XP Security 2011 - Need Help With Removal

rob5211 · April 5, 2011

Hello, yesterday evening my desktop PC (Win XP Professional SP3) got infected with "XP Security 2011", a fake AV program that has hijacked the Windows firewall among several other things.

Under normal (non-Safe) mode (user: Rob), I cannot run msconfig, regedit, System Restore, View/Create Users. I cannot turn on the Windows Firewall, and my real AV (Symantec) seems to have disappeared, along with most other items in the System Tray. I cannot run MBAM (or Spy-Bot S&D, for that matter), even with mbam.exe renamed to another name. I have no general Internet access via IE 8 or Firefox 3.6.

Task Manager (which I CAN run) indicates processes named flt.exe linked to the malware. I can kill such processes and make the malware screens temporarily disappear, but they reappear soon thereafter.

In Safe Mode (user: Admin -- not Rob), the malware is not present, and was able to run both full scans of MBAM and SpyBot S&D. I ran MBAM twice, and it found a handful of problems to correct (logs are posted below), but when I reboot in normal mode, the malware is still present. So far, MBAM has not able to remove this infection, and it's clear that the malware is somehow linked to user Rob.

This evening, I created a new user "MalAdjust" while in Safe Mode, then rebooted in normal mode with this new user. So far, the malware is not present; I started another MBAM full scan under this new user in normal mode, but so far (31 minutes and counting) it has not found any infected objects.

Any help you can provide would be most appreciated!!

Thanks. -Rob

==========================================================

First MBAM scan -- mbam-log-2011-04-03 (23-03-44).txt:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6264

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

4/3/2011 11:03:44 PM

mbam-log-2011-04-03 (23-03-44).txt

Scan type: Full scan (C:\|)

Objects scanned: 313653

Time elapsed: 43 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\jnn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\jnn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\jnn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Rob\local settings\application data\jnn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\local settings\Temp\jar_cache4756159025373658791.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\spool\prtprocs\w32x86\c31uoceiq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\application data\jsdfgs.bat (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\local settings\Temp\0.41964341364192215.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\local settings\Temp\0.2877388884204123.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\local settings\Temp\0.6974761506986406.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\local settings\Temp\pdfupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

c:\documents and settings\Rob\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

==========================================================

Second MBAM scan -- mbam-log-2011-04-04 (00-19-57).txt:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6264

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

4/4/2011 12:19:57 AM

mbam-log-2011-04-04 (00-19-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 313673

Time elapsed: 43 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==========================================================

rob5211 · April 5, 2011

Update: after running the third MBAM scan (under normal (non-Safe) mode, new user MalAdjust), it found and fixed the same 3 infections as shown in scan #2:

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Rob\Local Settings\Application Data\flt.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

I have a feeling that if I switch to the original user (Rob) where the infection first happened, it will still be there. I will await a reply before proceeding with anything else...

Elise · April 5, 2011

Hi, please run the following scan from your new useraccount.

OTL

-----

Please download OTL from one of the following mirrors:

- This is THE Mirror

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Push the Quick Scan button.

[*]Two reports will open, copy and paste them in a reply here:

OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized

rob5211 · April 5, 2011

Hello, here you go. Thanks for helping! -Rob

=======================================

OTL logfile created on: 4/5/2011 7:43:54 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.70 Gb Total Space | 181.63 Gb Free Space | 39.00% Space Free | Partition Type: NTFS

Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/05 07:42:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe

PRC - [2010/12/12 12:26:11 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/09/13 12:48:14 | 000,097,384 | R--- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe

PRC - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

PRC - [2010/05/04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe

PRC - [2010/04/02 11:18:54 | 001,185,112 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE

PRC - [2010/03/24 19:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

PRC - [2010/03/02 20:52:00 | 000,140,640 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe

PRC - [2009/12/30 14:21:02 | 000,065,536 | ---- | M] (Lexar Media, Inc.) -- C:\WINDOWS\system32\LxrSII1s.exe

PRC - [2009/09/17 18:40:44 | 000,075,048 | ---- | M] () -- C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe

PRC - [2009/06/03 21:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

PRC - [2009/02/02 02:33:18 | 000,317,440 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

PRC - [2009/02/02 02:32:42 | 000,246,272 | ---- | M] (Amazon.com) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

PRC - [2008/10/10 18:26:30 | 000,510,496 | ---- | M] (Fortinet Inc.) -- C:\WINDOWS\system32\FortiSslvpnDaemon.exe

PRC - [2008/06/09 10:37:44 | 000,053,392 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/02/05 14:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

PRC - [2007/10/18 21:10:42 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

PRC - [2007/09/17 09:56:08 | 000,124,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

PRC - [2007/05/25 09:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe

PRC - [2007/05/23 18:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\pmxmiced.exe

PRC - [2006/11/08 13:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe

PRC - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

PRC - [2006/03/17 06:34:30 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe

PRC - [2006/03/17 06:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PRC - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe

PRC - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

PRC - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

PRC - [2006/03/07 13:02:14 | 000,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

PRC - [2004/06/09 14:16:08 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe

PRC - [2003/05/08 11:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

PRC - [2002/10/11 08:10:00 | 000,106,560 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE

PRC - [1999/01/13 00:49:28 | 000,056,832 | ---- | M] () -- C:\Program Files\WinBatch\System\popmenu.exe

========== Modules (SafeList) ==========

MOD - [2011/04/05 07:42:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe

MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

MOD - [2003/05/08 11:00:46 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) [Auto | Running] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)

SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)

SRV - [2010/05/04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)

SRV - [2009/12/30 14:21:02 | 000,065,536 | ---- | M] (Lexar Media, Inc.) [Auto | Running] -- C:\WINDOWS\system32\LxrSII1s.exe -- (LxrSII1s)

SRV - [2009/09/17 18:40:44 | 000,075,048 | ---- | M] () [Auto | Running] -- C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe -- (CLDTVHNService)

SRV - [2009/03/16 17:45:14 | 000,059,552 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Installer) getPlus®

