XP reboots at start up. Possible virus.

[Fright]

Hey guys.

I wasn't sure if this was the best place to post, but I'm 99% sure this is some type of virus/malware. My computer was working fine last night and I woke up and noticed microsoft security essentials said my computer needed a restart. So I went to restart my computer and now after the initial boot up it restarts and continues this cycle. As soon as the Lenovo logo is done loading and then should continue into the user sign in page it just loads into a black screen instead, sits there for about 30 seconds and then restarts. I am not able to go into safe mode or any other screen. When I press F8 it just goes to a black screen again and then restarts.

I changed the boot order to CD Rom first and then I ran chkdsk and nothing came back wrong, so this is what has me convinced that it is a virus. I have aslo tried to run recovery console but that continues to just a black screen and just sits there.

I'm thinking this may be a virus as my computer has been running rather slow lately and chkdsk has shown there are no hard drive issues. Please let me know what I can do to get my computer up and running again. Thanks!

[Elise]

Hello, first lets see if we can find out a bit more about this problem.

We Need to Diagnose Your BlueScreen

1. When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
   
2. Select "Disable Automatic Restart on System Failure", as shown here:
   
   
3. When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
   
   

Please post me the error(s).

[Fright]

As stated in my original post, when I hit F8 it just goes to a black screen, I cannot select any options on the first picture you have posted. Any other options?

[Elise]

Ah, sorry, I thought you meant after you choose an F8 option.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
  
• A new folder will appear on the desktop.
  
• Open the GETxPUD folder and click on the get&burn.bat
  
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  
• Click on Start and follow the prompts to burn the image to a CD.
  
• Remove the USB & CD and insert it in the sick computer
  
• Boot the Sick computer with the CD you just burned
  
• The computer must be set to boot from the CD
  
• Gently tap F12 and choose to boot from the CD
  
• Follow the prompts
  
• A Welcome to xPUD screen will appear
  
• Press File
  
• Expand mnt
  
• sda1,2...usually corresponds to your HDD
  
• sdb1 is likely your USB
  
• Click on the folder that represents your USB drive (sdb1 ?)
  
• Press Tool at the top
  
• Choose Open Terminal
  
• Type the following and press enter:
  dd if=/dev/sda of=mbr.bin bs=512 count=1
  
• Press Enter
  
• After it has finished a file will be located on your USB drive named mbr.bin
  
• Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
  

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

[Fright]

Ok I get all the way to typing in the command under open terminal. It seems to do something as it reads off a bunch of stuff, looks like definitions of the command I typed. It seems to stop after a few seconds, but when I remove the USB device (have used 2 already) no file seems to be saved for me to put into a zip. Is there something I'm missing? Is there a way I can type the results instead?

[Fright]

I restarted and tried it again, now after I enter the command it says

1+0 records in

1+0 records out

Still no file saved to USB.

[Fright]

Never mind. I got it to show up but I had to copy paste it into a folder in the USB. Here it is.

mbr.zip

[Elise]

• Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
  
• If your PC is not booting from the CD, you need to change the boot order:
  
  • Restart your PC
    
  • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    
  • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    
  • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    
  • The tab should now show your current boot order.
    If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    
  • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    

  [*]Your PC should now boot from your XP-CD.

  Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  [*]When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  [*]When prompted to choose a windows installation, type 1 and press enter.

  [*]When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  [*]A command prompt will open

Type fixmbr and press enter. If you get a warning about a non-standard or corrupt MBR, continue UNLESS you use drive encryption!

Type exit and press enter to restart your computer Let me know if it boots normally now.

[Fright]

I don't have a copy of Windows XP. This is my fiance's computer and she said it never came with a windows disk when she bought it. Is there a way around this or some place I could download recovery console to a disk?

[Elise]

Please use the following disk instead (since you mentioned running checkdisk, I assumed you had a disk, sorry for that).

Please download ARCDC from Artellos.com.

• Double click ARCDC.exe
  
• Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  
• You will be prompted with a Terms of Use by Microsoft, please accept.
  
• You will see a few dos screens flash by, this is normal.
  
• Next you will be able to choose to add extra files. Select the Default Files.
  
• The last window will allow you to burn the disk using BurnCDCC
  

Your ISO is located on your desktop.

[Fright]

I found an ISO of recovery console and tried to run it, but it keeps coming up as a black screen. Yes I have changed the boot to CD ROM first and I have tried to burn the disk twice just to see if it was that, still just a black screen. It sounds like the cd is being read, but it just sits there and then stops this time with out restarting.

[Fright]

I just seen your new post. I'll try that real quick.

[Fright]

Woohoo. That worked. I assumed I wanted to run recovery console since you mentioned to earlier from the XP disk so I started that. Now it's asking what windows installation would you like to log onto?

[Elise]

Type 1 and press enter. (see also my earlier instructions).

[Fright]

Never mind. I see the instructions for the XP disk were the same.

It worked!! My computer booted up normally once I changed the boot order. Thank you thank you thank you.

Do you know what might have caused this? Also, what live malware/virus protection would you recommend? I always seem to get it no matter what I have to protect my computer!

[Elise]

I'm glad to hear that. Most likely this was a TDL4 infection (a rootkit that infects the master boot record of a drive). MSSE most likely decided to attempt to clean it, but something went wrong, resulting in a corrupt MBR, which prevented the computer from booting again.

First lets make sure everything is clean and once done, I'll give you some prevention advice.

OTL

-----

Please download OTL from one of the following mirrors:

• • This is THE Mirror
    

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Push the Quick Scan button.

