01/28 21:53:12 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2009/01/13 20:12:48 | 001,306,624 | -H-- | C] () -- C:\WINDOWS\System32\LENCH2644.DLL

[2008/12/25 20:43:11 | 000,002,182 | -H-- | C] () -- C:\WINDOWS\cdplayer.ini

[2008/12/25 18:33:23 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\948941

[2008/12/25 18:33:22 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\mcs.rma

[2008/11/06 17:07:28 | 000,370,032 | -H-- | C] () -- C:\WINDOWS\System32\LENCAAC.DLL

[2008/10/03 09:17:22 | 001,914,224 | -H-- | C] () -- C:\WINDOWS\System32\ltmm15.dll

[2008/04/21 18:13:58 | 000,124,264 | -H-- | C] () -- C:\WINDOWS\System32\LDECMPG22.dll

[2008/04/15 15:42:52 | 000,148,840 | -H-- | C] () -- C:\WINDOWS\System32\LDECMPG2KRN2.dll

[2008/04/14 18:37:08 | 001,885,544 | -H-- | C] () -- C:\WINDOWS\System32\LDECAAC.dll

[2007/12/05 19:17:04 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\burnaware.ini

[2007/11/28 19:29:40 | 000,000,002 | -H-- | C] () -- C:\WINDOWS\msoffice.ini

[2007/11/23 21:42:23 | 000,026,414 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\info.dat

[2007/11/14 16:15:52 | 000,357,736 | -H-- | C] () -- C:\WINDOWS\System32\LCodcCMP2.dll

[2007/11/14 16:15:38 | 000,705,896 | -H-- | C] () -- C:\WINDOWS\System32\LEncMPG42.dll

[2007/11/14 12:42:27 | 000,484,352 | -H-- | C] () -- C:\WINDOWS\System32\lame_enc.dll

[2007/11/09 06:01:59 | 000,000,164 | -H-- | C] () -- C:\WINDOWS\System32\psyswin32.dll

[2007/11/04 18:39:45 | 000,000,044 | -H-- | C] () -- C:\WINDOWS\System32\lxdcrwrd.ini

[2007/11/04 18:39:43 | 000,286,720 | -H-- | C] () -- C:\WINDOWS\System32\LXDCinst.dll

[2007/11/04 18:38:09 | 000,344,064 | -H-- | C] () -- C:\WINDOWS\System32\lxdccoin.dll

[2007/09/30 21:19:15 | 000,000,052 | -H-- | C] () -- C:\Program Files\Save Windows and Programs (No Data or Documents).BDF

[2007/09/30 21:19:15 | 000,000,052 | -H-- | C] () -- C:\Program Files\Save Data and Documents Only.BDF

[2007/09/30 21:18:59 | 000,004,872 | -H-- | C] () -- C:\WINDOWS\Ufxmaint31.exe

[2007/06/11 18:03:01 | 000,056,832 | -H-- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

[2007/06/11 18:02:49 | 000,338,944 | -H-- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL

[2007/06/11 18:02:49 | 000,118,784 | -H-- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL

[2007/06/11 17:59:26 | 000,512,000 | -H-- | C] () -- C:\WINDOWS\System32\InetIPLP6.dll

[2007/06/11 17:59:26 | 000,503,808 | -H-- | C] () -- C:\WINDOWS\System32\InetIPLPX.dll

[2007/06/11 17:59:26 | 000,491,520 | -H-- | C] () -- C:\WINDOWS\System32\InetIPLP5.dll

[2007/06/11 17:59:25 | 000,524,288 | -H-- | C] () -- C:\WINDOWS\System32\InetIPLA6.dll

[2007/06/11 17:59:25 | 000,516,096 | -H-- | C] () -- C:\WINDOWS\System32\InetIPLM6.dll

[2007/06/11 17:59:25 | 000,495,616 | -H-- | C] () -- C:\WINDOWS\System32\InetIPLM5.dll

[2007/06/11 17:59:25 | 000,020,480 | -H-- | C] () -- C:\WINDOWS\System32\InetIPL.dll

[2007/06/11 17:59:25 | 000,019,968 | -H-- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll

[2007/06/11 17:58:46 | 000,010,240 | -H-- | C] () -- C:\WINDOWS\System32\vidx16.dll

[2007/05/23 23:04:56 | 000,208,896 | -H-- | C] () -- C:\WINDOWS\System32\lxdcgrd.dll

[2007/01/09 12:14:02 | 000,105,616 | -H-- | C] () -- C:\WINDOWS\System32\LMAMpgCnv.dll

[2007/01/09 12:13:54 | 000,191,632 | -H-- | C] () -- C:\WINDOWS\System32\LEncAACKrn.dll

[2007/01/08 17:15:56 | 000,408,720 | -H-- | C] () -- C:\WINDOWS\System32\LEncMPG4Krn.dll

[2007/01/08 17:15:56 | 000,175,248 | -H-- | C] () -- C:\WINDOWS\System32\LENCMPG2KRN2.dll

[2007/01/08 17:15:56 | 000,162,960 | -H-- | C] () -- C:\WINDOWS\System32\LENCMPG22.dll

[2007/01/08 17:15:54 | 001,264,784 | -H-- | C] () -- C:\WINDOWS\System32\LEncH2643.dll

[2007/01/07 19:36:59 | 000,000,248 | -H-- | C] () -- C:\WINDOWS\HCWBlast.ini

[2007/01/07 19:36:37 | 000,065,536 | -H-- | C] () -- C:\WINDOWS\System32\dmcrypto.dll

[2007/01/07 19:34:21 | 000,003,349 | -H-- | C] () -- C:\WINDOWS\HCWPNP.INI

[2007/01/07 18:20:44 | 000,001,356 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2006/12/09 17:16:24 | 000,000,035 | -H-- | C] () -- C:\WINDOWS\A4W.INI

[2006/12/09 17:15:51 | 000,000,040 | -H-- | C] () -- C:\WINDOWS\phbase.ini

[2006/12/09 17:15:10 | 000,000,572 | -H-- | C] () -- C:\WINDOWS\maxlink.ini

[2006/12/09 17:14:15 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\OP70.INI

[2006/12/09 17:13:11 | 000,001,290 | -H-- | C] () -- C:\WINDOWS\pstudio.ini

[2006/12/09 17:13:11 | 000,000,011 | -H-- | C] () -- C:\WINDOWS\album.ini

[2006/08/08 08:10:31 | 000,000,370 | -H-- | C] () -- C:\WINDOWS\PowerReg.dat

[2006/08/08 08:09:23 | 000,000,087 | -H-- | C] () -- C:\WINDOWS\encore_launcher.ini

[2006/07/25 12:14:18 | 000,021,840 | -H-- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2006/07/25 12:14:18 | 000,017,212 | -H-- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2006/07/25 12:14:18 | 000,012,067 | -H-- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2006/07/25 12:14:08 | 000,000,310 | -H-- | C] () -- C:\WINDOWS\EReg515.dat

[2006/06/24 20:04:16 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\EReg077.dat

[2006/06/24 18:24:35 | 000,000,108 | -H-- | C] () -- C:\WINDOWS\TLCAPPS.INI

[2006/05/17 21:47:12 | 000,040,960 | -H-- | C] () -- C:\WINDOWS\System32\lxdcvs.dll

[2006/04/14 07:33:14 | 000,000,231 | -H-- | C] () -- C:\WINDOWS\SIERRA.INI

[2006/04/04 16:29:25 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\webica.ini

[2006/03/05 21:02:28 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\iPlayer.INI

[2006/01/19 20:25:57 | 000,091,648 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/01/15 18:47:12 | 000,032,397 | -H-- | C] () -- C:\WINDOWS\SGTBox.INI

[2006/01/07 13:28:57 | 000,000,063 | -H-- | C] () -- C:\WINDOWS\mdm.ini

[2006/01/03 10:01:14 | 000,000,471 | -H-- | C] () -- C:\WINDOWS\RRK32.INI

[2006/01/03 09:57:47 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\SETUP32.INI

[2006/01/02 18:58:28 | 000,008,704 | -H-- | C] () -- C:\WINDOWS\System32\CNMVS7D.DLL

[2005/12/11 12:06:58 | 000,001,095 | -H-- | C] () -- C:\WINDOWS\disney.ini

[2005/12/11 12:02:37 | 000,000,581 | -H-- | C] () -- C:\WINDOWS\ka.ini

[2005/12/09 10:55:54 | 000,001,502 | -H-- | C] () -- C:\WINDOWS\hegames.ini

[2005/12/05 20:31:57 | 000,210,944 | -H-- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL

[2005/12/05 20:31:57 | 000,040,129 | -H-- | C] () -- C:\WINDOWS\iccsigs.dat

[2005/12/05 20:31:57 | 000,000,149 | -H-- | C] () -- C:\WINDOWS\KPCMS.INI

[2005/12/05 20:20:36 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI

[2005/12/05 20:01:31 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\OpPrintServer.INI

[2005/12/02 20:34:37 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\popcinfo.dat

[2005/12/01 20:44:53 | 000,004,184 | -H-- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2005/12/01 20:44:53 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\712D88B994.sys

[2005/12/01 19:21:14 | 000,000,165 | -H-- | C] () -- C:\WINDOWS\Quicken.ini

[2005/12/01 19:00:51 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\fusioncache.dat

[2005/11/23 03:02:50 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini

[2005/11/23 02:58:09 | 000,098,304 | -H-- | C] () -- C:\WINDOWS\System32\PdeSrv2p.dll

[2005/11/23 02:58:08 | 000,270,848 | -H-- | C] () -- C:\WINDOWS\unwise.exe

[2005/11/23 02:54:29 | 000,000,784 | -H-- | C] () -- C:\WINDOWS\WinInit.Ini

[2005/11/23 02:52:04 | 000,000,335 | -H-- | C] () -- C:\WINDOWS\nsreg.dat

[2005/11/23 02:28:30 | 000,049,152 | -H-- | C] () -- C:\WINDOWS\setpwrcg.exe

[2005/11/23 02:28:10 | 000,000,392 | -H-- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2005/08/16 05:48:31 | 000,002,048 | -H-- | C] () -- C:\WINDOWS\bootstat.dat

[2005/08/16 05:38:45 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2005/08/16 05:37:24 | 000,001,793 | -H-- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2005/08/16 05:33:38 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI

[2005/08/16 05:27:59 | 000,257,456 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2005/08/16 05:18:35 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat

[2005/08/16 05:18:33 | 000,443,202 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2005/08/16 05:18:33 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2005/08/16 05:18:33 | 000,072,276 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2005/08/16 05:18:33 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2005/08/16 05:18:32 | 000,004,627 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat

[2005/08/16 05:18:30 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin

[2005/08/16 05:18:28 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

[2005/08/16 05:18:23 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat

[2005/08/16 05:18:23 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin

[2005/08/16 05:18:15 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat

[2005/08/16 05:18:08 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin

[2005/08/05 15:01:54 | 000,239,104 | -H-- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2005/04/19 17:02:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\px.ini

[2004/02/10 01:51:06 | 000,053,248 | -H-- | C] () -- C:\WINDOWS\System32\UCMfg.exe

[2002/07/24 05:04:24 | 000,024,576 | -H-- | C] () -- C:\WINDOWS\System32\lhtool.exe

[2001/10/08 21:54:34 | 000,045,056 | -H-- | C] () -- C:\WINDOWS\System32\ucinst32.dll

[1999/01/22 16:46:58 | 000,065,536 | -H-- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/12/31 12:26:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2009/08/06 07:36:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Applications

[2006/01/02 18:58:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ

[2011/01/08 10:46:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common

[2005/08/16 21:54:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream

[2010/01/18 23:13:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Disney Interactive

[2009/12/19 10:59:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData

[2008/12/25 20:42:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP

[2007/11/28 20:18:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft

[2008/10/19 19:13:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks

[2010/03/29 13:25:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog

[2006/01/15 20:31:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Otto

[2007/08/26 12:59:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst

[2009/12/01 21:15:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Radica

[2011/03/27 11:37:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\STOIK

[2009/08/14 15:20:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/11/22 13:57:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\VideoMach

[2008/04/26 08:05:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2010/11/06 17:08:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital

[2010/04/18 16:38:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/01/30 14:47:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2008/11/20 20:44:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Canon

[2011/08/28 10:25:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2012/01/16 10:30:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Dropbox

[2010/06/22 20:54:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Facebook

[2010/07/15 22:01:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\FreeBurner

[2010/06/29 10:51:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\ICAClient

[2009/08/02 17:44:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Juniper Networks

[2006/01/20 17:58:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Leadertech

[2008/02/07 22:28:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\LinkedIn

[2005/12/02 20:00:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\MSNInstaller

[2008/02/04 09:11:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Ulead Systems

[2007/12/23 14:28:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Viewpoint

[2010/11/06 20:09:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\Western Digital

[2007/01/15 19:07:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Amie\Application Data\WinPatrol

[2008/08/19 13:38:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\Aim

[2010/11/04 16:36:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\Canon

[2009/11/04 11:15:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\FooPetsDesktop.E1A59F4315F58433140DC6A108B4F20995854275.1

[2010/06/30 09:36:09 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\ICAClient

[2005/12/16 10:07:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\MSNInstaller

[2007/08/26 12:59:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\PlayFirst

[2006/03/18 08:49:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\School Zone Preferences

[2007/12/03 17:30:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Lili\Application Data\WinPatrol

[2010/06/30 18:59:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Acapela Group

[2007/11/05 11:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Aim

[2010/12/31 11:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Audacity

[2009/08/14 14:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Broad Intelligence

[2011/11/07 12:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Canon

[2010/06/12 13:53:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\FreeBurner

[2009/03/24 09:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\FUJIFILM

[2006/04/04 16:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\ICAClient

[2005/12/16 21:10:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Juniper Networks

[2005/12/02 20:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Leadertech

[2007/11/04 18:55:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Lexmark Productivity Studio

[2005/12/01 20:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\MSNInstaller

[2006/01/15 20:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Otto

[2007/11/11 16:42:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Ulead Systems

[2007/12/23 11:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Viewpoint

[2010/11/06 17:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Western Digital

[2007/01/14 19:53:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\WinPatrol

[2010/06/30 19:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Xtranormal

[2008/07/01 12:51:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Nate\Application Data\Aim

[2010/01/13 15:34:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Nate\Application Data\GetRightToGo

[2008/01/01 17:54:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Nate\Application Data\WinPatrol

[2012/01/16 20:25:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stupid Virus\Application Data\WinPatrol

[2012/01/18 01:30:10 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2012/01/17 10:30:09 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\SyncBack Music.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4240575B

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C4532973

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:512B5648

< End of report >

OTL Extras;

OTL Extras logfile created on: 1/18/2012 11:22:16 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Mark\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.07 Mb Total Physical Memory | 490.65 Mb Available Physical Memory | 48.38% Memory free

2.38 Gb Paging File | 1.75 Gb Available in Paging File | 73.20% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 69.82 Gb Total Space | 5.63 Gb Free Space | 8.06% Space Free | Partition Type: NTFS

Drive N: | 74.52 Gb Total Space | 4.63 Gb Free Space | 6.22% Space Free | Partition Type: NTFS

Computer Name: D1FWGW81 | User Name: Mark | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-3367265213-4223227456-216994003-1005\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" %*

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation.)

Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJIFILM Corporation.)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" = C:\Program Files\Lexmark 1300 Series\lxdcamon.exe:*:Disabled:Device Monitor Application -- ()

"C:\Documents and Settings\Amie\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe" = C:\Documents and Settings\Amie\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe:*:Enabled:dsTermServ Module -- (Juniper Networks)

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)

"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax

"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager

"C:\WINDOWS\system32\lxdccoms.exe" = C:\WINDOWS\system32\lxdccoms.exe:*:Enabled:Lexmark Communications System -- ( )

"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application

"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcpswx.exe:*:Enabled: -- ()

"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcjswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdcjswx.exe:*:Enabled: -- ()

"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdctime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdctime.exe:*:Enabled: -- (Lexmark International, Inc.)

"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting -- (Microsoft Corporation)

"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager

"C:\Program Files\Intel\Createshare\VideoPhone\VP50.exe" = C:\Program Files\Intel\Createshare\VideoPhone\VP50.exe:*:Enabled:Intel® Video Phone Container

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

"C:\Documents and Settings\Lili\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Lili\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)

"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)

"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)

"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)

"C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)

"C:\Documents and Settings\Amie\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Amie\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)

"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"__KITTY_LUV___is1" = Kitty Luv v1.8

"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium

"{009435FA-9011-4C36-AE7C-CCC9669E7875}" = Windows Media Format 11 SDK

"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player

"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up

"{1696C54E-599A-4BA2-9941-BB70C4727887}" = Xtranormal State - Voicepack-English-UK-Daniel

"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth

"{1EBEC42C-5E3F-4077-933B-411E33A0C3A4}" = Motorola Driver Installation 4.6.0

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus

"{232DB76D-4751-41A9-9EC2-CDC0DAC1FAB6}" = WD SmartWare

"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.3

"{2515BF88-E42E-4AFA-A8E7-DF272762589B}" = Microsoft Office Live Meeting 2007

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 20

"{29988DC6-9C4A-49B2-AC86-5C380B29ADB9}_is1" = Loaris Trojan Remover 1.2

"{299FC1D1-2FA7-F925-2003-4283726AA8CD}" = FooPets Desktop

"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005

"{3205A978-4A7A-403B-A4B9-D48E6BAFB73B}" = WinPatrol

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page

"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset

"{467A3BF8-4C87-4E68-835C-CE5318C157C2}" = Xtranormal State - Voicepack-English-US-Tom

"{49C09E32-B9FD-4EDC-9152-9BC0CC618A13}" = GetDataBack Data Recovery

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4F1CECBC-670F-4daa-81D6-944B12450917}" = DIGReqEx

"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper

"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.091

"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1

"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver

"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{5CF6EEE9-86B1-3DB6-A07C-8F6C079C39BA}" = Google Talk Plugin

"{5DF68560-292A-11D5-99D1-00010256D40E}" = DV Studio3

"{5E8858EC-6B09-4939-99F2-5678073A0327}" = Microsoft Office Live Meeting 2005

"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam

"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon

"{6304CCF6-3343-4DA5-96B6-84B3A644B93B}" = USB Driver for Panasonic DVC

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5

"{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari

"{6DEEA6A7-AC84-4C08-9944-E06E08DF98B4}" = TurboTax 2010 wctiper

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03

"{7452472E-FC85-4AEB-8B67-24C63ECCF5C8}" = LeapFrog Leapster2 Plugin

"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor

"{7C105657-8AB6-4B3A-94C5-449F5EA13344}" = UCreate Games and Artimation

"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit

"{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}" = LeapFrog Connect

"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper

"{81D62C32-0984-11D3-86CD-00105AD33021}" = Caere Scan Manager 5.1

"{838A22DF-81CA-4452-9BDD-A1745224D960}" = Xtranormal State - Voicepack-English-UK-Serena

"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections

"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{86D28491-78AB-445C-A507-6F3FA81D7611}" = Canon iP6600D Memory Card Utility

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver

"{8EC4F64D-92E4-4274-9495-4C887D49DEC3}" = Xtranormal State

"{901A0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Outlook 2002

"{912536C4-273C-416F-B42C-BBC5B72114D7}" = Xtranormal State - Voicepack-English-US-Samantha

"{9496E9E4-F20A-11D4-8EAA-00062973342B}" = Intel® Create & Share® Software

"{94B099F1-8BC9-4BF1-B044-54F529EE8096}" = iKITMovieDemo

"{98E7E8A0-F859-11D4-B231-0050DACD394D}" = Disney's Winnie the Pooh Toddler

"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders

"{99F0545E-D93D-481D-8088-7F50FD76DE55}" = Scrapbooks Plus

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A0383B7D-81A2-49D3-BE06-C0FD9EFB9DFC}" = Corel Painter IX

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine

"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio

"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy

"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation

"{B5C314F7-928B-44E3-A8A3-169648B1077D}" = Xtranormal State - SoundPack-Starter Kit

"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call

"{BEAD39CD-901D-4267-8B8B-EAA83CB4B70D}" = Pivot Stickfigure Animator

"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = RemoteCapture 2.7.0

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{C769B501-2BE8-46ed-9E69-118F008A0917}" = DIGOpt

"{C975D391-7BF6-44A0-A4FF-EDF3CFD88F68}" = ArcSoft MediaImpression for Kodak

"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe

"{D28CB048-A0AB-4F98-909F-69F3F25AA87D}" = Xtranormal State - Showpak-Playgoz-Preview

"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime

"{DDC5B3E0-C656-4070-9CF0-E592EC60AD42}" = MotoConnect

"{E05C1807-0FAA-4C17-81DF-C8C96489D363}" = First Steps

"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager

"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series

"{E67EDCA1-18E1-4136-ABF6-D21F2A129A46}" = Avatar - The Last Airbender

"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks

"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009

"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = File Viewer Utility 1.2

"{F2AB2488-A0BF-4A9B-98A9-A88CF20FD2FF}" = Meeting Manager for Internet Explorer

"{F59A9E08-A6A4-4ACF-91F2-D0344956C30B}" = iTunes

"{FC762EAA-069E-47F4-87C3-8C944A4E7B49}" = EASEUS Data Recovery Wizard 3.0

"3DGroove" = OTOY

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Adobe Illustrator 9.0" = Adobe Illustrator 9.0

"Adobe Photoshop 5.0 Limited Edition" = Adobe Photoshop 5.0 Limited Edition

"Adobe Shockwave Player" = Adobe Shockwave Player

"Adobe SVG Viewer" = Adobe SVG Viewer

"AOL Instant Messenger" = AOL Instant Messenger

"Audacity 1.3 Beta_is1" = Audacity 1.3.12

"Audacity_is1" = Audacity 1.2.6

"AVGAntiSpyware75" = AVG Anti-Spyware 7.5

"Backup To DVD/CD_is1" = Backup To DVD/CD version 5.1

"Blue's Treasure Hunt" = Blue's Treasure Hunt

"BlueVoda_Website_Builder_1.0" = BlueVoda Website Builder 10.2m

"CAL" = Canon Camera Access Library

"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX

"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX

"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX

"Canon ScanGear Toolbox CS" = Canon ScanGear Toolbox CS 2.2

"CANONBJ_Deinstall_CNMCP7D.DLL" = Canon iP6600D

"Charter" = Charter Pipeline Professor

"Charter Automated Solution Controls Installation_is1" = Charter Solution Controls Installation

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"Coupon Printer for Windows4.0" = Coupon Printer for Windows

"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows

"Coupons.com Toolbar" = Coupons.com Toolbar

"CSCLIB" = Canon Camera Support Core Library

"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver

"Dell File Manager" = Dell DJ Explorer

"DPP" = Canon Utilities Digital Photo Professional 2.2

"DVD Identifier_is1" = DVD Identifier

"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint

"Easy-WebPrint" = Easy-WebPrint

"EmeraldQFE2" = Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information]

"EOS Utility" = Canon Utilities EOS Utility

"ERUNT_is1" = ERUNT 1.1j

"Expstudio Audio Editor FREE" = Expstudio Audio Editor FREE

"FooPetsDesktop.E1A59F4315F58433140DC6A108B4F20995854275.1" = FooPets Desktop

"Free Easy Burner_is1" = Free Easy Burner V 4.0

"FREE Hi-Q Recorder_is1" = FREE Hi-Q Recorder 1.9

"HijackThis" = HijackThis 2.0.2

"InstallShield_{6304CCF6-3343-4DA5-96B6-84B3A644B93B}" = USB Driver for Panasonic DVC

"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = Canon Utilities RemoteCapture 2.7

"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = Canon Utilities File Viewer Utility 1.2

"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem

"InterActual Player" = InterActual Player

"IrfanView" = IrfanView (remove only)

"JSTD2001" = JumpStart Toddlers 2001

"Kaspersky Online Scanner" = Kaspersky Online Scanner

"KLiteCodecPack_is1" = K-Lite Codec Pack 3.4.5 Full

"LAME for Audacity_is1" = LAME v3.98.2 for Audacity

"Leapster2Plugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)

"Lexmark 1300 Series" = Lexmark 1300 Series

"Magic M4A to MP3 Converter_is1" = Magic M4A to MP3 Converter 3.72

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSNINST" = MSN

"MVApplication1" = Memorex exPressit Label Design Studio

"N360" = Norton 360

"PhotoRecord" = Canon PhotoRecord

"PhotoStitch" = Canon Utilities PhotoStitch

"PROSet" = Intel® PRO Network Connections Drivers

"Protection Portfolio" = Protection Portfolio 1.0

"RADVideo" = RAD Video Tools

"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX

"Reader Rabbit Kindergarten" = Reader Rabbit Kindergarten

"Reader Rabbit Preschool" = Reader Rabbit Preschool

"RealPlayer 6.0" = RealPlayer Basic

"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX

"Rhapsody" = Rhapsody

"RRTW32.EXE" = Reader Rabbit's Toddler

"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4

"SpywareBlaster_is1" = SpywareBlaster v3.5.1

"Stylin' Studio_is1" = Stylin' Studio v1.0

"SyncBack_is1" = SyncBack

"TurboTax 2010" = TurboTax 2010

"U.B. Funkeys" = U.B. Funkeys

"UnityWebPlayer" = Unity Web Player

"UPCShell" = LeapFrog Connect

"VideoMach" = VideoMach

"Viewpoint Manager" = Viewpoint Manager (Remove Only)

"Virtools3DLifePlayer" = Virtools 3D Life Player

"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell

"WIC" = Windows Imaging Component

"Windows Media Encoder 9" = Windows Media Encoder 9 Series

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"WMV9_VCM" = Microsoft Windows Media Video 9 VCM

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >


Run RogueKiller again > Choose 1 to scan the system

Then choose 2 to delete

Post the log.

---------------------------

Next.......

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKU\S-1-5-21-3367265213-4223227456-216994003-1009\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
    O3 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3367265213-4223227456-216994003-1005\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O4 - HKLM..\Run: [EleFunAnimatedWallpaper] File not found
    O4 - HKU\S-1-5-21-3367265213-4223227456-216994003-1009..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" File not found
    O4 - Startup: C:\Documents and Settings\Amie\Start Menu\Programs\Startup\Dropbox.lnk = File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
    [2012/01/16 11:07:24 | 000,000,464 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\wAbs6XSRvavIDG
    [2012/01/16 11:04:41 | 000,000,296 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDG
    [2012/01/16 11:04:40 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDGr
    [2012/01/16 10:21:52 | 000,456,448 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\jEGCsSWIMfSR.exe
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

-----------------------

Last........

Please download and run the Bitdefender Bootkit Removal Tool 32-bit version

http://www.malwareci...ction-1238.html

It runs very quickly, let me know if it finds anything.

MrC


OK here you go.

RogueKiller V6.2.4 [01/12/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Mark [Admin rights]

Mode: Scan -- Date : 01/19/2012 18:07:03

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] cnmsr8z.dll -- C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MX310 series Printer\LanguageModules\0409\cnmsr8z.dll -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤

[PROXY FF] 37qlj6z6.default\ :0 -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

127.0.0.1 ad.a8.net

127.0.0.1 asy.a8ww.net

127.0.0.1 a9rhiwa.cn #[Google.Warning]

127.0.0.1 www.a9rhiwa.cn

127.0.0.1 acezip.net #[siteAdvisor.acezip.net]

127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]

127.0.0.1 phpadsnew.abac.com

127.0.0.1 a.abnad.net

127.0.0.1 b.abnad.net

127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

127.0.0.1 d.abnad.net

127.0.0.1 e.abnad.net

127.0.0.1 t.abnad.net

127.0.0.1 z.abnad.net

127.0.0.1 banners.absolpublisher.com

127.0.0.1 tracking.absolstats.com

127.0.0.1 adv.abv.bg

127.0.0.1 bimg.abv.bg

127.0.0.1 www2.a-counter.kiev.ua

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] b06e73c66339463180a39c4c9d62e582

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] de5b23b5d87475d0281791499ed5b35a

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 156232125 | Size: 9 Mo

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

After delete;

RogueKiller V6.2.4 [01/12/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Mark [Admin rights]

Mode: Remove -- Date : 01/19/2012 18:07:37

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[PROXY FF] 37qlj6z6.default\ :0 -> NOT REMOVED, USE PROXYFIX

[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

127.0.0.1 ad.a8.net

127.0.0.1 asy.a8ww.net

127.0.0.1 a9rhiwa.cn #[Google.Warning]

127.0.0.1 www.a9rhiwa.cn

127.0.0.1 acezip.net #[siteAdvisor.acezip.net]

127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]

127.0.0.1 phpadsnew.abac.com

127.0.0.1 a.abnad.net

127.0.0.1 b.abnad.net

127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

127.0.0.1 d.abnad.net

127.0.0.1 e.abnad.net

127.0.0.1 t.abnad.net

127.0.0.1 z.abnad.net

127.0.0.1 banners.absolpublisher.com

127.0.0.1 tracking.absolstats.com

127.0.0.1 adv.abv.bg

127.0.0.1 bimg.abv.bg

127.0.0.1 www2.a-counter.kiev.ua

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] b06e73c66339463180a39c4c9d62e582

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] de5b23b5d87475d0281791499ed5b35a

[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo

1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo

2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo

3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 156232125 | Size: 9 Mo

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

OTL;

All processes killed

========== OTL ==========

Registry key HKEY_USERS\S-1-5-21-3367265213-4223227456-216994003-1009\Software\Microsoft\Internet Explorer\URLSearchHooks not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\ not found.

Registry value HKEY_USERS\S-1-5-21-3367265213-4223227456-216994003-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.

Registry value HKEY_USERS\S-1-5-21-3367265213-4223227456-216994003-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\EleFunAnimatedWallpaper deleted successfully.

Registry key HKEY_USERS\S-1-5-21-3367265213-4223227456-216994003-1009\Software\Microsoft\Windows\CurrentVersion\Run not found.

C:\Documents and Settings\Amie\Start Menu\Programs\Startup\Dropbox.lnk moved successfully.

Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

C:\Documents and Settings\All Users\Application Data\wAbs6XSRvavIDG moved successfully.

C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDG moved successfully.

C:\Documents and Settings\All Users\Application Data\~wAbs6XSRvavIDGr moved successfully.

C:\Documents and Settings\All Users\Application Data\jEGCsSWIMfSR.exe moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Amie

->Temp folder emptied: 52775609 bytes

->Temporary Internet Files folder emptied: 402 bytes

->Java cache emptied: 35072216 bytes

->Flash cache emptied: 4553218 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41044 bytes

User: Lili

->Temp folder emptied: 27307603 bytes

->Temporary Internet Files folder emptied: 6270320 bytes

->Java cache emptied: 77241021 bytes

->FireFox cache emptied: 64088219 bytes

->Flash cache emptied: 630605 bytes

User: LocalService

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 348 bytes

User: Mark

->Temp folder emptied: 29711486 bytes

->Temporary Internet Files folder emptied: 459154 bytes

->Java cache emptied: 4799927 bytes

->FireFox cache emptied: 43681059 bytes

->Flash cache emptied: 870963 bytes

User: Nate

->Temp folder emptied: 5635420 bytes

->Temporary Internet Files folder emptied: 402 bytes

->Java cache emptied: 33679189 bytes

->FireFox cache emptied: 78891754 bytes

->Flash cache emptied: 107940 bytes

User: NetworkService

->Temp folder emptied: 1401226 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Stupid Virus

->Temp folder emptied: 1806180 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41044 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 7260275 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 81920 bytes

Windows Temp folder emptied: 17598685 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 151972546 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 4287066727 bytes

Total Files Cleaned = 4,705.00 mb

OTL by OldTimer - Version 3.2.31.0 log created on 01192012_181715

Files\Folders moved on Reboot...

C:\WINDOWS\temp\Perflib_Perfdata_11c.dat moved successfully.

Registry entries deleted on Reboot...

Bootkit found Rootkit.MBR.Sst.B

Thanks

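The RogueKiller "MBR Check" block in the post above is the part that matters for this thread: the partition table read through the normal Windows disk API ("User") and the one read at a lower level ("LL2") disagree, and that disagreement is what the Root.MBR verdict and the later Rootkit.MBR.Sst.B detection rest on. The script below is an added example, not RogueKiller's own code and not part of the thread or the tools used in it. It parses that block (copied from the report above as constructed sample text, including the forum's lowercased "[bSP]" label) and spells out each discrepancy a responder would want listed: the differing MBR hash, the partition whose ACTIVE flag is shown to the OS but not present on disk, and the extra hidden 9 MB active partition that only the low-level read reveals. The line format it assumes is the one visible in this report (RogueKiller V6.2.4).

```python
"""Compare the user-mode ("User") and low-level ("LL2") views of the MBR in a
RogueKiller report.  Added example: not RogueKiller's own code and not part of
the forum thread.  The line format assumed below is the one visible in the
report posted in this thread (RogueKiller V6.2.4)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the "MBR Check" block copied from the RogueKiller report above.
SAMPLE_REPORT = """\
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] b06e73c66339463180a39c4c9d62e582
[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo
2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] de5b23b5d87475d0281791499ed5b35a
[bSP] bbcdba4976219ebf1709000fd9b570dd : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 74965 Mo
2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 146496735 | Size: 4984 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 156232125 | Size: 9 Mo
"""


@dataclass(frozen=True)
class Partition:
    index: int
    flag: str        # "ACTIVE" or "XXXXXX" (inactive), as RogueKiller prints it
    fs: str          # file system label, e.g. NTFS, FAT16
    visibility: str  # "HIDDEN!" or "VISIBLE"
    offset: int      # start sector
    size_mb: int     # RogueKiller prints "Mo" (megaoctet, i.e. megabyte)


@dataclass
class MbrView:
    name: str
    mbr_hash: str = ""
    partitions: List[Partition] = field(default_factory=list)


VIEW_RE = re.compile(r"^--- (\w+) ---$")
MBR_RE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")
PART_RE = re.compile(
    r"^(\d+) - \[(\w+)\] (\S+) \[(HIDDEN!|VISIBLE)\] "
    r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$"
)


def parse_views(report: str) -> Dict[str, MbrView]:
    """Collect every '--- <name> ---' block with its MBR hash and partition rows."""
    views: Dict[str, MbrView] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            current = MbrView(m.group(1))
            views[current.name] = current
            continue
        if current is None:
            continue
        m = MBR_RE.match(line)
        if m:
            current.mbr_hash = m.group(1)
            continue
        m = PART_RE.match(line)
        if m:
            current.partitions.append(Partition(
                int(m.group(1)), m.group(2), m.group(3), m.group(4),
                int(m.group(5)), int(m.group(6))))
    return views


def active_partition(view: MbrView):
    """Index of the partition flagged ACTIVE (the one the MBR code boots), or None."""
    for p in view.partitions:
        if p.flag == "ACTIVE":
            return p.index
    return None


def diff_views(views: Dict[str, MbrView], user: str = "User", lowlevel: str = "LL2") -> List[str]:
    """List every way the low-level read disagrees with the user-mode read.

    A clean machine gives identical views; a disagreement means something between
    the Windows disk API and the sectors on the platter is rewriting what the OS
    is allowed to see, which is the MBR-bootkit pattern this thread is dealing with."""
    u, l = views[user], views[lowlevel]
    findings: List[str] = []
    if u.mbr_hash != l.mbr_hash:
        findings.append(f"MBR hash differs: {user}={u.mbr_hash} {lowlevel}={l.mbr_hash}")
    u_by = {p.index: p for p in u.partitions}
    l_by = {p.index: p for p in l.partitions}
    for idx in sorted(set(u_by) | set(l_by)):
        if idx not in u_by:
            p = l_by[idx]
            findings.append(
                f"partition {idx} only at low level: {p.flag} {p.fs} {p.visibility} "
                f"offset={p.offset} size={p.size_mb} MB")
        elif idx not in l_by:
            findings.append(f"partition {idx} only in user-mode view")
        elif u_by[idx] != l_by[idx]:
            findings.append(
                f"partition {idx} differs: {user}={u_by[idx].flag}/{u_by[idx].visibility} "
                f"{lowlevel}={l_by[idx].flag}/{l_by[idx].visibility}")
    return findings


if __name__ == "__main__":
    for finding in diff_views(parse_views(SAMPLE_REPORT)):
        print(finding)
```

Run as-is it reports three findings for the sample: the MBR hash differs between the two reads, partition 1 is ACTIVE only in the user-mode view, and a hidden ACTIVE NTFS partition of 9 MB at sector 156232125 exists only in the low-level view. That last one is the real boot target the OS is not allowed to see; the user-mode table is what the hooked disk I/O path hands back, which is why a scanner that only uses the normal API can report a clean MBR.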

Bootkit found Rootkit.MBR.Sst.B

This is what Bitdefender Bootkit Removal Tool found??

--------------------------

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


Yes, that's what Bitdefender found.

Here's the ComboFix.txt

ComboFix 12-01-19.02 - Mark 01/19/2012 23:02:20.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.518 [GMT -5:00]

Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe

AV: Norton 360 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\cfp.exe

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Documents\~WRL2035.tmp

c:\documents and settings\All Users\Documents\~WRL2360.tmp

c:\documents and settings\All Users\Documents\~WRL3118.tmp

c:\documents and settings\All Users\SPL16.tmp

c:\documents and settings\All Users\SPL17.tmp

c:\documents and settings\All Users\SPLA2.tmp

c:\documents and settings\All Users\SPLC.tmp

c:\documents and settings\All Users\SPLE.tmp

c:\documents and settings\Lili\WINDOWS

c:\documents and settings\Mark\Recent\Thumbs.db

c:\documents and settings\Mark\WINDOWS

c:\program files\GuffinsEI

c:\program files\GuffinsEI\Installr\3.bin\NPu4EISb.dll

c:\program files\GuffinsEI\Installr\3.bin\u4EIPlug.dll

c:\program files\GuffinsEI\Installr\3.bin\u4EZSETP.dll

c:\windows\kb913800.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_I386P

-------\Legacy_MSSECURITY1.209.4

.

.

((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))

.

.

2012-01-20 06:53 . 2012-01-20 06:53 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6C2F9413-B0FE-45E3-8F51-E9C23E0EC650}\offreg.dll

2012-01-20 06:50 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{6C2F9413-B0FE-45E3-8F51-E9C23E0EC650}\mpengine.dll

2012-01-20 01:10 . 2012-01-20 01:10 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys

2012-01-19 23:17 . 2012-01-19 23:17 -------- d-----w- C:\_OTL

2012-01-19 04:16 . 2012-01-19 23:07 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-01-17 06:30 . 2012-01-17 06:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2012-01-17 01:23 . 2012-01-17 01:23 -------- d-----w- c:\documents and settings\Stupid Virus

2012-01-17 00:25 . 2012-01-17 00:25 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\PCHealth

2012-01-16 23:15 . 2012-01-16 23:15 -------- d-----w- C:\777d139e704704f2335f16f63ada7524

2012-01-16 19:23 . 2012-01-16 19:23 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Nova Development

2012-01-16 19:23 . 2012-01-16 19:23 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\IdeaSoft

2012-01-15 01:13 . 2012-01-15 01:13 -------- d--h--w- c:\program files\RADVideo

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-10 20:24 . 2009-12-04 00:53 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-23 13:25 . 2005-08-16 10:18 1859584 ---h--w- c:\windows\system32\win32k.sys

2011-11-21 10:47 . 2007-01-15 01:20 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-11-18 12:35 . 2005-08-16 10:18 60416 ---h--w- c:\windows\system32\packager.exe

2011-11-15 19:29 . 2009-10-02 18:34 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-11-11 16:12 . 2011-11-11 16:12 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-01 20:35 . 2005-08-16 10:18 667136 ---ha-w- c:\windows\system32\wininet.dll

2011-11-01 20:35 . 2005-08-16 10:18 61952 ---h--w- c:\windows\system32\tdc.ocx

2011-11-01 20:35 . 2005-08-16 10:18 81920 ---h--w- c:\windows\system32\ieencode.dll

2011-11-01 16:07 . 2005-08-16 10:18 1288704 ---ha-w- c:\windows\system32\ole32.dll

2011-11-01 15:02 . 2005-08-16 10:18 369664 ---h--w- c:\windows\system32\html.iec

2011-10-28 05:31 . 2005-08-16 10:18 33280 ---h--w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37 . 2005-08-16 10:18 2148864 ---h--w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52 . 2004-08-04 04:59 2027008 ---h--w- c:\windows\system32\ntkrnlpa.exe

2011-02-10 21:35 . 2011-02-14 00:47 702464 ---ha-w- c:\program files\Uninstall Guffins.dll

2011-12-21 07:24 . 2011-12-27 04:25 121816 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-23 26112]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2006-10-01 255552]

"SS_MW"="c:\program files\Radica\Stylin' Studio\SS_MW.exe" [2008-04-26 524288]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-12-15 80448]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

c:\documents and settings\Mark\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=

"c:\\Documents and Settings\\Amie\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\WINDOWS\\system32\\lxdccoms.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Documents and Settings\\Lili\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Documents and Settings\\Amie\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0404000.00C\symds.sys [10/11/2011 6:39 PM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0404000.00C\symefa.sys [10/11/2011 6:39 PM 173176]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20111210.003\BHDrvx86.sys [12/14/2011 5:57 PM 819320]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0404000.00C\cchpx86.sys [10/11/2011 6:39 PM 485512]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0404000.00C\ironx86.sys [10/11/2011 6:39 PM 116784]

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]

R2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\4.4.0.12\ccsvchst.exe [10/11/2011 6:39 PM 126400]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2/13/2011 8:12 PM 36224]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/14/2011 11:01 AM 106104]

R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [1/7/2007 7:33 PM 472644]

S3 ICam7fil;Intel® CS431 Audio Filter Driver;c:\windows\system32\drivers\icam7fil.sys [6/11/2007 5:56 PM 19640]

S3 Icam7USB;Intel® PC Camera CS431;c:\windows\system32\drivers\ICAM7D2.SYS [6/11/2007 5:57 PM 158848]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20111216.001\IDSXpx86.sys [12/16/2011 6:29 PM 356280]

S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2/23/2011 5:42 PM 30576]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/6/2010 5:08 PM 11520]

S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2/13/2011 8:12 PM 134912]

S4 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [5/25/2007 4:38 AM 99248]

S4 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [5/30/2011 9:16 PM 91456]

S4 NetFxUpdate_v1.0.3705;Microsoft .NET Framework v1.0.3705 Update;c:\windows\Microsoft.NET\Framework\v1.0.3705\netfxupdate.exe [9/29/2004 6:11 PM 82976]

S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 5:18 AM 14336]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/23/2007 2:32 PM 24652]

S4 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [11/13/2009 10:28 AM 110592]

S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*Deregistered* - ArcRec

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-20 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2012-01-17 c:\windows\Tasks\SyncBack Music.job

- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2010-11-17 20:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://login.passport.net/uilogin.srf?lc=1033&id=6528

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

Trusted Zone: intuit.com\ttlc

Trusted Zone: pb.com\bvcontp1.ct

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\37qlj6z6.default\

FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/default.armx?lc=1033&id=6528

FF - prefs.js: network.proxy.type - 1

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

SafeBoot-AVG Anti-Spyware Driver

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-20 07:11

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1300)

c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxdccoms.exe

c:\windows\system32\DRIVERS\WtSrv.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2012-01-20 07:22:04 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-20 12:22

.

Pre-Run: 10,988,998,656 bytes free

Post-Run: 12,806,094,848 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 592AFAC4FE6E6AFFCE9D3AECD0968748


Actually, looking through the PC, there are a lot of files that are missing, programs too. Any thoughts as to where those might have gone?

EDIT

I think I found them, it seems the malware checked Read-only and Hidden on a lot of our files. Does this make sense?

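The attribute flipping described in the post above (the rogue "you have been infected" family sets Read-only and Hidden on the victim's own files so the desktop looks wiped) can be reversed with `attrib -h -r /s /d` from a command prompt, but a blanket run also unhides files Windows keeps hidden on purpose. The script below is an added example, not code from this thread and not the solution post MrC links to (that post is not visible here). It plans the cleanup as a pure function so it can be checked against constructed sample entries, only touches entries that are not also marked System and are not on a small allow-list of profile files that are legitimately hidden (the allow-list and the policy are assumptions for this example, not the forum's advice), and defaults to a dry run. The Windows-only walker uses `GetFileAttributesW`/`SetFileAttributesW` from kernel32; the sample paths are constructed.

```python
"""Undo malware-set Hidden/Read-only attributes under a user profile.

Added example, not part of the forum thread. Policy and allow-list are
assumptions for illustration; review the dry-run output before applying.
"""
import ctypes
import ntpath
import os
import sys

# Win32 attribute bits from winnt.h (fixed by the API, not assumptions).
FILE_ATTRIBUTE_READONLY = 0x0001
FILE_ATTRIBUTE_HIDDEN = 0x0002
FILE_ATTRIBUTE_SYSTEM = 0x0004
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF

# Names Windows itself keeps hidden inside a profile. Assumed allow-list
# for this example; extend it for the machine you are cleaning.
KEEP_HIDDEN = {"desktop.ini", "thumbs.db", "ntuser.dat", "ntuser.ini",
               "ntuser.dat.log", "application data", "local settings"}

# Constructed sample entries (path, attribute word) standing in for a
# directory walk of the infected profile: 0x20 = Archive, 0x10 = Directory.
SAMPLE_ENTRIES = [
    (r"C:\Documents and Settings\Mark\My Documents\taxes.xls", 0x23),   # H+R set by malware
    (r"C:\Documents and Settings\Mark\My Documents\desktop.ini", 0x26), # System+Hidden, legit
    (r"C:\Documents and Settings\Mark\NTUSER.DAT", 0x22),               # Hidden, allow-listed
    (r"C:\Documents and Settings\Mark\My Documents", 0x12),             # directory hidden by malware
    (r"C:\Documents and Settings\Mark\My Documents\notes.txt", 0x20),   # untouched
]


def restored_attributes(attrs, name):
    """Return the attribute word an entry should have after cleanup.

    Clear Hidden and Read-only unless the entry is also marked System or
    its name is on the allow-list, in which case leave it exactly as found.
    """
    if attrs & FILE_ATTRIBUTE_SYSTEM or name.lower() in KEEP_HIDDEN:
        return attrs
    return attrs & ~(FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY)


def plan_cleanup(entries):
    """Return [(path, old_attrs, new_attrs)] for entries that would change.

    Pure function over (path, attrs) pairs, so it runs offline on
    SAMPLE_ENTRIES as well as on a real walk.
    """
    changes = []
    for path, attrs in entries:
        new = restored_attributes(attrs, ntpath.basename(path))
        if new != attrs:
            changes.append((path, attrs, new))
    return changes


def walk_attributes(root):
    """Yield (path, attrs) for every file and directory under root.

    Windows only: reads attributes through kernel32.GetFileAttributesW.
    """
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            attrs = k32.GetFileAttributesW(path)
            if attrs != INVALID_FILE_ATTRIBUTES:
                yield path, attrs


def apply_cleanup(root, dry_run=True):
    """Plan the changes under root and apply them unless dry_run is set."""
    changes = plan_cleanup(walk_attributes(root))
    if not dry_run:
        k32 = ctypes.windll.kernel32
        for path, _old, new in changes:
            k32.SetFileAttributesW(path, new)
    return changes


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows machine")
    args = [a for a in sys.argv[1:] if a != "--apply"]
    target = args[0] if args else os.path.expandvars(r"%USERPROFILE%")
    for path, old, new in apply_cleanup(target, dry_run="--apply" not in sys.argv):
        print(f"{path}: 0x{old:04x} -> 0x{new:04x}")
```

Run it once without `--apply` and read the list; anything that looks like an operating-system file rather than one of your own documents should go on the allow-list before the second, real run. Keeping System-attributed entries untouched is what stops the script from exposing items such as `desktop.ini` that the malware never touched.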

Yes, that's what the malware does; see my post below for solutions:

http://forums.malwar...ndpost&p=518733

------------------------------------------

You have out of date Java on the system:

Java™ 6 Update 20

Java 2 Runtime Environment, SE v1.4.2_03

Older versions are vulnerable to malware.

Go to your Control Panel's Add/Remove Programs and uninstall any and all Java found.

Then download and run JavaRa to clear out any left-overs, info here

Then download and install the latest version: Version 6 Update 30

http://www.java.com/...load/manual.jsp <---latest version

http://www.java.com/...d/installed.jsp <---verify your Java

-----------------------------------------

Please Uninstall ComboFix:

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore Point.

---------------------------------

Run OTL and hit the CleanUp button. (This will clean up the tools and logs used, including itself.)

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

If I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