SRV - [2009/02/02 02:33:18 | 000,317,440 | ---- | M] (Amazon.com) [Auto | Running] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)

SRV - [2008/10/10 18:26:30 | 000,510,496 | ---- | M] (Fortinet Inc.) [Auto | Running] -- C:\WINDOWS\system32\FortiSslvpnDaemon.exe -- (FortiSslvpnDaemon)

SRV - [2008/06/09 10:37:44 | 000,053,392 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)

SRV - [2007/05/25 09:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)

SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)

SRV - [2006/03/17 06:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)

SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)

========== Driver Services (SafeList) ==========

DRV - [2011/04/01 01:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110401.002\NAVEX15.SYS -- (NAVEX15)

DRV - [2011/04/01 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110401.002\NAVENG.SYS -- (NAVENG)

DRV - [2010/07/22 04:37:29 | 000,108,480 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)

DRV - [2010/06/17 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/05/28 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/12/30 11:36:56 | 000,063,448 | ---- | M] (Lexar Media, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LxrSII1d.sys -- (LxrSII1d)

DRV - [2009/09/17 18:40:52 | 000,119,792 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\DirecTV\DirecTV\Kernel\DMP\ntk_dtv.sys -- (ntk_dtv)

DRV - [2008/10/10 18:26:32 | 000,036,384 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pppop.sys -- (pppop)

DRV - [2008/04/20 13:15:41 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)

DRV - [2008/01/02 11:13:12 | 000,987,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)

DRV - [2008/01/02 11:13:12 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2008/01/02 11:13:12 | 000,268,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2007/07/22 13:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2007/06/01 11:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pmxmouse.sys -- (pmxmouse)

DRV - [2007/05/24 14:56:00 | 000,014,336 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pmxusblf.sys -- (pmxusblf)

DRV - [2006/12/18 17:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\packet.sys -- (Packet)

DRV - [2006/08/18 11:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)

DRV - [2006/08/18 11:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2006/08/18 11:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2006/08/18 11:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2006/08/18 11:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2006/08/18 11:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2006/08/18 11:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2006/08/18 11:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2006/08/11 08:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2006/08/11 08:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2006/08/02 11:45:32 | 000,114,560 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr7910.sys -- (mr7910)

DRV - [2006/02/06 12:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2006/01/31 13:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)

DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)

DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)

DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)

DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)

DRV - [2004/07/19 09:41:48 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)

DRV - [2003/09/19 16:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080415

IE - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {C9761C39-2000-4CD6-A94E-6DB3A823FD89}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/07/11 18:13:43 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}: C:\Documents and Settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89} [2010/09/29 16:57:26 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/13 22:10:44 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/12 12:26:16 | 000,000,000 | ---D | M]

[2011/04/04 19:10:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla\Extensions

[2011/04/04 21:23:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla\Firefox\Profiles\2yh775pc.default\extensions

[2011/04/04 21:23:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla\Firefox\Profiles\2yh775pc.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/04/03 11:02:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010/09/29 16:57:26 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ROB\LOCAL SETTINGS\APPLICATION DATA\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}

[2008/12/14 15:54:47 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2009/07/11 18:13:43 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD

O1 HOSTS File: ([2010/03/07 00:16:05 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 13102 more lines...

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - File not found

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)

O2 - BHO: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)

O3 - HKLM\..\Toolbar: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)

O3 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\..\Toolbar\WebBrowser: (Nero Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)

O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)

O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )

O4 - HKLM..\Run: [Google Desktop Search] File not found

O4 - HKLM..\Run: [iJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [updateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [uVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe (Corel TW Corp.)

O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk = C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe (Amazon.com)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopMenu exe.lnk = C:\Program Files\WinBatch\System\popmenu.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)

O4 - Startup: C:\Documents and Settings\Rob\Start Menu\Programs\Startup\WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe (Ziff Davis Media, Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKU\S-1-5-21-2706065477-1034120459-467431141-1006\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} http://apps.corel.com/nos_dl_manager/plugin/IEGetPlugin.cab (get_atlcom Class)

O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab (Creative Software AutoUpdate)

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} https://65.214.187.52:10443/sslvpn.cab (fortisslvpn Class)

O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab (Creative Software AutoUpdate Support Package)

O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0 (DigWebHelper Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

O22 - SharedTaskScheduler: {1984DD45-52CF-49cd-AB77-18F378FEA264} - FencesShellExt - C:\Program Files\Fences\FencesMenu.dll (Stardock)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/05 07:42:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe

[2011/04/04 21:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\Downloads

[2011/04/04 21:21:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\TurboTax

[2011/04/04 21:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Intuit

[2011/04/04 21:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Intuit

[2011/04/04 19:14:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\CyberLink

[2011/04/04 19:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Mozilla

[2011/04/04 19:09:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Mozilla

[2011/04/04 19:09:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Adobe

[2011/04/04 19:08:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\MalAdjust\PrivacIE

[2011/04/04 19:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Canon Easy-WebPrint EX

[2011/04/04 18:56:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Malwarebytes

[2011/04/04 18:55:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Ipswitch

[2011/04/04 18:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Google

[2011/04/04 18:54:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\AskToolbar

[2011/04/04 18:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Ulead Systems

[2011/04/04 18:53:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\HotSync

[2011/04/04 18:53:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\Palm OS Desktop

[2011/04/04 18:53:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Power2Go

[2011/04/04 18:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Real

[2011/04/04 18:52:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Symantec

[2011/04/04 18:52:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Stardock

[2011/04/04 18:52:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\MalAdjust\IETldCache

[2011/04/04 18:51:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Internet Explorer

[2011/04/04 18:50:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft

[2011/04/04 18:50:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MalAdjust\Application Data

[2011/04/04 18:50:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Favorites

[2011/04/04 18:50:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\MalAdjust\Cookies

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Macromedia

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\InstallShield

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Application Data\Identities

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Google

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Desktop

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\BVRP Software

[2011/04/04 18:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\ApplicationHistory

[2011/04/04 18:50:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MalAdjust\SendTo

[2011/04/04 18:50:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MalAdjust\Recent