[*]Two reports will open, copy and paste them in a reply here:

• OTListIt.txt <-- Will be opened
  
• Extra.txt <-- Will be minimized
  

[Fright]

OTL logfile created on: 2/3/2011 4:02:10 PM - Run 3

OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\bobbileigh\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.00 Mb Total Physical Memory | 292.00 Mb Available Physical Memory | 29.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 67.00% Paging File free

Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 228.49 Gb Total Space | 29.61 Gb Free Space | 12.96% Space Free | Partition Type: NTFS

Computer Name: LENOVO-B3862E77 | User Name: bobbileigh | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\bobbileigh\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\AIM7\aim.exe (AOL Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

PRC - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe ()

PRC - C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe (Motorola)

PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Belkin\F7D4101\V1\PBN.exe ()

PRC - c:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe (GRISOFT, s.r.o.)

PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)

PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)

PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)

PRC - C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

PRC - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

PRC - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

PRC - C:\Program Files\Common Files\Lenovo\Logger\logmon.exe ()

PRC - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe ()

PRC - c:\Program Files\Lenovo\System Update\SUService.exe ( )

PRC - C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)

PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)

PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)

PRC - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe ()

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

PRC - C:\WINDOWS\system32\ico.exe (Primax Electronics Ltd.)

PRC - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe ()

PRC - C:\WINDOWS\system32\FSRremoS.EXE ()

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\bobbileigh\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msvbvm60.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\dinput.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- File not found

SRV - (KodakCCS) -- File not found

SRV - (AppMgmt) -- File not found

SRV - (MotoConnect Service) -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe ()

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (WLANBelkinService) -- C:\Program Files\Belkin\F7D4101\V1\wlansrv.exe ()

SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)

SRV - (AVGEMS) -- C:\Program Files\Grisoft\AVG Free\avgemc.exe (GRISOFT, s.r.o.)

SRV - (Avg7Alrt) -- C:\Program Files\Grisoft\AVG Free\avgamsvr.exe (GRISOFT, s.r.o.)

SRV - (Avg7UpdSvc) -- C:\Program Files\Grisoft\AVG Free\avgupsvc.exe (GRISOFT, s.r.o.)

SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)

SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)

SRV - (TVT Scheduler) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)

SRV - (TVT Backup Service) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe (Lenovo Group Limited)

SRV - (ThinkVantage Registry Monitor Service) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe ()

SRV - (SUService) -- c:\Program Files\Lenovo\System Update\SUService.exe ( )

SRV - (PsaSrv) -- C:\WINDOWS\system32\psasrv.exe ()

SRV - (Diskeeper) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)

SRV - (lxcf_device) -- C:\WINDOWS\System32\lxcfcoms.exe ( )

SRV - (Belkin Wireless USB Network Adapter Service) -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe ()

SRV - (MSSQL$SONY_MEDIAMGR) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (Microsoft Corporation)

SRV - (SQLAgent$SONY_MEDIAMGR) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (MpKsl0e103f17) -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD443F8E-7B6D-47C4-90F0-35F9BC1992B6}\MpKsl0e103f17.sys (Microsoft Corporation)

DRV - (MpKsl70a2501f) -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD443F8E-7B6D-47C4-90F0-35F9BC1992B6}\MpKsl70a2501f.sys (Microsoft Corporation)

DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)

DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo)

DRV - (BCMH43XX) -- C:\WINDOWS\system32\drivers\bcmwlhigh5.sys (Broadcom Corporation)

DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)

DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (AvgClean) -- C:\WINDOWS\System32\Drivers\avgclean.sys (GRISOFT, s.r.o.)

DRV - (usbsermpt) -- C:\WINDOWS\system32\drivers\usbsermpt.sys (Microsoft Corporation)

DRV - (Avg7Core) -- C:\WINDOWS\System32\Drivers\avg7core.sys (GRISOFT, s.r.o.)

DRV - (xusb21) -- C:\WINDOWS\system32\drivers\xusb21.sys (Microsoft Corporation)

DRV - (Avg7RsXP) -- C:\WINDOWS\System32\Drivers\avg7rsxp.sys (GRISOFT, s.r.o.)

DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)

DRV - (sptd) -- C:\WINDOWS\system32\drivers\sptd.sys (Duplex Secure Ltd.)

DRV - (AvgTdi) -- C:\WINDOWS\System32\Drivers\avgtdi.sys (GRISOFT, s.r.o.)

DRV - (Avg7RsW) -- C:\WINDOWS\System32\Drivers\avg7rsw.sys ()

DRV - (pmem) -- C:\WINDOWS\system32\drivers\pmemnt.sys (Microsoft Corporation)

DRV - (tvtfilter) -- C:\WINDOWS\system32\drivers\tvtfilter.sys (Lenovo)

DRV - (TVTPktFilter) -- C:\WINDOWS\system32\drivers\tvtpktfilter.sys (Lenovo Group Limited)

DRV - (smi2) -- C:\Program Files\SMI2\smi2.sys (IBM Corp.)

DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)

DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (iaStor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)

DRV - (RT73) -- C:\WINDOWS\system32\drivers\rt73.sys (Ralink Technology, Corp.)

DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows ® Server 2003 DDK provider)

DRV - (USBCM) -- C:\WINDOWS\system32\drivers\Sacm2A.sys ( )

DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)

DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)

DRV - (pelusblf) -- C:\WINDOWS\system32\drivers\PELUSBLF.SYS (Primax Electronics Ltd.)

DRV - (pelmouse) -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS (Primax Electronics Ltd.)