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Startup

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Start Menu

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Videos

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Pictures

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Music

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\My Documents

[2011/04/04 18:50:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Accessories

[2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\Templates

[2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\PrintHood

[2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\NetHood

[2011/04/04 18:50:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\MalAdjust\Local Settings

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Utilities

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\SingleClick Systems

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Roxio

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\PowerDVD DX

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\My Documents\My Google Gadgets

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\Microsoft

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Dell Accessories

[2011/04/04 18:50:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}

[2011/03/06 14:45:39 | 000,090,112 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe

[2011/03/06 14:45:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quicken WillMaker Plus 2011

[2011/03/06 14:45:27 | 000,000,000 | ---D | C] -- C:\Program Files\Quicken WillMaker Plus 2011

[2011/03/06 14:32:09 | 004,199,768 | ---- | C] (Amyuni Technologies

http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf400.dll

[2011/03/06 14:32:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quicken 2011

[61 C:\*.tmp files -> C:\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/05 07:42:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MalAdjust\Desktop\OTL.exe

[2011/04/05 07:40:43 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\MS Office Outlook 2003.lnk

[2011/04/05 07:25:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2011/04/05 07:01:00 | 000,000,230 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2011/04/04 21:25:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2011/04/04 21:23:00 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\Mozilla Firefox.lnk

[2011/04/04 21:11:49 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk

[2011/04/04 20:53:00 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2011/04/04 20:47:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/04/04 20:47:20 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/04 18:56:51 | 000,445,700 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/04/04 18:56:51 | 000,072,780 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/04/04 18:54:02 | 000,000,132 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\fusioncache.dat

[2011/04/04 18:53:12 | 000,001,674 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\CyberLink Power2Go.lnk

[2011/04/04 18:53:08 | 000,001,540 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\Customize Fences.lnk

[2011/04/04 18:52:26 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2011/04/04 18:51:05 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\MalAdjust\Desktop\Windows Media Player.lnk

[2011/04/04 17:53:30 | 000,016,612 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\muui32clp1xb41do30186g73wxfgt8irp431q23v6s78nf

[2011/04/03 22:00:21 | 000,709,456 | ---- | M] () -- C:\WINDOWS\is-SS5P4.exe

[2011/04/03 22:00:21 | 000,010,562 | ---- | M] () -- C:\WINDOWS\is-SS5P4.msg

[2011/04/03 22:00:21 | 000,000,399 | ---- | M] () -- C:\WINDOWS\is-SS5P4.lst

[2011/03/21 19:40:48 | 3862,011,904 | ---- | M] () -- C:\DVDVOLUME.ISO

[2011/03/12 21:17:07 | 000,016,686 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3782553494

[2011/03/12 09:48:17 | 000,015,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3452207138

[2011/03/06 14:32:01 | 000,000,154 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI

[61 C:\*.tmp files -> C:\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/04 22:07:17 | 000,002,521 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\MS Office Outlook 2003.lnk

[2011/04/04 21:23:00 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\Mozilla Firefox.lnk

[2011/04/04 21:11:49 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk

[2011/04/04 18:54:02 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Local Settings\Application Data\fusioncache.dat

[2011/04/04 18:53:08 | 000,001,540 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\Customize Fences.lnk

[2011/04/04 18:52:26 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Internet Explorer

[2011/04/04 18:51:05 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Windows Media Player.lnk

[2011/04/04 18:51:05 | 000,000,782 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\Windows Media Player.lnk

[2011/04/04 18:50:50 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2011/04/04 18:50:50 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

[2011/04/04 18:50:49 | 000,266,556 | ---- | C] () -- C:\Documents and Settings\MalAdjust\BD=1

[2011/04/04 18:50:49 | 000,001,674 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Desktop\CyberLink Power2Go.lnk

[2011/04/04 18:50:48 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Remote Assistance.lnk

[2011/04/04 18:50:48 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\MalAdjust\Start Menu\Programs\Outlook Express.lnk

[2011/04/04 18:49:58 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys

[2011/04/03 22:00:21 | 000,709,456 | ---- | C] () -- C:\WINDOWS\is-SS5P4.exe

[2011/04/03 22:00:21 | 000,010,562 | ---- | C] () -- C:\WINDOWS\is-SS5P4.msg

[2011/04/03 22:00:21 | 000,000,399 | ---- | C] () -- C:\WINDOWS\is-SS5P4.lst

[2011/04/03 18:17:18 | 000,016,612 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\muui32clp1xb41do30186g73wxfgt8irp431q23v6s78nf

[2011/03/21 19:36:30 | 3862,011,904 | ---- | C] () -- C:\DVDVOLUME.ISO

[2011/03/12 21:15:06 | 000,016,686 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3782553494

[2011/03/11 18:41:12 | 000,015,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3452207138

[2011/02/06 15:57:04 | 004,997,704 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/09/29 16:57:28 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Erodeguyoyamuzag.dat

[2010/09/29 16:57:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bvucipabusaxupet.bin

[2010/07/17 21:06:00 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib

[2010/02/07 14:17:29 | 000,002,077 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2010/01/03 14:13:56 | 000,000,154 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2009/08/07 10:54:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI

[2009/07/26 14:57:43 | 000,209,040 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/07/26 14:57:43 | 000,204,944 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/07/26 14:57:43 | 000,196,752 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/07/26 14:57:43 | 000,196,752 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/07/26 14:57:43 | 000,192,656 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/07/26 14:57:43 | 000,024,720 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2009/06/18 23:12:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2009/05/03 23:34:43 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2008/12/28 17:24:34 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Images

[2008/12/28 17:24:34 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT

[2008/12/28 17:24:34 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Internet Services

[2008/12/20 13:33:18 | 000,000,120 | ---- | C] () -- C:\WINDOWS\marscam.ini

[2008/11/06 09:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2008/11/06 09:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll

[2008/09/19 10:48:32 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll

[2008/09/19 10:48:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\uninscpw.exe

[2008/04/26 22:36:30 | 000,000,039 | ---- | C] () -- C:\WINDOWS\ulead32.ini

[2008/04/26 12:50:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI

[2008/04/26 11:49:06 | 000,494,080 | ---- | C] () -- C:\WINDOWS\System32\mp3tsshx.dll

[2008/04/25 09:14:17 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wetest.ini

[2008/04/20 14:41:30 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini

[2008/04/20 14:41:29 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Addrfixr.ini

[2008/04/20 14:40:55 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL

[2008/04/20 14:40:54 | 000,005,563 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini

[2008/04/20 14:23:40 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7L.DLL

[2008/04/20 14:22:04 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI

[2008/04/19 21:49:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/04/19 12:45:38 | 000,001,526 | ---- | C] () -- C:\WINDOWS\pw4.ini

[2008/04/19 09:43:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI

[2008/04/15 10:00:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2008/04/15 09:57:36 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL

[2008/04/15 09:57:36 | 000,000,188 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2008/04/15 09:53:34 | 000,303,104 | ---- | C] () -- C:\WINDOWS\System32\FontZoom.exe

[2008/04/15 09:53:34 | 000,131,066 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini

[2008/04/15 09:35:19 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll

[2008/04/15 09:34:37 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe

[2008/04/15 09:33:21 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/11/07 02:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2006/09/16 21:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll

[2006/09/16 21:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll

[2005/10/24 11:13:58 | 000,066,560 | RHS- | C] () -- C:\WINDOWS\MOTA113.exe

[2005/10/13 21:27:00 | 000,422,400 | RHS- | C] () -- C:\WINDOWS\x2.64.exe

[2005/07/14 12:31:20 | 000,027,648 | RHS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll

[2005/06/21 22:37:42 | 000,045,568 | RHS- | C] () -- C:\WINDOWS\System32\cygz.dll

[2005/05/13 17:12:00 | 000,217,073 | RHS- | C] () -- C:\WINDOWS\meta4.exe

[2005/02/28 13:16:22 | 000,240,128 | RHS- | C] () -- C:\WINDOWS\System32\x.264.exe

[2004/08/11 15:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/11 15:19:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2004/08/11 15:12:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2004/08/11 15:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/08/11 15:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2004/08/11 15:06:43 | 000,305,216 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/11 15:00:30 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/11 15:00:28 | 000,445,700 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/11 15:00:28 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/11 15:00:28 | 000,072,780 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/11 15:00:28 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/11 15:00:27 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/11 15:00:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/11 15:00:24 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2004/08/11 15:00:19 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/11 15:00:19 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/11 15:00:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/11 15:00:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2003/01/29 17:39:40 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\dcfft2.dll

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2002/03/16 17:00:00 | 000,007,420 | ---- | C] () -- C:\WINDOWS\UA000106.DLL

========== LOP Check ==========

[2010/10/26 21:12:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Stardock

[2011/02/27 14:47:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon

[2008/04/19 20:02:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software

[2010/12/14 21:11:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canon IJ Network Tool

[2008/04/19 13:01:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ

[2010/12/14 22:03:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV

[2010/12/14 21:08:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMSetup

[2010/12/14 21:58:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan

[2010/12/14 21:07:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJWSpt

[2010/08/21 14:58:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems

[2008/04/20 13:23:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DataViz

[2008/12/28 17:24:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp

[2008/04/20 13:16:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync

[2009/07/26 14:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo

[2008/12/28 17:25:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon

[2010/01/07 23:34:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2008/04/15 09:58:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SingleClick Systems

[2010/07/17 21:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft

[2010/05/02 16:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc

[2009/06/03 22:37:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir

[2008/04/20 14:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard

[2008/04/15 09:58:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

[2011/02/07 22:06:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/08/23 11:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems

[2008/12/28 17:24:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15

[2008/04/26 12:23:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO

[2008/06/21 16:17:22 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{68D98ECE-8350-4B76-A666-6DAA2183091C}

[2010/05/17 21:19:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}

[2010/10/26 21:02:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AskToolbar

[2011/04/04 19:08:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\Canon Easy-WebPrint EX

[2011/04/04 18:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\HotSync

[2011/04/04 18:52:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\Stardock

[2011/04/04 18:54:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MalAdjust\Application Data\Ulead Systems

[2008/05/15 22:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Amazon

[2010/07/17 23:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\AskToolbar

[2010/12/14 21:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Canon

[2010/12/14 21:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Canon Easy-WebPrint EX

[2011/03/12 21:08:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Eye-Fi

[2010/08/07 18:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\fi.eye.center.E430518E652B889A80EC0E8A6E532C09FF36DF62.1

[2009/06/20 14:56:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\GetRightToGo

[2008/04/20 13:15:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\HotSync

[2008/04/20 13:21:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Leadertech

[2008/12/28 17:29:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Nikon

[2011/03/06 14:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Nolo

[2008/06/21 16:20:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\RiffTrax

[2008/04/20 14:22:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\ScanSoft

[2010/05/17 21:20:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Stardock

[2009/07/26 15:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rob\Application Data\Ulead Systems

[2011/04/05 07:01:00 | 000,000,230 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794

< End of report >

========================================================================================================

OTL Extras logfile created on: 4/5/2011 7:43:54 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.70 Gb Total Space | 181.63 Gb Free Space | 39.00% Space Free | Partition Type: NTFS

Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2706065477-1034120459-467431141-1006\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"10421:UDP" = 10421:UDP:*:Enabled:SingleClick Discovery Protocol

"10426:UDP" = 10426:UDP:*:Enabled:SingleClick ICC

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)

"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)

"C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe" = C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe:*:Enabled:DIRECTV2PC -- (DIRECTV Corp.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)

"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)

"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- (Yahoo! Inc.)