DRV - (WIBUKEY) -- C:\WINDOWS\system32\drivers\Wibukey.sys (WIBU-SYSTEMS AG)

DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)

DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)

DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)

DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)

DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)

DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)

DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)

DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)

DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)

DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)

DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)

DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)

DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)

DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)

DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

DRV - (G400) -- C:\WINDOWS\system32\drivers\G400m.sys (Matrox Graphics Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.facebook.com"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {EAA8183D-4C08-43C4-8103-FE3DD862B05E}:1.9.1

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 5577

FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}: C:\Documents and Settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E} [2010/12/27 15:40:08 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/13 18:05:37 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/11 22:51:55 | 000,000,000 | ---D | M]

[2010/12/05 00:19:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bobbileigh\Application Data\Mozilla\Extensions

[2010/12/05 00:19:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bobbileigh\Application Data\Mozilla\Firefox\Profiles\u4rcmdu5.default\extensions

[2011/01/30 23:26:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/06/27 17:47:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/02/17 22:43:15 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\BOBBILEIGH\APPLICATION DATA\MOVE NETWORKS

[2010/12/27 15:40:08 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\BOBBILEIGH\LOCAL SETTINGS\APPLICATION DATA\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}

[2010/06/27 17:47:06 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2010/06/27 17:47:05 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2007/03/06 18:53:21 | 000,024,576 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npgcplug.dll

[2005/12/05 22:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll

[2005/04/27 14:10:49 | 000,102,400 | ---- | M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll

O1 HOSTS File: ([2010/12/21 00:36:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)

O4 - HKLM..\Run: [iSUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)

O4 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006..\Run: [AIM] C:\Program Files\AIM7\aim.exe (AOL Inc.)

O4 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)

O4 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe (Trend Micro Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Play Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F7D4101\V1\PBN.exe ()

O4 - Startup: C:\Documents and Settings\bobbileigh\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-296326354-2807299508-1748536991-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)

O9 - Extra Button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe ()

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\bobbileigh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\bobbileigh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/04/29 23:36:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/03 16:01:44 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\bobbileigh\Desktop\OTL.exe

[2011/01/28 22:25:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bobbileigh\Desktop\Mixfortheroad

[2011/01/10 08:26:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bobbileigh\Desktop\Paul_Wall-Politics_As_Usual-2011-FiH

[2011/01/06 17:18:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\bobbileigh\Recent

[2007/03/06 18:53:25 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

[2007/02/03 17:25:41 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll

[2007/02/03 17:25:41 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll

[2007/02/03 17:25:41 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll

[2007/02/03 17:25:40 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll

[2007/02/03 17:25:39 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll

[2007/02/03 17:25:39 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll

[2007/02/03 17:25:38 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll

[2006/11/25 18:18:56 | 000,015,429 | R--- | C] ( ) -- C:\WINDOWS\System32\drivers\Sacm2A.sys

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/03 16:01:29 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bobbileigh\Desktop\OTL.exe

[2011/02/03 15:59:46 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2011/02/03 15:55:42 | 000,050,257 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2011/02/03 15:54:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/02/03 15:54:16 | 1038,790,656 | -HS- | M] () -- C:\hiberfil.sys

[2011/02/03 15:31:30 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/01/30 22:46:19 | 000,002,425 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\Paint Shop Pro 7.lnk

[2011/01/28 03:02:24 | 000,041,043 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\adda0565e9ffb13033a33d952517103c.jpg

[2011/01/28 02:20:28 | 000,164,986 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\VonMax_VM4_51710_LG.jpg

[2011/01/27 12:59:52 | 000,053,248 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\Matts Resume.doc

[2011/01/26 01:46:04 | 000,287,085 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\testgrille.jpg

[2011/01/26 01:30:45 | 000,091,388 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\chargerpics025.jpg

[2011/01/25 16:49:19 | 001,014,550 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\2011-01-25_16-30-58_979.jpg

[2011/01/25 16:47:47 | 001,207,876 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\2011-01-25_16-31-06_895.jpg

[2011/01/25 16:47:27 | 001,018,063 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\2011-01-25_16-31-15_153.jpg

[2011/01/25 11:37:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2011/01/22 22:44:38 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\ArenaSeason5.xls

[2011/01/13 12:47:43 | 000,012,990 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\438.gif

[2011/01/13 03:05:02 | 000,000,175 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI

[2011/01/12 23:31:08 | 000,088,576 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/01/11 00:43:21 | 000,002,457 | ---- | M] () -- C:\Documents and Settings\bobbileigh\Desktop\HiJackThis.lnk

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/28 03:02:24 | 000,041,043 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\adda0565e9ffb13033a33d952517103c.jpg

[2011/01/28 02:20:27 | 000,164,986 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\VonMax_VM4_51710_LG.jpg

[2011/01/27 12:59:51 | 000,053,248 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\Matts Resume.doc

[2011/01/26 01:44:10 | 000,287,085 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\testgrille.jpg

[2011/01/26 01:30:44 | 000,091,388 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\chargerpics025.jpg

[2011/01/25 16:49:18 | 001,014,550 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\2011-01-25_16-30-58_979.jpg

[2011/01/25 16:47:51 | 001,207,876 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\2011-01-25_16-31-06_895.jpg

[2011/01/25 16:47:26 | 001,018,063 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\2011-01-25_16-31-15_153.jpg

[2011/01/22 05:23:42 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\ArenaSeason5.xls

[2011/01/13 12:48:19 | 000,012,990 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Desktop\438.gif

[2011/01/11 01:16:26 | 1038,790,656 | -HS- | C] () -- C:\hiberfil.sys

[2010/12/19 01:50:29 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2010/12/11 23:49:16 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

[2010/05/23 18:05:00 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Local Settings\Application Data\housecall.guid.cache

[2010/03/02 20:16:24 | 000,016,030 | -HS- | C] () -- C:\Documents and Settings\bobbileigh\Local Settings\Application Data\6ENTSxRMA8c1v3wk4Gosy8f4p7

[2010/03/02 20:10:24 | 000,011,264 | -HS- | C] () -- C:\Documents and Settings\bobbileigh\Local Settings\Application Data\U4E5P2rdp

[2010/03/02 19:57:21 | 000,013,132 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\U4E5P2rdp

[2009/12/10 01:11:19 | 000,292,864 | ---- | C] () -- C:\Program Files\ogi7888l.exe

[2009/11/11 08:44:10 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2009/10/06 00:13:30 | 030,925,707 | -HS- | C] () -- C:\WINDOWS\System32\acelpdecs.sys

[2009/10/04 15:02:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\1031r.sys

[2008/03/14 21:55:59 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Application Data\$_hpcst$.hpc

[2007/05/26 19:55:23 | 000,077,895 | ---- | C] () -- C:\WINDOWS\System32\unibus_tcutil.dll

[2007/03/23 00:19:23 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/02/03 17:25:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll

[2006/12/26 22:49:40 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll

[2006/12/26 22:48:25 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2006/12/26 22:48:25 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2006/12/26 22:48:25 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2006/12/19 02:10:48 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2006/12/14 20:52:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/12/14 20:42:55 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll

[2006/12/10 22:38:12 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Application Data\PFP120JPR.{PB

[2006/12/10 22:38:12 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Application Data\PFP120JCM.{PB

[2006/11/26 10:33:47 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\avg7rsw.sys

[2006/11/26 10:22:53 | 000,006,580 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2006/11/26 10:22:53 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\E59962D3AE.sys

[2006/11/25 21:18:17 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini

[2006/11/25 20:11:25 | 000,000,518 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tvt_userinfo.ini

[2006/11/25 19:38:13 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\B11gUSB.dll

[2006/11/25 19:38:12 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll

[2006/11/25 18:18:56 | 000,053,693 | R--- | C] () -- C:\WINDOWS\UNDPX2A.sys

[2006/11/25 18:01:43 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\bobbileigh\Local Settings\Application Data\fusioncache.dat

[2006/10/13 18:07:49 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/10/13 17:53:12 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys

[2006/10/13 17:50:32 | 000,000,970 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2006/10/13 17:49:03 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2006/10/13 17:49:03 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2006/10/13 17:49:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2006/10/13 17:49:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2006/10/13 17:49:03 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2006/10/13 17:49:03 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2006/10/13 17:44:37 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini

[2006/10/13 17:44:37 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini

[2006/10/13 17:44:36 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL

[2006/10/13 17:38:03 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll

[2006/10/13 17:38:03 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll

[2006/10/13 17:38:03 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll

[2006/10/13 17:38:03 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

[2006/10/13 17:38:03 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

[2006/07/26 20:05:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2006/04/30 00:05:41 | 000,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/04/29 23:48:13 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2006/04/29 23:11:32 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll

[2006/04/29 23:11:32 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll

[2006/04/29 23:11:32 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll

[2006/04/29 23:11:32 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll

[2006/04/29 23:11:32 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

[2006/04/29 16:24:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2006/11/25 20:13:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LENOVO-B3862E77\Application Data\Lenovo

[2006/10/13 18:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.LENOVO-B3862E77\Application Data\ThinkVantage

[2008/10/01 18:31:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore

[2010/12/11 22:35:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM

[2007/06/10 18:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Aliasworlds

[2009/12/13 19:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Artist Colony

[2009/11/08 20:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7

[2010/12/11 21:43:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bImBg06301

[2009/11/08 20:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland

[2007/12/04 20:06:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software

[2009/01/18 15:50:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DivoGames

[2007/02/22 16:11:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\element5

[2007/08/27 17:49:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Escape From Paradise

[2008/08/23 14:01:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreshGames

[2007/11/15 18:49:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fugazo

[2007/06/04 12:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse

[2009/03/09 17:31:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gogii

[2009/11/08 21:19:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft

[2007/09/10 15:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft

[2007/03/05 21:04:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo

[2009/03/15 14:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games

[2007/11/02 16:25:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Legacy Interactive

[2009/11/08 20:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo

[2008/06/07 20:10:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia

[2009/09/24 19:21:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Merscom

[2007/12/13 19:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo

[2007/06/29 16:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Games

[2010/03/18 14:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst

[2010/03/13 22:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games

[2009/03/16 16:33:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Shockwave

[2009/02/15 10:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SugarGames

[2010/03/18 14:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2008/01/31 20:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Valusoft

[2010/06/27 17:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2009/11/08 21:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom

[2006/11/25 23:13:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\acccore

[2009/11/09 14:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Aim

[2008/08/11 23:08:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Alien Skin

[2010/03/13 22:09:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Amazon

[2009/11/08 20:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\AVG7

[2009/11/08 20:22:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\BitTorrent

[2010/01/15 17:14:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\BlamGames

[2009/03/23 13:50:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Burdaloo

[2009/12/08 18:57:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\DNA

[2009/03/07 21:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\EleFun Games

[2010/03/13 22:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\eMusic

[2007/10/14 12:58:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\funkitron

[2007/07/15 15:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Gamelab

[2007/12/22 20:01:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Home Sweet Home