"C:\Program Files\Eye-Fi\Eye-Fi Manager.exe" = C:\Program Files\Eye-Fi\Eye-Fi Manager.exe:*:Enabled:Eye-Fi Manager

"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe" = C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant -- (SingleClick Systems)

"C:\Documents and Settings\Rob\Application Data\U3\0000186265711886\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe" = C:\Documents and Settings\Rob\Application Data\U3\0000186265711886\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe:*:Enabled:Skype

"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)

"C:\Program Files\Eye-Fi\Helper\EyeFiHelper.exe" = C:\Program Files\Eye-Fi\Helper\EyeFiHelper.exe:*:Enabled:Eye-Fi Helper -- (Eye-Fi, Inc.)

"C:\Documents and Settings\Rob\Application Data\U3\0000187FC570F5FE\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe" = C:\Documents and Settings\Rob\Application Data\U3\0000187FC570F5FE\0DE4F643-C398-46ec-9339-2362F2311932\Exec\Skype.exe:*:Enabled:Skype -- ()

"C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe" = C:\Program Files\DirecTV\DirecTV\DIRECTV2PC.exe:*:Enabled:DIRECTV2PC -- (DIRECTV Corp.)

"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant

"{034B16A2-86DA-8498-632F-E24A4B512FD5}" = Eye-Fi Center

"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools

"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport

"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data

"{10CD364B-FFCC-48BE-B469-B9622A033075}" = Fences

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG6100_series" = Canon MG6100 series MP Drivers

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1882D3BE-8B8F-4EA3-9414-EB06CD5B9CD8}" = Modem Diagnostics Tool

"{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}" = iSEEK AnswerWorks English Runtime

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10

"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java 6 Update 17

"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation

"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module

"{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper

"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset

"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset

"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine

"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport

"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go

"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support

"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers

"{459E93B6-150E-45d5-8D4B-45C66FC035FE}" = getPlus® for Corel

"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR

"{479F8C12-576B-4A58-AB78-4B70F7012AA8}" = DIRECTV2PC Playback Advisor

"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour

"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper

"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)

"{5404E185-BD7C-4A72-ABD0-91A411A05726}" = Ulead VideoStudio 6 SE DVD

"{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper

"{5FE545A1-D215-4216-9189-E7B39C9D1CC1}" = Quicken 2011

"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10

"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0

"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio

"{842BEE12-CCCB-43F4-ABAF-CBA6DFE2583D}" = Nero BurnLite 10

"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}" = Adobe Audition 1.5

"{87FF0E39-8490-4EB4-A557-FF12F712EF7E}" = TurboTax 2010 wcaiper

"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin

"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{8F194222-199F-11D6-B163-AA8310157D2E}" = SAPI51forSayPad

"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{94673EFC-6EF6-4CB1-8FFC-78F4C0203A0C}" = Eye-Fi Helper 3.2

"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime

"{9F70BF98-003C-491D-81FC-FF9792206AF0}" = iTunes

"{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}" = Symantec AntiVirus

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A34DCE59-0003-0000-0387-3F8A9926B752}" = FortiClient SSL VPN v3.0.387

"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AB627AF2-9C7E-4DBD-816B-3B2646B81E89}" = Nero BurnLite 10

"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0

"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP Professional 2007

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper

"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{BA4DF4C3-196E-4128-969A-00996B5A46F8}" = Canon MP500

"{BDFE199D-E889-4BB6-BECB-C4BDF5700849}" = Documents To Go

"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C4B3A7F9-5CD8-4608-B623-689CA3604A08}" = RiffTrax DVD Player

"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime

"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE

"{C8CE30F9-CBD0-43B1-BFD3-B18F55A48827}" = Calendar Creator 10

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE636486-7E13-4051-9067-AFC4E1B8F54E}" = ArcSoft ShowBiz DVD 2

"{CF0C0E58-2C1A-4645-85FC-D3DF9686EF60}" = Mp3-Tag Studio 3.01

"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center

"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4

"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime

"{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}" = Creative Zen Vision M

"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center

"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect

"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp

"{E8617EA7-DBC7-48A2-8FF5-F9D699BD581A}" = Attachmate Reflection for Secure IT Client 7.0

"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer

"{E9B10AA5-E5F6-4DEF-A435-FB20704AF1E8}" = DIRECTV2PC

"{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}" = Yahoo! Music Jukebox

"{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}" = VideoStudio

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{FF8157AA-F640-45BD-B7C2-BAA1016B267A}" = palmOne

"Adobe AIR" = Adobe AIR

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3

"AnyDVD" = AnyDVD

"CAL" = Canon Camera Access Library

"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX

"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX

"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX

"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder

"Canon MG6100 series User Registration" = Canon MG6100 series User Registration

"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility

"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool

"CanonMyPrinter" = Canon My Printer

"CanonSolutionMenuEX" = Canon Solution Menu EX

"Cisco Connect" = Cisco Connect

"CNXT_MODEM_PCI_HSF" = Conexant D850 PCI V.92 Modem

"Cool Edit Pro 2.0" = Cool Edit Pro 2.0

"Creative Removable Disk Manager" = Creative Removable Disk Manager

"CSCLIB" = Canon Camera Support Core Library

"CutePDF Writer Installation" = CutePDF Writer 2.5

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"DVD Shrink_is1" = DVD Shrink 3.2

"DYMO Label Software" = DYMO Label Software

"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint

"Easy-WebPrint" = Easy-WebPrint

"Easy-WebPrint EX" = Canon Easy-WebPrint EX

"EOS Utility" = Canon Utilities EOS Utility

"Fences" = Fences

"fi.eye.center.E430518E652B889A80EC0E8A6E532C09FF36DF62.1" = Eye-Fi Center

"FLV to AVI MPEG WMV 3GP MP4 iPod Converter_is1" = FLV to AVI MPEG WMV 3GP MP4 iPod Converter 5.2.0603

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go

"InstallShield_{479F8C12-576B-4A58-AB78-4B70F7012AA8}" = DIRECTV2PC Playback Advisor

"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin

"InstallShield_{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video

"InstallShield_{E9B10AA5-E5F6-4DEF-A435-FB20704AF1E8}" = DIRECTV2PC

"InstallShield_{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}" = Corel VideoStudio 12

"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX

"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)