[2008/09/06 21:33:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Home Sweet Home 2

[2007/03/05 21:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Intervideo

[2007/03/03 19:29:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\iWin

[2009/11/08 20:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Jane s Hotel

[2007/05/30 15:29:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Jasc

[2006/12/14 16:55:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Leadertech

[2010/06/27 17:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Lenovo

[2008/06/07 20:10:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Ludia

[2008/02/23 15:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Magic Seeds

[2009/09/24 19:21:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Merscom

[2007/06/06 17:51:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\MysteryStudio

[2010/01/08 19:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Octoshape

[2008/11/21 20:55:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Pi Eye Games

[2010/03/18 14:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\PlayFirst

[2007/10/31 19:36:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Pogo Games

[2007/06/28 01:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Publish Providers

[2007/06/07 09:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Sandlot Games

[2007/10/13 18:44:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\SecondLife

[2009/03/16 16:33:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Shockwave

[2009/12/19 00:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Skinux

[2007/06/28 01:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Sony

[2006/10/13 18:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\ThinkVantage

[2008/01/31 20:05:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\Valusoft

[2009/02/24 17:34:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bobbileigh\Application Data\ViquaSoft

[2006/11/25 20:13:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Lenovo

[2006/10/13 18:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\ThinkVantage

[2006/11/26 10:33:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7

[2009/11/08 20:27:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\matt\Application Data\AVG7

[2010/06/27 17:44:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\matt\Application Data\Lenovo

[2011/01/06 12:32:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\matt\Application Data\Skinux

[2006/10/13 18:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\matt\Application Data\ThinkVantage

[2007/09/03 07:12:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AVG7

[2010/03/12 08:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Skinux

[2011/02/03 15:59:46 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

< End of report >

[Fright]

I do not see a extra.txt

[Elise]

Rerun OTL, click the NONE button, then change the value under Extra Registry to "use safelist" and click Run Scan. Extra.txt should now be created.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

[Fright]

OTL Extras logfile created on: 2/4/2011 2:25:53 AM - Run 4

OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\bobbileigh\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.00 Mb Total Physical Memory | 397.00 Mb Available Physical Memory | 40.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free

Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 228.49 Gb Total Space | 29.91 Gb Free Space | 13.09% Space Free | Partition Type: NTFS

Computer Name: LENOVO-B3862E77 | User Name: bobbileigh | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10244:TCP" = 10244:TCP:LocalSubNet:Enabled:Zune Network Sharing Service

"10285:UDP" = 10285:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10286:UDP" = 10286:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10287:UDP" = 10287:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10288:UDP" = 10288:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10289:UDP" = 10289:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

"10244:TCP" = 10244:TCP:LocalSubNet:Enabled:Zune Network Sharing Service

"10285:UDP" = 10285:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10286:UDP" = 10286:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10287:UDP" = 10287:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10288:UDP" = 10288:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"10289:UDP" = 10289:UDP:LocalSubNet:Enabled:Zune Network Sharing Service

"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)

"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)

"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Grisoft\AVG Free\avginet.exe" = C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe -- (GRISOFT, s.r.o.)

"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe" = C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe -- (GRISOFT, s.r.o.)

"C:\Program Files\Grisoft\AVG Free\avgcc.exe" = C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe -- (GRISOFT, s.r.o.)

"C:\Program Files\Grisoft\AVG Free\avgemc.exe" = C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe -- (GRISOFT, s.r.o.)

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)

"C:\WINDOWS\system32\rtcshare.exe" = C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing -- (Microsoft Corporation)

"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows

[Elise]

Please run also combofix and post me the log (see my last post for instructions).

[Fright]

ComboFix 11-01-31.02 - bobbileigh 02/04/2011 15:27:07.11.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.546 [GMT -6:00]

Running from: c:\documents and settings\bobbileigh\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\bobbileigh\Application Data\Adobe\AdobeUpdate .exe

c:\documents and settings\bobbileigh\Application Data\Adobe\plugs

c:\windows\system32\twunk_32.exe

c:\windows\system32\Drivers\avg7rsw.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))

.

2011-02-04 20:48 . 2011-02-04 20:48 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FB9178F-7D71-4EE3-B8A3-2178E0D6419A}\MpKsl410873b0.sys

2011-02-03 22:05 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FB9178F-7D71-4EE3-B8A3-2178E0D6419A}\mpengine.dll

2011-01-06 18:32 . 2011-01-06 18:32 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\ArcSoft

2011-01-06 18:32 . 2011-01-06 18:32 -------- d-----w- c:\documents and settings\matt\Application Data\Skinux

2011-01-06 18:31 . 2011-01-06 18:31 -------- d-----w- c:\documents and settings\matt\Application Data\ArcSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-13 09:41 . 2010-03-14 03:16 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-12-27 21:56 . 2010-12-27 21:56 388096 ----a-r- c:\documents and settings\bobbileigh\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-12-21 00:09 . 2009-12-06 06:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2009-12-06 06:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-12 04:09 . 2010-12-12 04:09 134 ----a-w- c:\windows\system32\drivers\etc\hosts-perm.bat

2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12 . 2006-04-30 05:32 81920 ------w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2006-04-30 05:11 249856 ----a-w- c:\windows\system32\odbc32.dll

2009-12-10 07:11 . 2009-12-10 07:11 292864 ----a-w- c:\program files\ogi7888l.exe

2007-03-07 00:53 . 2007-03-07 00:53 774144 ------w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-12-18_18.12.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90kor.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 47104 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90jpn.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90ita.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 60416 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90fra.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esp.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esn.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90enu.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 60928 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90deu.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 41984 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90cht.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 41472 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90chs.dll

+ 2007-11-07 04:51 . 2007-11-07 04:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90u.dll

+ 2007-11-07 04:51 . 2007-11-07 04:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90.dll

+ 2011-02-04 21:23 . 2011-02-04 21:23 16384 c:\windows\temp\Perflib_Perfdata_728.dat

+ 2011-02-04 21:23 . 2011-02-04 21:23 16384 c:\windows\temp\Perflib_Perfdata_5a4.dat

+ 2009-07-07 19:15 . 2010-12-22 07:50 35412 c:\windows\system32\Restore\rstrlog.dat

+ 2010-12-19 07:50 . 2008-12-11 19:26 60273 c:\windows\system32\pthreadGC2.dll

+ 2006-07-28 12:10 . 2009-12-21 20:42 15616 c:\windows\system32\mot_ci.dll

+ 2010-12-19 07:50 . 2008-12-18 01:22 57344 c:\windows\system32\ff_vfw.dll

+ 2010-12-19 07:44 . 2010-06-18 21:09 23936 c:\windows\system32\DRVSTORE\motport_4F4CBE1DF24686697EA24297424DF8E347630C56\motport.sys

+ 2010-12-19 07:44 . 2010-04-01 20:31 23424 c:\windows\system32\DRVSTORE\motousbnet_770BC1026CC54C2F3EBB8D43C100E1BE013A9284\Motousbnet.sys

+ 2010-12-19 07:44 . 2009-05-08 17:56 42752 c:\windows\system32\DRVSTORE\motodrv_9E3D9A40BFFF73BAD5B052681D43BC931352E639\motodrv.sys

+ 2010-12-19 07:44 . 2009-12-21 20:42 15616 c:\windows\system32\DRVSTORE\motodrv_9E3D9A40BFFF73BAD5B052681D43BC931352E639\mot_ci.dll

+ 2010-12-19 07:44 . 2009-07-10 19:01 25856 c:\windows\system32\DRVSTORE\motoandroi_281A0D1CF14FCFFB1B61021B981311BFDC53E1D2\motoandroid.sys

+ 2010-12-19 07:44 . 2010-06-18 21:09 23936 c:\windows\system32\DRVSTORE\motmodem_339FBB9A886D234C861F36407D0E4F9AF978E6CD\motmodem.sys

+ 2010-12-19 07:44 . 2010-06-18 20:41 19968 c:\windows\system32\DRVSTORE\motccgp_7B90A2F86B8D63041DA9D597F8E5A9C44922CD15\motccgp.sys

+ 2006-04-30 05:10 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe

- 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe

+ 2010-06-24 08:10 . 2011-01-06 09:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

- 2010-06-24 08:10 . 2010-09-29 08:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

+ 2010-12-19 07:43 . 2010-12-19 07:43 85182 c:\windows\Installer\{7BB493F6-1E56-4748-B3A3-D7B1FB6EE2FE}\_7A8DFDDA16A557B2C4B697.exe

+ 2010-12-19 07:44 . 2010-01-26 01:56 9472 c:\windows\system32\DRVSTORE\motusbdevi_E42DBACAEBCECEBA9A8B12194BB5736D07B623F9\motusbdevice.sys

+ 2010-12-19 07:44 . 2007-11-02 21:51 6400 c:\windows\system32\DRVSTORE\motousbnet_770BC1026CC54C2F3EBB8D43C100E1BE013A9284\motswch.sys

+ 2010-12-19 07:44 . 2009-01-29 23:11 6016 c:\windows\system32\DRVSTORE\motousbnet_770BC1026CC54C2F3EBB8D43C100E1BE013A9284\motfilt.sys

+ 2010-12-19 07:44 . 2007-11-02 21:51 6400 c:\windows\system32\DRVSTORE\motccgp_7B90A2F86B8D63041DA9D597F8E5A9C44922CD15\motswch.sys

+ 2010-12-19 07:44 . 2009-01-29 23:18 8320 c:\windows\system32\DRVSTORE\motccgp_7B90A2F86B8D63041DA9D597F8E5A9C44922CD15\motccgpfl.sys

+ 2010-12-19 07:43 . 2010-12-19 07:43 7278 c:\windows\Installer\{7BB493F6-1E56-4748-B3A3-D7B1FB6EE2FE}\_6FEFF9B68218417F98F549.exe

+ 2010-12-19 07:43 . 2010-12-19 07:43 7278 c:\windows\Installer\{7BB493F6-1E56-4748-B3A3-D7B1FB6EE2FE}\_1C4C258407FCD759F84E91.exe

+ 2009-07-12 06:02 . 2009-07-12 06:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf0e9\atl90.dll

+ 2010-12-19 07:44 . 2009-03-02 15:00 103552 c:\windows\system32\DRVSTORE\Moser_D7089C7835F0E7ECEC244A670740F4C8336E0FA1\Mousbser.sys

+ 2010-12-19 07:44 . 2009-03-02 15:00 103552 c:\windows\system32\DRVSTORE\Momdm_D7089C7835F0E7ECEC244A670740F4C8336E0FA1\Mousbser.sys

+ 2010-11-09 14:52 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll

+ 2010-11-09 14:52 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll

+ 2010-11-09 14:52 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll

+ 2010-11-09 14:52 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll

+ 2010-11-09 14:52 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll

+ 2010-11-09 14:52 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll

+ 2010-12-20 09:00 . 2010-12-20 09:00 195584 c:\windows\Installer\792f0f9.msi

+ 2010-12-19 07:51 . 2010-12-19 07:51 228352 c:\windows\Installer\2262462.msi

+ 2010-12-19 07:43 . 2010-12-19 07:43 212480 c:\windows\Installer\2262457.msi

+ 2007-11-07 07:19 . 2007-11-07 07:19 1162744 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90u.dll