"MP Navigator EX 4.0" = Canon MP Navigator EX 4.0

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"PC Magazine's WinTidy_is1" = WinTidy 1.0.11

"PhotoStitch" = Canon Utilities PhotoStitch

"Procomm Plus" = Procomm Plus 4.60

"Quicken WillMaker Plus 2011" = Quicken WillMaker Plus 2011

"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX

"Readerware" = Readerware

"RealPlayer 6.0" = RealPlayer

"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX

"RiffTrax DVD Player" = RiffTrax DVD Player

"RSecureClient" = Attachmate Reflection for Secure IT Client 7.0

"Scott's Space Invaders_is1" = Scott's Space Invaders v 1.9

"SearchAssist" = SearchAssist

"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4

"ST6UNST #1" = SayPad

"SUPER

Elise · April 5, 2011

Please rerun OTL and click the NONE button. After that, copy/paste the following text into the "custom scan/fix" field and click Run Scan. Post me the resulting log.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /s

rob5211 · April 5, 2011

Here you go, the results of the custom scan... -Rob

===============================

OTL logfile created on: 4/5/2011 8:45:28 AM - Run 2

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.70 Gb Total Space | 181.61 Gb Free Space | 39.00% Space Free | Partition Type: NTFS

Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList >

"ProfilesDirectory" = %SystemDrive%\Documents and Settings -- [2011/04/04 18:50:46 | 000,000,000 | ---D | M]

"DefaultUserProfile" = Default User

"AllUsersProfile" = All Users

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1005]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1006]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-500]

< End of report >

Elise · April 5, 2011

Hi, can you please tell me the name of the infected user account?

Also, please rerun the script (see previous post, I added a switch so subkey's will be listed as well).

rob5211 · April 5, 2011

Hi, the name of the infected account is Rob.

I will be away from the infected PC until I get home from work in about 7 hours, but I am having someone follow up here during the day so we can keep this moving. She will be continuing with your latest instruction in a little later today.

KRISTEN: if it's not clear, what we want to do next is repeat Elise's last instruction with a slight change, as follows:

Please rerun OTL (click the OTL icon on the desktop) and click the NONE button. After that, copy/paste the following text into the "custom scan/fix" field: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /s

(IMPORTANT: include the /s switch on the end of the command -- this is the change from the previous scan.)

...then click Run Scan. Post the resulting log (using copy/paste) to this forum. Call me with any questions on this process!

Thanks to both of you! -Rob

Elise · April 5, 2011

Okay Rob, thats fine with me.

Kristen, just let me know in case any of the instructions are unclear or give you problems.

rob5211 · April 5, 2011

Here's the log from the latest scan. -Kristen

OTL logfile created on: 4/5/2011 12:54:11 PM - Run 3

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.70 Gb Total Space | 181.60 Gb Free Space | 39.00% Space Free | Partition Type: NTFS

Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList /s >

"ProfilesDirectory" = %SystemDrive%\Documents and Settings -- [2011/04/04 18:50:46 | 000,000,000 | ---D | M]

"DefaultUserProfile" = Default User

"AllUsersProfile" = All Users

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]

"Flags" = 12

"State" = 0

"RefCount" = 1

"Sid" = 01 01 00 00 00 00 00 05 12 00 00 00 [binary data]

"ProfileImagePath" = %systemroot%\system32\config\systemprofile -- [2010/03/12 21:00:33 | 000,000,000 | ---D | M]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]

"ProfileImagePath" = %SystemDrive%\Documents and Settings\LocalService -- [2010/10/26 21:02:03 | 000,000,000 | -HSD | M]

"Sid" = 01 01 00 00 00 00 00 05 13 00 00 00 [binary data]

"Flags" = 9

"State" = 0

"CentralProfile" =

"ProfileLoadTimeLow" = 2011901126

"ProfileLoadTimeHigh" = 30143394

"RefCount" = 3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]

"ProfileImagePath" = %SystemDrive%\Documents and Settings\NetworkService -- [2004/08/11 15:20:16 | 000,000,000 | -HSD | M]

"Sid" = 01 01 00 00 00 00 00 05 14 00 00 00 [binary data]

"Flags" = 9

"State" = 0

"CentralProfile" =

"ProfileLoadTimeLow" = 2007213626

"ProfileLoadTimeHigh" = 30143394

"RefCount" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1005]

"ProfileImagePath" = %SystemDrive%\Documents and Settings\Rob -- [2011/02/06 14:41:42 | 000,000,000 | ---D | M]

"Sid" = 01 05 00 00 00 00 00 05 15 00 00 00 45 48 4B A1 0B 6D A3 3D E5 6E DC 1B ED 03 00 00 [binary data]

"Flags" = 0

"State" = 256

"CentralProfile" =

"ProfileLoadTimeLow" = -1462415868

"ProfileLoadTimeHigh" = 30143132

"RefCount" = 1

"RunLogonScriptSync" = 0

"OptimizedLogonStatus" = 11

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-1006]

"ProfileImagePath" = %SystemDrive%\Documents and Settings\MalAdjust -- [2011/04/04 19:08:49 | 000,000,000 | ---D | M]

"Sid" = 01 05 00 00 00 00 00 05 15 00 00 00 45 48 4B A1 0B 6D A3 3D E5 6E DC 1B EE 03 00 00 [binary data]

"Flags" = 0

"State" = 256

"CentralProfile" =

"ProfileLoadTimeLow" = -2057441170

"ProfileLoadTimeHigh" = 30143394

"RefCount" = 3

"RunLogonScriptSync" = 0

"OptimizedLogonStatus" = 11

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2706065477-1034120459-467431141-500]

"ProfileImagePath" = %SystemDrive%\Documents and Settings\Administrator -- [2010/10/26 21:12:41 | 000,000,000 | ---D | M]

"Sid" = 01 05 00 00 00 00 00 05 15 00 00 00 45 48 4B A1 0B 6D A3 3D E5 6E DC 1B F4 01 00 00 [binary data]

"Flags" = 0

"State" = 256

"CentralProfile" =

"ProfileLoadTimeLow" = -73098874

"ProfileLoadTimeHigh" = 30143393

"RefCount" = 0

"RunLogonScriptSync" = 0

"OptimizedLogonStatus" = 11

< End of report >

Elise · April 5, 2011

Hi Kristen,

Now that I know the SID of the infected useraccount, please run the following as a custom scan (same as last time, just the script is different). That will show us any hijacked values.

HKEY_USERS\S-1-5-21-2706065477-1034120459-467431141-1005\software\classes\.exe /s

rob5211 · April 5, 2011

Here is the log from the latest custom scan. -Kristen

OTL logfile created on: 4/5/2011 3:58:47 PM - Run 4

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\MalAdjust\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.70 Gb Total Space | 181.59 Gb Free Space | 38.99% Space Free | Partition Type: NTFS

Computer Name: JANE | User Name: MalAdjust | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKEY_USERS\S-1-5-21-2706065477-1034120459-467431141-1005\software\classes\.exe /s >

< End of report >

Elise · April 6, 2011

Hi again,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
```
:regfind
flt.exe
```
Click the Look button to start the scan. Note, this scan can take a while to complete
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

rob5211 · April 6, 2011

Hello, the SystemLook scan ran very quickly -- only a few seconds. Here's the results.

Thanks, -Rob

==================================

SystemLook 04.09.10 by jpshortstuff

Log created at 23:10 on 05/04/2011 by MalAdjust

Administrator - Elevation successful

========== regfind ==========

Searching for "flt.exe"

No data found.

-= EOF =-

Elise · April 6, 2011

Can you rename combofix.exe to combofix.com and then try to execute it from the Rob account?

rob5211 · April 6, 2011

OK, but I'm not familiar with combofix.exe and I don't think it's been downloaded yet. I just googled it and see that it is another tool to find/fix malware, but we've not done that yet, and I've not used it previously. I just searched my C: drive to be sure, and did not find it anywhere.

Should I first download combofix.exe, then rename it to combofix.com, then try to execute it from the Rob account? Do you have a link for it?

Thanks. -Rob

rob5211 · April 6, 2011

I found the download for combofix at combofix.org. I presume I should download it, then proceed as you requested (rename to combofix.com, then try to execute it from the Rob account). Yes?

Elise · April 6, 2011

I'm so sorry, I see I didn't instruct you to run it yet (happens when I post in a hurry... :blink: ). Please see below. Combofix.org is not affiliated in any way to combofix.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

rob5211 · April 6, 2011

No problem, thanks for the clarification.

So, to be clear: do you want me to first run combofix.exe in the new account (user name MalAdjust, the one I'm currently using without any problems) and see the results of that BEFORE I rename it to combofix.com and try to run it in the Rob account (where I'm having the problems)?

Or do you want me to immediately rename and try running it in the Rob account?

Thanks. -Rob

Elise · April 6, 2011

The latter. The problem is located in the Rob userprofile, which is not active and thus will not be scanned by Combofix.

rob5211 · April 6, 2011

OK, got it. Renaming and attempting to run combofix.com from Rob now...

rob5211 · April 6, 2011

I'm having a problem: I can start combofix.com while in the Rob user account, but it soon reports that I need to shutdown the Symantec AV. I understand why, but because of the infection, the Symantec icon is not in the System Tray, and I don't know how to turn it off. Combofix says it will have unpredictable results/may cause system damage if it is run while the AV is still running.

I tried googling to figure out the applicable process(es) to kill in the Task Manager, but it's not at all clear which process(es) to kill, and whether or not the infection will even let me kill it/them.

How about this: would it be OK to run combofix.com in the Rob account in Safe Mode? (Assuming that the AV is not running in Safe Mode?) While in Safe Mode for user MalAdjust, it seems that Symantec AV is NOT running -- some of the processes that I think are part of the AV (DefWatcher.exe, ccEvtMgr.exe, ccSetMgr.exe) are not appearing in Task Manager, and there's no AV icon in the System Tray).

So it seems Safe Mode in Rob will likely get me past combofix's complaint about Symantec AV running, but here's another concern: while logged into user Rob (whether Safe or Normal Mode), I do not have general Internet access (using IE or Firefox). Would that cause a problem with combofix? Does it need Internet access to do its job? I see that it may need to install the Windows Recovery Console -- does it need to get it via the Internet?

Please advise!

Thanks! -Rob

Elise · April 6, 2011

Yes, run it in the Rob account in Safe mode. If CF still says that Symantec is running, ignore the warning and continue.

rob5211 · April 6, 2011

Alrighty then! CF ran successfully in Safe Mode (user Rob). (It did still complain that Symantec was running.)

Here are the results. BTW, it's quite late, and I'm thinking of stopping for now and resuming in the morning (er, later this morning!) but if you're still on now and think you'll want me to check something very soon, I can stay on longer...let me know.

I have rebooted in normal mode, user MalAdjust. I'm tempted to check things out in user Rob, but will await your instructions.

Thanks. -Rob

=========================================================================

ComboFix 11-04-05.02 - Rob 04/06/2011 2:28.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1695 [GMT -7:00]

Running from: C:\ComboFix.com

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}

c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\chrome.manifest

c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\chrome\content\_cfg.js

c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\chrome\content\overlay.xul

c:\documents and settings\Rob\Local Settings\Application Data\{C9761C39-2000-4CD6-A94E-6DB3A823FD89}\install.rdf