+ 2007-11-07 07:19 . 2007-11-07 07:19 1156600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90.dll

+ 2010-12-19 07:44 . 2008-03-27 23:49 1112288 c:\windows\system32\DRVSTORE\motusbdevi_E42DBACAEBCECEBA9A8B12194BB5736D07B623F9\wdfcoinstaller01007.dll

+ 2010-12-19 07:44 . 2008-03-27 23:49 1112288 c:\windows\system32\DRVSTORE\motport_4F4CBE1DF24686697EA24297424DF8E347630C56\wdfcoinstaller01007.dll

+ 2010-12-19 07:44 . 2008-03-27 23:49 1112288 c:\windows\system32\DRVSTORE\motousbnet_770BC1026CC54C2F3EBB8D43C100E1BE013A9284\wdfcoinstaller01007.dll

+ 2010-12-19 07:44 . 2008-03-27 23:49 1112288 c:\windows\system32\DRVSTORE\motoandroi_281A0D1CF14FCFFB1B61021B981311BFDC53E1D2\wdfcoinstaller01007.dll

+ 2010-12-19 07:44 . 2008-03-27 23:49 1112288 c:\windows\system32\DRVSTORE\motmodem_339FBB9A886D234C861F36407D0E4F9AF978E6CD\wdfcoinstaller01007.dll

+ 2010-12-19 07:44 . 2008-03-27 23:49 1112288 c:\windows\system32\DRVSTORE\motccgp_7B90A2F86B8D63041DA9D597F8E5A9C44922CD15\wdfcoinstaller01007.dll

+ 2010-12-27 21:56 . 2010-12-27 21:56 1094656 c:\windows\Installer\ac7b9.msi

+ 2010-12-12 05:45 . 2011-01-13 09:01 37403080 c:\windows\system32\MRT.exe

+ 2011-01-06 09:00 . 2011-01-06 09:00 20304384 c:\windows\Installer\caf408b.msp

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="c:\program files\AIM7\aim.exe" [2010-12-07 4320600]

"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2010-03-26 388096]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2006-07-03 110592]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-11 198160]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-02 7557120]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\bobbileigh\Start Menu\Programs\Startup\

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-26 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]

Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2006-01-11 01:01 106496 ------w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-01-15 09:22 267048 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]

2009-01-08 13:44 70936 ----a-w- c:\documents and settings\bobbileigh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\ThinkVantage\\AMSG\\Amsg.exe"=

"c:\\WINDOWS\\system32\\FSRremoS.EXE"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgupsvc.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Documents and Settings\\bobbileigh\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

"c:\\Program Files\\AIM7\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"67:UDP"= 67:UDP:DHCP Discovery Service

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/24/2010 1:34 PM 91456]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 4:55 PM 3968]

S1 MpKsl70a2501f;MpKsl70a2501f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD443F8E-7B6D-47C4-90F0-35F9BC1992B6}\MpKsl70a2501f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD443F8E-7B6D-47C4-90F0-35F9BC1992B6}\MpKsl70a2501f.sys [?]

S2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [12/28/2009 4:25 PM 36864]

S3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [11/6/2009 7:26 AM 642432]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 8:05 AM 14904]

S3 PsSdk30;PsSdk30;\??\c:\windows\system32\Drivers\PsSdk30.drv --> c:\windows\system32\Drivers\PsSdk30.drv [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/14/2006 10:04 PM 639224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2011-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-02-04 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\bobbileigh\Application Data\Mozilla\Firefox\Profiles\u4rcmdu5.default\

FF - prefs.js: browser.startup.homepage - www.facebook.com

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 5577

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: XULRunner: {EAA8183D-4C08-43C4-8103-FE3DD862B05E} - c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\bobbileigh\Application Data\Move Networks

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-04 15:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD2500JS-08NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AAAEC5]<<

c:\docume~1\BOBBIL~1\LOCALS~1\Temp\catchme.sys

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85e48872; SUB DWORD [EBP-0x4], 0x85e4812e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F57AB8]

3 CLASSPNP[0xF7580FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007d[0x86FDE2D8]

5 ACPI[0xF7417620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86FC5030]

[0x86CFD4C0] -> IRP_MJ_CREATE -> 0x86AAAEC5

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD2500JS-08NCB1_____________________10.02E01#5&1e8838a0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x86AAAAEA

user & kernel MBR OK

sectors 488397166 (+255): user != kernel

Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet022\Services\PsSdk30]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-02-04 15:53:34

ComboFix-quarantined-files.txt 2011-02-04 21:53

ComboFix2.txt 2010-12-24 07:33

ComboFix3.txt 2010-12-21 06:43

ComboFix4.txt 2010-12-18 18:15

ComboFix5.txt 2011-02-04 08:33

Pre-Run: 32,060,919,808 bytes free

Post-Run: 32,067,661,824 bytes free

- - End Of File - - 12A8916DD62DC2B4A52880A3ABF5172D

[Elise]

First of all, please download AVG Remover and run it. After that, run the following script.

CF-SCRIPT

-------------

We need to execute a CF-script.