c:\documents and settings\Rob\Local Settings\Application Data\flt.exe

c:\documents and settings\Rob\Local Settings\Application Data\qev.exe

c:\documents and settings\Rob\WINDOWS

C:\LOG10.tmp

C:\LOG104.tmp

C:\LOG110.tmp

C:\LOG123D.tmp

C:\LOG145.tmp

C:\LOG161.tmp

C:\LOG171E.tmp

C:\LOG186.tmp

C:\LOG1A6.tmp

C:\LOG1B.tmp

C:\LOG1B3.tmp

C:\LOG1B5B.tmp

C:\LOG1B8.tmp

C:\LOG202.tmp

C:\LOG20B.tmp

C:\LOG234.tmp

C:\LOG25.tmp

C:\LOG250.tmp

C:\LOG256.tmp

C:\LOG261.tmp

C:\LOG265.tmp

C:\LOG2CE.tmp

C:\LOG2D.tmp

C:\LOG3.tmp

C:\LOG300.tmp

C:\LOG33.tmp

C:\LOG337.tmp

C:\LOG39B.tmp

C:\LOG3FC.tmp

C:\LOG40D.tmp

C:\LOG450.tmp

C:\LOG467.tmp

C:\LOG4B5.tmp

C:\LOG50C.tmp

C:\LOG55.tmp

C:\LOG56.tmp

C:\LOG59F.tmp

C:\LOG5A1.tmp

C:\LOG5F.tmp

C:\LOG613.tmp

C:\LOG678.tmp

C:\LOG70B.tmp

C:\LOG712.tmp

C:\LOG7AE.tmp

C:\LOG7C.tmp

C:\LOG838.tmp

C:\LOG89B.tmp

C:\LOG8BB.tmp

C:\LOG957.tmp

C:\LOG9A5.tmp

C:\LOG9BB.tmp

C:\LOG9E1.tmp

C:\LOGAC.tmp

C:\LOGC4.tmp

C:\LOGC42.tmp

C:\LOGCC2.tmp

C:\LOGD3E.tmp

C:\LOGE68.tmp

C:\LOGEE.tmp

C:\LOGF26.tmp

C:\LOGF6.tmp

c:\windows\system32\rnaph.dll

c:\windows\UA000106.DLL

.

((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))

.

2011-04-05 01:50 . 2011-04-05 02:08 -------- d-----w- c:\documents and settings\MalAdjust

2011-04-04 05:00 . 2011-04-04 05:00 709456 ----a-w- c:\windows\is-SS5P4.exe

2011-04-04 04:58 . 2011-04-04 04:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-04-04 02:23 . 2011-04-04 02:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2005-05-14 00:12 217073 --sha-r- c:\windows\meta4.exe

2005-10-24 18:13 66560 --sha-r- c:\windows\MOTA113.exe

2005-10-14 04:27 422400 --sha-r- c:\windows\x2.64.exe

2005-10-08 02:14 308224 --sha-r- c:\windows\system32\avisynth.dll

2005-07-14 19:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll

2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll

2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll

2004-01-25 07:00 70656 --sha-r- c:\windows\system32\i420vfw.dll

2006-04-27 17:24 2945024 --sha-r- c:\windows\system32\Smab.dll

2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe

2004-01-25 07:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2011-02-02 02:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-02 1487240]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-15 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

"AnyDVD"="c:\program files\AnyDVD\AnyDVDtray.exe" [2010-07-27 4455360]

"Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2010-10-27 3760320]

"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2009-08-24 2684200]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]

"PMX Daemon"="ICO.EXE" [2006-11-08 49152]

"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-12 198160]

"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]

"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]

"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-03-03 140640]

"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

.

c:\documents and settings\Rob\Start Menu\Programs\Startup\

WinTidy.lnk - c:\program files\WinTidy\WinTidy.exe [2001-10-8 585216]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-15 49152]

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

PopMenu exe.lnk - c:\program files\WinBatch\System\popmenu.exe [1999-1-13 56832]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-4-26 106560]

ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Fences\FencesMenu.dll" [2009-10-02 128360]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk

backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^palmOne Registration.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\palmOne Registration.lnk

backup=c:\windows\pss\palmOne Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-06-02 18:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Eye-Fi\\Helper\\EyeFiHelper.exe"=

"c:\\Documents and Settings\\Rob\\Application Data\\U3\\0000187FC570F5FE\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"=

"c:\\Program Files\\DirecTV\\DirecTV\\DIRECTV2PC.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [4/19/2008 9:31 AM 18432]

R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [4/19/2008 9:31 AM 14336]

R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [11/3/2006 5:31 PM 36384]

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2/19/2009 10:56 PM 317440]

S2 CLDTVHNService;CLDTVHNService;c:\program files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe [9/17/2009 6:40 PM 75048]

S2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSslvpnDaemon.exe [4/19/2008 1:10 PM 510496]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 7:00 PM 135664]

S2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2/9/2011 1:45 PM 63448]

S2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [5/4/2010 12:07 PM 503080]

S2 ntk_dtv;ntk_dtv;c:\program files\DirecTV\DirecTV\Kernel\DMP\ntk_dtv.sys [9/17/2009 6:40 PM 119792]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/28/2010 8:01 PM 102448]

S3 getPlus® Installer;getPlus® Installer;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/11/2009 6:17 PM 59552]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MDMXSDK

*NewlyCreated* - PXHELP20

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:00]

.

2011-04-06 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

- c:\program files\Ask.com\UpdateTask.exe [2011-02-02 02:17]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: intuit.com\ttlc

TCP: {42AE4EF0-0BDA-41EC-932F-EDDB11EEBAFC} = 208.67.220.220,208.67.222.222

DPF: {B0882EB7-81A5-4A11-8D45-71888F973933} - hxxps://65.214.187.52:10443/sslvpn.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

FF - ProfilePath - c:\documents and settings\Rob\Application Data\Mozilla\Firefox\Profiles\tuymetb4.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Nero Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKCU-Run-LxrAutorun - c:\documents and settings\Rob\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

HKLM-Run-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

MSConfigStartUp-Pzagariwitat - c:\windows\aruqocub.dll

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-06 02:32

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2011-04-06 02:33:58

ComboFix-quarantined-files.txt 2011-04-06 09:33

.

Pre-Run: 198,842,318,848 bytes free

Post-Run: 198,901,067,776 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 5ED358A292187B24ABD0A8A7673506CC

Elise · April 6, 2011

Hi again, looks like that did the trick.

Please let me know how things are running after the following scan. Its 1 PM here, so I'm online for the next few hours, but you can just do the steps when you have time.

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

XP Security 2011 - Need Help With Removal

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information