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
  

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577

Firefox::
FF - ProfilePath - c:\documents and settings\bobbileigh\Application Data\Mozilla\Firefox\Profiles\u4rcmdu5.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5577
FF - Ext: XULRunner: {EAA8183D-4C08-43C4-8103-FE3DD862B05E} - c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Fright]

ComboFix 11-01-31.02 - bobbileigh 02/04/2011 16:46:05.12.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.545 [GMT -6:00]

Running from: c:\documents and settings\bobbileigh\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\bobbileigh\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}

c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}\chrome.manifest

c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}\chrome\content\_cfg.js

c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}\chrome\content\overlay.xul

c:\documents and settings\bobbileigh\Local Settings\Application Data\{EAA8183D-4C08-43C4-8103-FE3DD862B05E}\install.rdf

c:\windows\system32\Drivers\avg7rsw.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))

.

2011-02-04 20:48 . 2011-02-04 20:48 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FB9178F-7D71-4EE3-B8A3-2178E0D6419A}\MpKsl410873b0.sys

2011-02-03 22:05 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FB9178F-7D71-4EE3-B8A3-2178E0D6419A}\mpengine.dll

2011-01-06 18:32 . 2011-01-06 18:32 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\ArcSoft

2011-01-06 18:32 . 2011-01-06 18:32 -------- d-----w- c:\documents and settings\matt\Application Data\Skinux

2011-01-06 18:31 . 2011-01-06 18:31 -------- d-----w- c:\documents and settings\matt\Application Data\ArcSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-13 09:41 . 2010-03-14 03:16 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-12-27 21:56 . 2010-12-27 21:56 388096 ----a-r- c:\documents and settings\bobbileigh\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-12-21 00:09 . 2009-12-06 06:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-21 00:08 . 2009-12-06 06:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-12 04:09 . 2010-12-12 04:09 134 ----a-w- c:\windows\system32\drivers\etc\hosts-perm.bat

2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12 . 2006-04-30 05:32 81920 ------w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2006-04-30 05:11 249856 ----a-w- c:\windows\system32\odbc32.dll

2009-12-10 07:11 . 2009-12-10 07:11 292864 ----a-w- c:\program files\ogi7888l.exe

2007-03-07 00:53 . 2007-03-07 00:53 774144 ------w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( SnapShot_2011-02-04_21.47.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-02-04 22:41 . 2011-02-04 22:41 16384 c:\windows\temp\Perflib_Perfdata_598.dat

+ 2011-02-04 22:41 . 2011-02-04 22:41 16384 c:\windows\temp\Perflib_Perfdata_39c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="c:\program files\AIM7\aim.exe" [2010-12-07 4320600]

"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2010-03-26 388096]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2006-07-03 110592]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-11 198160]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-02 7557120]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\bobbileigh\Start Menu\Programs\Startup\

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-26 113664]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]

Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

2006-01-11 01:01 106496 ------w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-01-15 09:22 267048 ------w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]

2009-01-08 13:44 70936 ----a-w- c:\documents and settings\bobbileigh\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\ThinkVantage\\AMSG\\Amsg.exe"=

"c:\\WINDOWS\\system32\\FSRremoS.EXE"=

"c:\\Program Files\\Grisoft\\AVG Free\\avgupsvc.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Documents and Settings\\bobbileigh\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

"c:\\Program Files\\AIM7\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"67:UDP"= 67:UDP:DHCP Discovery Service

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/24/2010 1:34 PM 91456]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 4:55 PM 3968]

S1 MpKsl70a2501f;MpKsl70a2501f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD443F8E-7B6D-47C4-90F0-35F9BC1992B6}\MpKsl70a2501f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD443F8E-7B6D-47C4-90F0-35F9BC1992B6}\MpKsl70a2501f.sys [?]

S2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [12/28/2009 4:25 PM 36864]

S3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [11/6/2009 7:26 AM 642432]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 8:05 AM 14904]

S3 PsSdk30;PsSdk30;\??\c:\windows\system32\Drivers\PsSdk30.drv --> c:\windows\system32\Drivers\PsSdk30.drv [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/14/2006 10:04 PM 639224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2011-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-02-04 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\bobbileigh\Application Data\Mozilla\Firefox\Profiles\u4rcmdu5.default\

FF - prefs.js: browser.startup.homepage - www.facebook.com

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\bobbileigh\Application Data\Move Networks

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-04 17:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD2500JS-08NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86A9EEC5]<<

c:\docume~1\BOBBIL~1\LOCALS~1\Temp\catchme.sys

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85e48872; SUB DWORD [EBP-0x4], 0x85e4812e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F57AB8]

3 CLASSPNP[0xF7580FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007d[0x86F7DF18]

5 ACPI[0xF7417620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86FC5030]

[0x86BC8C60] -> IRP_MJ_CREATE -> 0x86A9EEC5

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD2500JS-08NCB1_____________________10.02E01#5&1e8838a0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x86A9EAEA

user & kernel MBR OK

sectors 488397166 (+255): user != kernel

Warning: possible TDL3 rootkit infection !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet022\Services\PsSdk30]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-02-04 17:12:06

ComboFix-quarantined-files.txt 2011-02-04 23:11

ComboFix2.txt 2011-02-04 21:53

ComboFix3.txt 2010-12-24 07:33

ComboFix4.txt 2010-12-21 06:43

ComboFix5.txt 2011-02-04 22:33

Pre-Run: 32,066,396,160 bytes free

Post-Run: 32,052,183,040 bytes free

- - End Of File - - CE01657F670D0D921579479622EEFC9E

[Fright]

Now the bar where the start button is all grey, like the older version of Windows. I'm assuming there's more to do, so I'll just wait for your reply before I jump the gun lol. Just thought I'd let you know.