
Threatened With Disconnect - Infection!

Discussion in 'Malware Removal Help' started by MaxArk68, Dec 15, 2010.

  1. MaxArk68

    Hi All ...

    Oh boy am I in a heap of trouble.
    My ISP advised me that my internet connection is showing abnormal activity similar to spamming and has advised that if my computer isn't cleaned, my service will be disconnected until it is.

    I have done a recent AVG scan with updated definitions, as well as numerous other scans ... Spybot (which turned out no results), online Pandascan, and EmiSoft Anti-Malware.

    AVG Reports this:

    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a520000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a510000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a4e0000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a4d0000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a4c0000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a4a0000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a490000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a430000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a410000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a400000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460):\memory_0a3f0000";"Virus found Win32/PEPatch";"Object is inaccessible."
    "C:\Mozilla Firefox\firefox.exe (2460)";"Virus found Win32/PEPatch";""

    Augh! I don't know what to do.

    Jenn
     
  2. DSTM (Dougie)

    Hi Jenn. Welcome to CHF. :)

    Our Malware Specialist will help you clean your OS.

    Please follow the instructions carefully in this link, and post Logs in your next reply.

    Looks more complicated than it really is.

    http://computerhelpf...e-removal-help/
     
  3. starbuck

    Hi Jenn,

    I'll just add a quick reply here so that I get a notification of any reply you add.
    Please follow the instructions in the link given and I'll take a look for you.
     
  4. MaxArk68

    Thank you soooo much for being here to offer your support and advice ....
    I've followed the directions provided, I think, successfully and I present to you the information from the logs requested.
    I anxiously await further direction, but not without again saying thank you.

    (BTW ... if it matters, the procedures that were conducted were done remotely using TeamViewer software)

    Jenn

    GMER Report
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-16 21:58:53
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-6 ST380815AS rev.4.AAB
    Running: 9jkwecis.exe; Driver: C:\DOCUME~1\Pc\LOCALS~1\Temp\fwtyraod.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764387E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7643BFE]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Mozilla Firefox\firefox.exe[3792] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Mozilla Firefox\plugin-container.exe[3952] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    MBAM Scan Report
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5339

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    12/16/2010 7:06:03 PM
    mbam-log-2010-12-16 (19-06-03).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 205063
    Time elapsed: 44 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    OTL.txt
    OTL logfile created on: 12/16/2010 7:48:05 PM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Pc\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,013.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.52 Gb Total Space | 56.89 Gb Free Space | 76.35% Space Free | Partition Type: NTFS

    Computer Name: PC-7029A0E7E2D6 | User Name: Pc | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Pc\My Documents\Downloads\OTL.exe (OldTimer Tools)
    PRC - C:\Security\Emsisoft Anti-Malware\a2service.exe (Emsi Software GmbH)
    PRC - C:\Security\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Security\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Security\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Security\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Security\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Security\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Security\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
    PRC - C:\Program Files\iWin Games\iWinTrusted.exe (iWin Inc.)
    PRC - C:\Program Files\TeamViewer\Version5\TeamViewer.exe (TeamViewer GmbH)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
    PRC - C:\Documents and Settings\Pc\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
    PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
    PRC - C:\Security\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    PRC - C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe ()
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Pc\My Documents\Downloads\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
    MOD - C:\Program Files\TeamViewer\Version5\TV.dll (TeamViewer GmbH)


    ========== Win32 Services (SafeList) ==========

    SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
    SRV - (a2AntiMalware) -- C:\Security\Emsisoft Anti-Malware\a2service.exe (Emsi Software GmbH)
    SRV - (avg9emc) -- C:\Security\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
    SRV - (avg9wd) -- C:\Security\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
    SRV - (iWinTrusted) -- C:\Program Files\iWin Games\iWinTrusted.exe (iWin Inc.)
    SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
    SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (FXDrv32) -- D:\FXDrv32.sys File not found
    DRV - (a2acc) -- C:\Security\Emsisoft Anti-Malware\a2accx86.sys (Emsi Software GmbH)
    DRV - (AvgTdiX) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AvgLdx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (AvgMfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
    DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
    DRV - (pavboot) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
    DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
    DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
    DRV - (LGII2CDevice) -- C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys ()
    DRV - (LGDDCDevice) -- C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys ()
    DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
    DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
    DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
    DRV - (irsir) -- C:\WINDOWS\system32\drivers\irsir.sys (Microsoft Corporation)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Secure Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.cogeco.ca/cable/on/en/mycogeco/home.html"
    FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
    FF - prefs.js..extensions.enabledItems: {98e34367-8df7-42b4-837b-20b892ff0849}:1.6
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="


    FF - HKLM\software\mozilla\Firefox\Extensions\\{98e34367-8df7-42b4-837b-20b892ff0849}: C:\Program Files\iWin Games\firefox\ [2010/07/11 06:49:15 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Security\AVG\AVG9\Firefox [2010/11/25 18:39:22 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Mozilla Firefox\components [2010/12/11 22:15:52 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Mozilla Firefox\plugins [2010/12/11 22:15:52 | 000,000,000 | ---D | M]

    [2009/08/16 23:04:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Mozilla\Extensions
    [2010/12/16 18:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Mozilla\Firefox\Profiles\wnjw9bx8.default\extensions
    [2010/04/27 19:40:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Pc\Application Data\Mozilla\Firefox\Profiles\wnjw9bx8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    O1 HOSTS File: ([2004/08/06 16:16:38 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Security\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [a-squared] C:\Security\Emsisoft Anti-Malware\a2guard.exe (Emsi Software GmbH)
    O4 - HKLM..\Run: [AVG9_TRAY] C:\Security\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Security\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKCU..\Run: [WeatherEye] C:\Documents and Settings\Pc\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
    O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\sECURITY\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\forteManager.lnk = C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Vacation%20Quest%20-%20The%20Hawaiian%20Islands/Images/stg_drm.ocx (SpinTop DRM Control)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250491454734 (WUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194 24.226.1.94
    O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Security\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Pc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Pc\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/08/12 05:35:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found


    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902053519425536)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/12/16 18:19:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Application Data\Malwarebytes
    [2010/12/16 18:19:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/12/16 18:19:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/12/16 18:19:21 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/12/16 18:13:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pc\Desktop\ERUNT
    [2010/12/16 05:51:14 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
    [2010/12/16 05:50:17 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
    [2010/12/15 18:32:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2010/12/15 17:59:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Pc\My Documents\Anti-Malware
    [2010/12/15 05:28:12 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
    [2010/12/15 05:27:11 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
    [2010/12/11 05:59:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Perfect-Tree
    [2010/12/05 00:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2010/11/18 10:12:44 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isign32.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/12/16 19:34:01 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/12/16 18:19:25 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/12/16 18:09:30 | 069,002,259 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
    [2010/12/16 18:00:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/12/16 18:00:02 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/12/16 18:00:02 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
    [2010/12/16 17:59:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/12/15 20:59:08 | 000,026,852 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\Spybot - Search & Destroy scan report.tif
    [2010/12/15 20:54:30 | 000,003,412 | ---- | M] () -- C:\Documents and Settings\Pc\My Documents\12-15-10AVG.csv
    [2010/12/15 19:57:50 | 000,000,245 | -HS- | M] () -- C:\boot.ini
    [2010/12/15 08:24:19 | 000,137,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/12/15 08:17:36 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/12/11 22:15:53 | 000,001,432 | ---- | M] () -- C:\Documents and Settings\Pc\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/12/11 22:15:53 | 000,001,414 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/12/05 00:12:02 | 000,001,546 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\More Great Games.lnk
    [2010/12/05 00:04:28 | 000,001,596 | ---- | M] () -- C:\Documents and Settings\Pc\Application Data\Microsoft\Internet Explorer\Quick Launch\Game Manager.lnk
    [2010/12/05 00:04:28 | 000,001,578 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Game Manager.lnk
    [2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/11/29 01:25:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    [2010/11/29 01:11:08 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\Facebook (2).url
    [2010/11/21 02:26:36 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2010/11/21 02:25:41 | 000,000,178 | ---- | M] () -- C:\Documents and Settings\Pc\Desktop\More SpinTop Games.url
    [2010/11/18 10:12:44 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\isign32.dll
    [2010/11/18 10:12:44 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isign32.dll

    ========== Files Created - No Company Name ==========

    [2010/12/16 18:19:25 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/12/15 20:59:06 | 000,026,852 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\Spybot - Search & Destroy scan report.tif
    [2010/12/15 20:54:30 | 000,003,412 | ---- | C] () -- C:\Documents and Settings\Pc\My Documents\12-15-10AVG.csv
    [2010/12/11 22:15:53 | 000,001,432 | ---- | C] () -- C:\Documents and Settings\Pc\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/12/11 22:15:53 | 000,001,414 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/12/05 00:12:02 | 000,001,546 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\More Great Games.lnk
    [2010/12/05 00:04:28 | 000,001,596 | ---- | C] () -- C:\Documents and Settings\Pc\Application Data\Microsoft\Internet Explorer\Quick Launch\Game Manager.lnk
    [2010/12/05 00:04:28 | 000,001,578 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Game Manager.lnk
    [2010/11/29 01:11:08 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Pc\Desktop\Facebook (2).url
    [2009/09/03 07:15:30 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL
    [2009/09/03 07:07:47 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/08/17 01:01:07 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
    [2009/08/17 00:57:41 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5016.dll
    [2009/08/16 23:10:47 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
    [2009/08/15 22:39:03 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Pc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/08/15 21:55:25 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4885.dll
    [2009/08/11 22:23:49 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

    ========== LOP Check ==========

    [2010/09/26 06:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
    [2010/08/06 07:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2010/02/14 06:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
    [2010/02/28 07:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Casual Box
    [2010/01/15 23:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cateia Games
    [2009/12/30 06:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Christmasville
    [2010/01/25 04:01:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum2
    [2010/10/31 05:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flood Light Games
    [2010/06/20 04:04:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Floodlight Games
    [2010/10/31 05:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FloodLightGames
    [2010/09/11 05:22:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
    [2010/02/18 22:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gamers Digital
    [2009/12/14 06:50:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gogii
    [2010/02/12 23:13:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HideAndSecret3
    [2010/03/27 05:46:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\incredible express
    [2010/02/02 08:04:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IntDreams
    [2010/01/21 03:02:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intenium
    [2009/08/26 22:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
    [2010/02/17 04:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
    [2009/09/03 08:37:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia
    [2010/04/21 23:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Merscom
    [2010/12/05 00:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2010/02/09 06:42:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Million
    [2009/11/19 06:26:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Media
    [2010/12/11 05:59:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Perfect-Tree
    [2010/09/25 04:24:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
    [2010/01/26 02:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayPond
    [2009/11/28 07:09:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PoBros
    [2010/02/11 07:37:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SugarGames
    [2010/12/13 07:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2010/04/11 05:48:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Top Evidence
    [2010/01/27 04:24:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Valusoft
    [2009/09/03 08:14:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
    [2009/08/17 00:24:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    [2010/01/30 03:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\2monkeys
    [2010/10/07 02:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Artifex Mundi
    [2009/10/16 23:02:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Awem
    [2010/01/29 04:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Azuaz Games
    [2010/03/23 03:37:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\AzuazGames
    [2010/02/23 02:18:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Big Fish Games
    [2010/08/14 05:31:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Boolat Games
    [2010/06/03 07:34:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Boomzap
    [2009/12/28 01:05:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\BrokenHearts
    [2009/08/17 00:33:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/09/10 06:00:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Dekovir
    [2010/02/17 00:14:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Enki Games
    [2010/03/06 04:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\ERS G-Studio
    [2010/09/13 02:28:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\ERS Game Studios
    [2010/02/26 06:42:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Flood Light Games
    [2010/06/20 04:04:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Floodlight Games
    [2010/10/31 05:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\FloodLightGames
    [2009/12/29 03:49:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Friday's games
    [2010/03/05 06:19:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Frogwares
    [2010/05/25 22:46:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Fugazo
    [2010/02/10 02:06:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\funkitron
    [2010/09/11 05:22:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\GameHouse
    [2010/04/13 03:09:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\GameInvest
    [2010/02/18 22:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Gamers Digital
    [2010/04/30 23:59:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Go-Go Gourmet Chef of the Year
    [2010/05/12 05:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Gold Casual Games
    [2009/11/06 04:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\HdO Adventure
    [2010/02/22 04:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\LaJangada
    [2009/08/21 08:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Leadertech
    [2009/09/03 08:37:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Ludia
    [2010/02/20 02:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Meridian93
    [2010/04/21 23:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Merscom
    [2010/07/13 05:34:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\My Games
    [2010/01/22 06:37:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\MysteryStudio
    [2010/11/13 06:31:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Namco
    [2010/01/31 07:11:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\OtherSide Realm of Eons
    [2010/02/02 08:05:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Pirateville
    [2010/09/25 04:24:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\PlayFirst
    [2009/11/28 04:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Playrix Entertainment
    [2009/11/28 07:09:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\PoBros
    [2010/05/08 23:16:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Pogo Games
    [2010/03/18 03:07:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\QB9
    [2010/03/09 03:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Silverback Productions
    [2009/09/08 05:22:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\SpinTop
    [2010/01/23 07:20:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\SpinTop Games
    [2010/03/18 05:56:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Sudden Games
    [2010/08/06 08:02:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\TeamViewer
    [2010/01/20 03:39:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\TheFixerUpper
    [2010/01/23 03:03:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\TitanicMystery
    [2010/04/11 05:48:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Top Evidence
    [2010/01/27 04:24:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Valusoft
    [2010/03/12 07:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Pc\Application Data\Winv1001
    [2010/11/29 01:25:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
    [2010/12/16 18:00:02 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/03 21:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2009/08/16 23:10:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2009/08/16 23:10:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
    [2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/03 21:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2009/08/16 23:10:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2009/08/16 23:10:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
    [2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
    [2004/08/03 18:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
    [2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
    [2004/08/03 20:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
    [2004/08/03 20:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

    < MD5 for: SCECLI.DLL >
    [2004/08/03 20:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
    [2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2010/11/05 16:34:11 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
    [2010/11/05 16:34:11 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E944EED9
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BE7A0841
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:54F509D4
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE89EC6F
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86240745
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:77A023CE
    @Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:971C465E
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D853F961
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:66160CBE
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A99DEB7
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F2BA284
    @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:860D9052
    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FAB64002
    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE875C30
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D373CB5C
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF4D7176
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7CC16245
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6D73F267
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4BFE8B22
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F1020F9B
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CEDA49F4
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1807741D
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7ACDD583
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7867C00C
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6CFD36EA
    @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:721C42E8
    @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0479E312
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BDBE6E37
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2D3E25B5
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2AEB42F1
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF0DB8AB
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCC862FF
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:56EE2CAF
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:50F94E7B
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94124B85
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7965CDCE
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:51EFAA18
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E6BA54F4
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D57855C9
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0ED9DB7
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C48A983C
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF9BF410
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7EF59135
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2A27E0C5
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CDC1B76E
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7FD199E4
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CC3B9D1
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DDA2D0EB
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ACBFC561
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:891DBAFE
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:46B38AB3
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EE459A42
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6348AC97
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F878F14A
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B7C6AAAB
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:61B54B15
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94213A87
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6017A808
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A448DB2
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D6BEA85D
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A724744F
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62EBE39C
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:13AAA187
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:04FDFCF6
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:04F67B3D
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8C08E7E
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B2D6B94
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:439A20A3
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:115FA012
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4F0E275
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5080697C
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:433D3C5D
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1BCFD4A
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90C12AC3
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:864881BF
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:53DF4438
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F0E0213B
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EF258AD5
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE07EBE7
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB21167F
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A2D1995
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FECD2924
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC179F0
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5FFC2819
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B9582E0
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3325D6E9
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C8DBFC0
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A7D5964
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:30D56838
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A74923C
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CFAE7666
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2DF54B62
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF6A6C8A
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B77C5DEF
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B64F7263
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A774141A
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5795E8B2
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57777E90
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:43A7A7AD
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:32C53B21
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:26233902
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:19823AC6
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E341035
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EDF6588A
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F8486EE
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5946EFF
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:980AF986
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91DEEE71
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91FDFB7B
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8F09BC2E
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8D3E85F9
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A032A04
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B4F28B0
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DCEDB1E
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0441DB7A
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9B7E8561
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8DED4A5E
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2A6BF249
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CA408490
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CA0CE093
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C552BEDE
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A0CB43B2
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4CEC0A38
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2BDCFAD6
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:15606AA7
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D41AB8D0
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E7071A3A
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F869815
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1898E06D
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F0A3E54E
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9C31E38F
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2A4723E0
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F216755A
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BBE07C18
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:81D20369
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2E426A1F
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FFA09FC6
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:343BD036
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CAB5D296
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C2EDE671
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:862ED89E
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B6F7F60
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A93A9C0
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6407DD2D
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C72DC93
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2D5907B8
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEAB1922
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B8D05F1B
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:583CBBD2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:44F23DBB
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F40CED0
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:50F1E014
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C3284F67
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D35663D1
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8D6DC04C
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C60A173
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A91EC54E
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7F24D3D8
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:204C7BBB
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6AF0C155
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E7D2424
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5848893E

    < End of report >

    Extras.tx
    OTL Extras logfile created on: 12/16/2010 7:48:05 PM - Run 1
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Pc\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,013.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 63.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.52 Gb Total Space | 56.89 Gb Free Space | 76.35% Space Free | Partition Type: NTFS

    Computer Name: PC-7029A0E7E2D6 | User Name: Pc | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- "C:\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "3389:TCP" = 3389:TCP:*:Enabled:mad:xpsp2res.dll,-22009

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- File not found
    "C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
    "C:\Program Files\iWin Games\iWinGames.exe" = C:\Program Files\iWin Games\iWinGames.exe:*:Enabled:iWin Games application. -- (iWin Inc.)
    "C:\Program Files\iWin Games\WebUpdater.exe" = C:\Program Files\iWin Games\WebUpdater.exe:*:Enabled:iWin Games updater. -- ()
    "C:\Security\AVG\AVG9\avgemc.exe" = C:\Security\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Security\AVG\AVG9\avgupd.exe" = C:\Security\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Security\AVG\AVG9\avgnsx.exe" = C:\Security\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\TeamViewer\Version5\TeamViewer.exe" = C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{237329C7-B3D6-4BC2-8BF4-CE9D5A5205B4}" = Classic Games Galore
    "{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 22
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
    "{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
    "{DA6FAB8D-E87A-4E8E-A3D3-B7B9F479C725}" = forteManager
    "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
    "{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
    "ActiveScan 2.0" = Panda ActiveScan 2.0
    "Ad-Aware" = Ad-Aware
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Agatha Christie - Death on the NileJust For Fun Games" = Agatha Christie - Death on the NileJust For Fun Games
    "Agatha Christie - Peril at End HouseJust For Fun Games" = Agatha Christie - Peril at End HouseJust For Fun Games
    "Agatha Christie Dead Mans Folly % CompanyName%" = Agatha Christie Dead Mans Folly % CompanyName%
    "AVG9Uninstall" = AVG Free 9.0
    "Belarc Advisor" = Belarc Advisor 8.1
    "BFGC" = Big Fish Games: Game Manager
    "Big City Adventure San Francisco" = Big City Adventure San Francisco (remove only)
    "CANONBJ_Deinstall_CNMCP58.DLL" = Canon i560
    "Double Play Family Feud and Family Feud II_is1" = Double Play Family Feud and Family Feud II
    "Dr. Lynch: Grave Secrets" = Dr. Lynch: Grave Secrets (remove only)
    "Dream Day Wedding % CompanyName%" = Dream Day Wedding % CompanyName%
    "Dream Sleuth" = Dream Sleuth (remove only)
    "Emsisoft Anti-Malware_is1" = Emsisoft Anti-Malware 5.1
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "Hidden Magic" = Hidden Magic (remove only)
    "Hidden Wonders of the Depths" = Hidden Wonders of the Depths (remove only)
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "iWinArcade" = iWin Games (remove only)
    "Mah Jong Quest" = Mah Jong Quest (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MSNINST" = MSN
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Nora Roberts Vision In White 1.00" = Nora Roberts Vision In White 1.00
    "Pirateville" = Pirateville (remove only)
    "PJ Pride Pet Detective" = PJ Pride Pet Detective (remove only)
    "Righteous Kill 2" = Righteous Kill 2 (remove only)
    "SCRABBLE" = SCRABBLE
    "TeamViewer 5" = TeamViewer 5
    "The Hidden Object Show 2" = The Hidden Object Show 2 (remove only)
    "Tropico Jong_is1" = Tropico Jong
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "WeatherEye" = WeatherEye

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 10/12/2010 10:13:55 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 10/30/2010 8:46:59 AM | Computer Name = PC-7029A0E7E2D6 | Source = MsiInstaller | ID = 10005
    Description = Product: Java Runtime Environment -- Internal Error 2753. ytb.exe

    Error - 11/9/2010 8:35:41 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 11/11/2010 10:38:30 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 11/15/2010 11:29:51 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 11/21/2010 9:49:08 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 11/22/2010 8:53:02 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 11/28/2010 10:32:48 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 12/1/2010 11:16:25 AM | Computer Name = PC-7029A0E7E2D6 | Source = Windows Live Messenger | ID = 1000
    Description =

    Error - 12/13/2010 11:16:57 AM | Computer Name = PC-7029A0E7E2D6 | Source = Application Error | ID = 1000
    Description = Faulting application familyfeud.exe, version 0.0.0.0, faulting module
    libpng1.dll, version 1.0.8.0, fault address 0x0000dfc6.

    [ System Events ]
    Error - 11/13/2010 11:46:34 PM | Computer Name = PC-7029A0E7E2D6 | Source = W32Time | ID = 39452706
    Description = The time service has detected that the system time needs to be changed
    by -54503 seconds. The time service will not change the system time by more than
    -54000 seconds. Verify that your time and time zone are correct, and that the time
    source time.windows.com (ntp.m|0x1|24.141.246.124:123->207.46.232.182:123) is working
    properly.

    Error - 11/21/2010 2:16:12 PM | Computer Name = PC-7029A0E7E2D6 | Source = W32Time | ID = 39452706
    Description = The time service has detected that the system time needs to be changed
    by -54510 seconds. The time service will not change the system time by more than
    -54000 seconds. Verify that your time and time zone are correct, and that the time
    source time.windows.com (ntp.m|0x1|24.141.246.124:123->207.46.197.32:123) is working
    properly.

    Error - 12/12/2010 11:33:20 PM | Computer Name = PC-7029A0E7E2D6 | Source = W32Time | ID = 39452706
    Description = The time service has detected that the system time needs to be changed
    by -54527 seconds. The time service will not change the system time by more than
    -54000 seconds. Verify that your time and time zone are correct, and that the time
    source time.windows.com (ntp.m|0x1|24.141.246.124:123->207.46.197.32:123) is working
    properly.

    Error - 12/16/2010 9:49:24 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7031
    Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
    has done this 1 time(s). The following corrective action will be taken in 5000
    milliseconds: Restart the service.

    Error - 12/16/2010 9:49:36 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7031
    Description = The AVG Free WatchDog service terminated unexpectedly. It has done
    this 1 time(s). The following corrective action will be taken in 0 milliseconds:
    Restart the service.

    Error - 12/16/2010 9:49:36 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7034
    Description = The iWinTrusted service terminated unexpectedly. It has done this
    1 time(s).

    Error - 12/16/2010 9:49:36 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7034
    Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s).

    Error - 12/16/2010 9:49:36 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7034
    Description = The Java Quick Starter service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 12/16/2010 9:49:38 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7034
    Description = The AVG Free E-mail Scanner service terminated unexpectedly. It has
    done this 1 time(s).

    Error - 12/16/2010 9:49:58 PM | Computer Name = PC-7029A0E7E2D6 | Source = Service Control Manager | ID = 7031
    Description = The Emsisoft Anti-Malware 5.0 - Service service terminated unexpectedly.
    It has done this 1 time(s). The following corrective action will be taken in
    0 milliseconds: Restart the service.


    < End of report >
     
  5. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Jenn,

    Let's clean up a few entries and then take a closer look.

    Step 1
    Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.
    You can enable it again after you're clean.
    Open Spybot and click on 'Mode' then click 'Advanced Mode'.
    Click on 'Tools' in bottom left hand corner.
    Click on the 'System Startup' icon.
    Uncheck 'Teatimer' box and/or uncheck 'Resident'.
    Then, check next to the computer clock to see if the icon for Spybot is still there.
    If it is, right click it and choose 'exit Spybot-S&D Resident'.

    Reboot the computer.

    Step 2
    Double click on OTL.exe to run it.
    Copy the lines in bold below (make sure that :Otl is on the first line).

    :Otl
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E944EED9
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BE7A0841
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:54F509D4
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE89EC6F
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86240745
    @Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:77A023CE
    @Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:971C465E
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D853F961
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:66160CBE
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A99DEB7
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F2BA284
    @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:860D9052
    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FAB64002
    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE875C30
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D373CB5C
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF4D7176
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7CC16245
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6D73F267
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4BFE8B22
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F1020F9B
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CEDA49F4
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1807741D
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7ACDD583
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7867C00C
    @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6CFD36EA
    @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:721C42E8
    @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0479E312
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BDBE6E37
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2D3E25B5
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2AEB42F1
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DF0DB8AB
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCC862FF
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:56EE2CAF
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:50F94E7B
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94124B85
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7965CDCE
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:51EFAA18
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E6BA54F4
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D57855C9
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0ED9DB7
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C48A983C
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF9BF410
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7EF59135
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2A27E0C5
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CDC1B76E
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7FD199E4
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2CC3B9D1
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DDA2D0EB
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ACBFC561
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:891DBAFE
    @Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:46B38AB3
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EE459A42
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6348AC97
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F878F14A
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B7C6AAAB
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:61B54B15
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94213A87
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6017A808
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A448DB2
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D6BEA85D
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A724744F
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62EBE39C
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:13AAA187
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:04FDFCF6
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:04F67B3D
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8C08E7E
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B2D6B94
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:439A20A3
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:115FA012
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4F0E275
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5080697C
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:433D3C5D
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1BCFD4A
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90C12AC3
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:864881BF
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:53DF4438
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F0E0213B
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EF258AD5
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE07EBE7
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB21167F
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A2D1995
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FECD2924
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC179F0
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5FFC2819
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B9582E0
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3325D6E9
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C8DBFC0
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A7D5964
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:30D56838
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A74923C
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CFAE7666
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2DF54B62
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF6A6C8A
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B77C5DEF
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B64F7263
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A774141A
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5795E8B2
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57777E90
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:43A7A7AD
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:32C53B21
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:26233902
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:19823AC6
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E341035
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EDF6588A
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F8486EE
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5946EFF
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:980AF986
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91DEEE71
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91FDFB7B
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8F09BC2E
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8D3E85F9
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A032A04
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B4F28B0
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DCEDB1E
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0441DB7A
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9B7E8561
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8DED4A5E
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2A6BF249
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CA408490
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CA0CE093
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C552BEDE
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A0CB43B2
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4CEC0A38
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2BDCFAD6
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:15606AA7
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D41AB8D0
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E7071A3A
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F869815
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1898E06D
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F0A3E54E
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9C31E38F
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2A4723E0
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F216755A
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BBE07C18
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:81D20369
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2E426A1F
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FFA09FC6
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:343BD036
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CAB5D296
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C2EDE671
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:862ED89E
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B6F7F60
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A93A9C0
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6407DD2D
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C72DC93
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2D5907B8
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEAB1922
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B8D05F1B
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:583CBBD2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:44F23DBB
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F40CED0
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:50F1E014
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C3284F67
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D35663D1
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8D6DC04C
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7C60A173
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A91EC54E
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7F24D3D8
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:204C7BBB
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6AF0C155
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E7D2424
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5848893E

    :Files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [purity]
    [RESETHOSTS]
    [EMPTYFLASH]


    • Return to OTL,
    • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.


    • Click the red Run Fix button.
    • OTL will reboot your system once the fix has completed.
    • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

    Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

    If you lose the report, there will be a copy here:
    C:\_OTL\MovedFiles

    Step 3
    ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first, then reinstall it afterwards.

    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2


    This is an example, you may rename ComboFix to anything you want.

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read:
      How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Then:

      Double click on Combo-Fix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

      If running Vista, you may not see this screen.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    In your next reply, please submit:
    OTL fix report
    Combofix.txt


    Thanks.
     
    Last edited by a moderator: Feb 3, 2014
  6. MaxArk68

    MaxArk68

    Joined:
    Dec 15, 2010
    Messages:
    7
    Location:
    Ontario
    Operating System:
    Windows 7
    Thank you so much Starbuck for your continued support. I so appreciate it.
    I hope I did everything correctly. I continue to have my internet connection unplugged until we can figure this mess out.
    Here are the two logs requested:

    OTL

    processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:E944EED9 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:BE7A0841 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:54F509D4 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CE89EC6F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:86240745 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:77A023CE deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:971C465E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D853F961 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:66160CBE deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5A99DEB7 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0F2BA284 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:860D9052 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:FAB64002 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DE875C30 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D373CB5C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:AF4D7176 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7CC16245 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6D73F267 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4BFE8B22 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F1020F9B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CEDA49F4 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1807741D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7ACDD583 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7867C00C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6CFD36EA deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:721C42E8 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0479E312 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:BDBE6E37 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2D3E25B5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2AEB42F1 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DF0DB8AB deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DCC862FF deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:56EE2CAF deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:50F94E7B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:94124B85 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7965CDCE deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:51EFAA18 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:E6BA54F4 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D57855C9 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D0ED9DB7 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:C48A983C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:AF9BF410 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7EF59135 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2A27E0C5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CDC1B76E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7FD199E4 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2CC3B9D1 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DDA2D0EB deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:ACBFC561 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:891DBAFE deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:46B38AB3 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:EE459A42 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6348AC97 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F878F14A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B7C6AAAB deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:61B54B15 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:94213A87 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6017A808 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4A448DB2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D6BEA85D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A724744F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:62EBE39C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:13AAA187 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:04FDFCF6 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:04F67B3D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8C08E7E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4B2D6B94 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:439A20A3 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:115FA012 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B4F0E275 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5080697C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:433D3C5D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1BCFD4A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:90C12AC3 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:864881BF deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:53DF4438 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F0E0213B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:EF258AD5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DE07EBE7 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB21167F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4A2D1995 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:FECD2924 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC179F0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5FFC2819 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:3B9582E0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:3325D6E9 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8C8DBFC0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4A7D5964 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:30D56838 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0A74923C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CFAE7666 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2DF54B62 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CF6A6C8A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B77C5DEF deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B64F7263 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A774141A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5795E8B2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:57777E90 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:43A7A7AD deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:32C53B21 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:26233902 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:19823AC6 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0E341035 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:EDF6588A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5F8486EE deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:E5946EFF deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:980AF986 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:91DEEE71 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:91FDFB7B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8F09BC2E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8D3E85F9 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7A032A04 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:3B4F28B0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1DCEDB1E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:0441DB7A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9B7E8561 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8DED4A5E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2A6BF249 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CA408490 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CA0CE093 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:C552BEDE deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A0CB43B2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:4CEC0A38 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2BDCFAD6 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:15606AA7 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D41AB8D0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:E7071A3A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5F869815 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1898E06D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F0A3E54E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:9C31E38F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2A4723E0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F216755A deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:BBE07C18 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:81D20369 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2E426A1F deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:FFA09FC6 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:343BD036 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CAB5D296 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:C2EDE671 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:862ED89E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5B6F7F60 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1A93A9C0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6407DD2D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7C72DC93 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2D5907B8 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:172EB9B5 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:BEAB1922 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:B8D05F1B deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:583CBBD2 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:44F23DBB deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:2F40CED0 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:50F1E014 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:C3284F67 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:D35663D1 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:8D6DC04C deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7C60A173 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:A91EC54E deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:7F24D3D8 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:204C7BBB deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6AF0C155 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:6E7D2424 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5848893E deleted successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Pc\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\Pc\My Documents\Downloads\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Pc
    ->Temp folder emptied: 593892 bytes
    ->Temporary Internet Files folder emptied: 1274054 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 46119538 bytes
    ->Flash cache emptied: 456 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 96113 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 46.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    User: Pc
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.3 log created on 12202010_134255

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

    COMBOFIX

    ComboFix 10-12-20.01 - Pc 12/20/2010 14:27:33.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.554 [GMT -8:00]
    Running from: c:\documents and settings\Pc\Desktop\pkComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\iWin Games\iWinGamesHookIE.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-20 to 2010-12-20 )))))))))))))))))))))))))))))))
    .

    2010-12-20 21:42 . 2010-12-20 21:42 -------- d-----w- C:\_OTL
    2010-12-17 02:19 . 2010-12-17 02:19 -------- d-----w- c:\documents and settings\Pc\Application Data\Malwarebytes
    2010-12-17 02:19 . 2010-12-17 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-17 02:19 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-17 02:19 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-16 13:51 . 2009-06-30 18:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-12-16 13:50 . 2010-12-16 13:50 -------- d-----w- c:\program files\Panda Security
    2010-12-15 13:28 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 13:27 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-11 13:59 . 2010-12-11 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Perfect-Tree
    2010-12-05 08:13 . 2010-12-05 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2009-08-12 13:32 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:34 . 2004-08-04 04:56 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34 . 2004-08-04 04:56 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34 . 2004-08-04 04:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34 . 2004-08-04 04:56 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25 . 2004-08-04 02:59 389120 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-07 00:17 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-04 04:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-04 03:17 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WeatherEye"="c:\documents and settings\Pc\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-19 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-19 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-19 150040]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-11 16861184]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-12-25 1687552]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\security\Spybot - Search & Destroy\TeaTimer.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\iWin Games\\iWinGames.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/16/2010 5:51 AM 28552]
    R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [7/7/2010 12:50 PM 176408]
    R3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [12/25/2009 8:15 PM 18432]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/1/2009 4:42 AM 135664]
    S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
    S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [12/25/2009 8:15 PM 14336]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 12:42]

    2010-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-01 12:42]

    2010-12-20 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\micros~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Pc\Application Data\Mozilla\Firefox\Profiles\wnjw9bx8.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.cogeco.ca/cable/on/en/mycogeco/home.html
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: iWinGames Plugin: {98e34367-8df7-42b4-837b-20b892ff0849} - c:\program files\iWin Games\firefox
    FF - user.js: yahoo.homepage.dontask - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-20 14:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-527237240-492894223-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:8f,04,57,1f,60,26,3f,c9,9a,7b,d6,80,56,15,b3,78,e1,78,e9,11,66,38,80,
    79,51,fd,db,9a,c8,2d,33,30,13,d5,fc,17,c8,ee,3d,c0,65,0e,a3,9c,68,ef,28,53,\
    "??"=hex:c6,a5,a4,46,2c,03,16,89,df,bd,b3,92,63,93,47,cf
    .
    Completion time: 2010-12-20 14:31:42
    ComboFix-quarantined-files.txt 2010-12-20 22:31

    Pre-Run: 61,542,682,624 bytes free
    Post-Run: 61,518,422,016 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" oexecute=optin /fastdetect
    [spybotsd]
    timeout.old=30

    - - End Of File - - 4B3C47E42BFB412873353CB67125A222

    *&* Jenn *&*
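As an added example (not part of the thread, and not OTL's own code): a small Python check that parses the OTL fix script format used above and the fix log posted here, and reconciles the two, so a helper can confirm that every requested ADS deletion was actually acknowledged before moving on to the next step. The "not found" wording for an ADS result line is an assumption; the log above shows that status only for a registry key.

```python
"""Reconcile an OTL fix script against the OTL fix log it produced.

Added example, not part of the forum thread or of OTL itself. It handles the
two line formats that appear in the thread:
    @Alternate Data Stream - 110 bytes -> C:\\...\\TEMP:BEAB1922   (fix script)
    ADS C:\\...\\TEMP:BEAB1922 deleted successfully.              (fix log)
and reports requested streams the log never confirmed as deleted.
"""
import re
from dataclasses import dataclass

# One ':OTL' fix line; path is everything up to the last colon, stream after it.
ADS_REQUEST_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\ ]+)$"
)
# One fix-log result line. Status wording other than 'deleted successfully'
# (e.g. 'not found') is assumed, not taken from the thread.
ADS_RESULT_RE = re.compile(r"^ADS (?P<path>.+):(?P<stream>[^:\\ ]+) (?P<status>.+?)\.$")
# The streams in this thread are all named with 8 hex digits on a shared TEMP folder.
HEX_STREAM_RE = re.compile(r"^[0-9A-F]{8}$", re.I)


@dataclass(frozen=True)
class AdsRequest:
    path: str      # host file or directory that carries the stream
    stream: str    # stream name after the colon
    size: int      # bytes, as reported by OTL

    @property
    def key(self):
        # NTFS paths and stream names are case-insensitive.
        return (self.path.lower(), self.stream.lower())


def parse_fix_script(text):
    """Split an OTL fix script into its ':section' blocks (section name -> lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def ads_requests(sections):
    """ADS deletions requested in the ':OTL' section (other OTL lines are ignored)."""
    out = []
    for line in sections.get("otl", []):
        m = ADS_REQUEST_RE.match(line)
        if m:
            out.append(AdsRequest(m["path"], m["stream"], int(m["size"])))
    return out


def parse_fix_log(text):
    """Map (path, stream) -> status for every 'ADS ...' result line in the fix log."""
    results = {}
    for raw in text.splitlines():
        m = ADS_RESULT_RE.match(raw.strip())
        if m:
            results[(m["path"].lower(), m["stream"].lower())] = m["status"]
    return results


def reconcile(script_text, log_text):
    """Cross-check what the fix asked for against what the log confirms."""
    requests = ads_requests(parse_fix_script(script_text))
    results = parse_fix_log(log_text)
    asked = {r.key for r in requests}
    return {
        # confirmed: log says 'deleted successfully'; unresolved: anything else or no line at all
        "confirmed": [r for r in requests if results.get(r.key) == "deleted successfully"],
        "unresolved": [r for r in requests if results.get(r.key) != "deleted successfully"],
        # streams the log touched that the script never listed (a sign the wrong fix was pasted)
        "unexpected": sorted(k for k in results if k not in asked),
        "hex_named": [r for r in requests if HEX_STREAM_RE.match(r.stream)],
        "bytes": sum(r.size for r in requests),
    }


# Constructed sample: three ':OTL' lines taken from the fix above, the ':Files' and
# ':Commands' sections, and a fix log that confirms only two of the three streams
# and mentions one stream the script never asked about.
SAMPLE_SCRIPT = r"""
:OTL
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEAB1922
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:583CBBD2
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5848893E

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[RESETHOSTS]
"""

SAMPLE_LOG = r"""
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BEAB1922 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:583CBBD2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5848893E not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0F2BA284 deleted successfully.
========== FILES ==========
"""

if __name__ == "__main__":
    report = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    print(f"confirmed={len(report['confirmed'])} unresolved={len(report['unresolved'])} "
          f"unexpected={len(report['unexpected'])} bytes={report['bytes']}")
    for r in report["unresolved"]:
        print("  still to check:", r.path + ":" + r.stream)
```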
     
  7. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi MaxArk68,

    Everything looks good.

    Connect the system back to the internet:
    Change the passwords for any email accounts that you have ..... just to be on the safe side.

    I'd like you to do an ESET OnlineScan

    You may find it beneficial to close your resident AV program before running the scan.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [image] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on [image] to download the ESET Smart Installer.
        Save it to your desktop.
      • Double click on the [image] icon on your desktop.
    • Check [image]
    • Click the [image] button.
    • Accept any security warnings from your browser.
    • Check [image]
    • Click the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [image]
    • Click [image], and save the file to your desktop using a unique name, such as ESETScan.
      Include the contents of this report in your next reply.
    • Click the [image] button.
    • Click [image]
    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

    Thanks.
     
  8. MaxArk68

    MaxArk68

    Joined:
    Dec 15, 2010
    Messages:
    7
    Location:
    Ontario
    Operating System:
    Windows 7
    Happy New Year Starbuck ...
    I followed your latest direction ...

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=636f69556f68a14e88df16f52b84d343
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-01-03 12:04:34
    # local_time=2011-01-02 07:04:34 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1032 16777173 100 94 0 36346382 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=78899
    # found=0
    # cleaned=0
    # scan_time=3083

    Thank you for your continued support.

    Jenn
     
  9. MaxArk68

    MaxArk68

    Joined:
    Dec 15, 2010
    Messages:
    7
    Location:
    Ontario
    Operating System:
    Windows 7
    Hmmm ... I am still getting notices of email abuse from my ISP and threats of disconnection until it can be proven my computer is virus free. I guess the next step is to regrettably reformat and reinstall. :-(

    I haven't been able to change my password to my email account because of a technical issue with my ISP that is preventing me from accessing my account information to change my password. Because they are observing unusual email activity, are they saying it's from my computer specifically, or could it be from someone else's computer using my email account information?
     
  10. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi MaxArk68,

    This is one strange ISP.
    How can they prove your system is virus free?
    Have they asked you to run any scans and show them the results?

    Get in touch with them and tell them that the problem is theirs.
    How can you stop the emails if you are not allowed to change your passwords??

    This won't alter any email hacking of your accounts.

    The virus scans are showing everything as normal now, but this email account hacking is a different thing entirely.
    The only way to prevent it is to change the passwords or get your ISP to delete your email account and set you a new one.

    Failing that, I'd consider changing ISPs.
     
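    Added example (editor's code, not part of the thread and not from any tool mentioned in it): the question in the two posts above, whether the spam is leaving the user's own PC or being sent by someone else who has the account password, can usually be answered from the headers of one of the offending messages, which the ISP's abuse desk already has. Received: headers are stacked newest-first, so the last one records where the message entered the mail system. If that first hop is the user's own broadband address, the message was submitted from the PC (malware or a local mail client); if it came in through a webmail front end, or from an unrelated address that logged in with SMTP AUTH, the credentials were used from elsewhere and a password change is the fix. The sample headers, the home address 203.0.113.45 and the unrelated address 198.51.100.9 are constructed (RFC 5737 documentation ranges), as are all host names.

```python
"""
Walk the Received: chain of a spam message to tell "sent from this PC"
apart from "sent from elsewhere with this account's credentials".
Editor's added example; headers below are constructed test data.
"""
import email
import ipaddress
import re

# Constructed sample 1: message submitted directly from the user's home address.
SAMPLE_FROM_HOME_PC = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id 4A1B2C; Mon, 3 Jan 2011 12:01:02 -0500
Received: from smtp.isp.example (smtp.isp.example [192.0.2.20])
\tby mx.recipient.example with ESMTP; Mon, 3 Jan 2011 12:01:00 -0500
Received: from [203.0.113.45] (cpe-203-0-113-45.dyn.isp.example [203.0.113.45])
\tby smtp.isp.example with ESMTPA id 9X8Y7Z; Mon, 3 Jan 2011 12:00:58 -0500
From: jenn@isp.example
To: victim@recipient.example
Subject: Cheap watches

body
"""

# Constructed sample 2: same account, but submitted through the ISP's webmail
# from an address that is not the user's.
SAMPLE_FROM_WEBMAIL = """\
Received: from webmail.isp.example (webmail.isp.example [192.0.2.30])
\tby smtp.isp.example with ESMTP id 1Q2W3E; Tue, 4 Jan 2011 03:15:10 -0500
Received: from 198.51.100.9 (unknown [198.51.100.9])
\tby webmail.isp.example with HTTP; Tue, 4 Jan 2011 03:15:09 -0500
X-Originating-IP: [198.51.100.9]
From: jenn@isp.example
To: victim@recipient.example
Subject: Cheap watches

body
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def first_hop(raw_message):
    """Return (client_ip, used_smtp_auth, via_webmail) for the hop where the
    message entered the mail system, or None if there is no Received: header."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    # Headers are prepended by each relay, so the last one is the earliest hop.
    # Collapse folded continuation lines into one string before parsing.
    hop = " ".join(hops[-1].split())
    from_clause = hop.split(" by ", 1)[0]
    match = IP_RE.search(from_clause)
    client_ip = match.group(1) if match else None
    # Webmail front ends usually record the browser's address separately.
    originating = msg.get("X-Originating-IP")
    if originating:
        match = IP_RE.search(originating)
        client_ip = match.group(1) if match else client_ip
    # ESMTPA / ESMTPSA / SMTPA: the submitting client logged in with SMTP AUTH.
    used_smtp_auth = re.search(r"\bwith E?SMTPS?A\b", hop) is not None
    via_webmail = "with HTTP" in hop
    return client_ip, used_smtp_auth, via_webmail


def classify(raw_message, home_network):
    """Say whether the message left the user's own connection or someone
    else's, given the address block the ISP assigned to the user at the time."""
    info = first_hop(raw_message)
    if info is None or info[0] is None:
        return "undetermined"
    client_ip, used_smtp_auth, via_webmail = info
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(home_network):
        return "sent from your connection"
    if used_smtp_auth or via_webmail:
        return "sent from elsewhere with your credentials"
    return "sent from elsewhere without your credentials (sender address forged)"


if __name__ == "__main__":
    for label, sample in (("home PC", SAMPLE_FROM_HOME_PC),
                          ("webmail", SAMPLE_FROM_WEBMAIL)):
        print(label, "->", first_hop(sample), "->", classify(sample, "203.0.113.0/24"))
```

    Two caveats when applying this to a real report: the home address block must be the one the ISP had assigned to the user when the message was sent (broadband addresses change), and a "sent from elsewhere" verdict only rules out the PC as the submission point, not as the place the password was stolen from, so the scan and the password change both still need doing.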
  11. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    I am going to interject here and ask one basic question that may have already been answered. Are you certain that this is actually coming from your ISP? If so, I agree, dump them. Also please tell us who they are so we can all avoid them in the future.
     
  12. MaxArk68

    MaxArk68

    Joined:
    Dec 15, 2010
    Messages:
    7
    Location:
    Ontario
    Operating System:
    Windows 7
    Hi Starbuck,

    An update ...
    How can they prove my system is virus free? They can't. They have to take my word, I guess. I have had a friend that encountered a similar fate and she needed verification from a technician as proof. Yes ... they have asked to have results of scans forwarded to them. They have sent an exhaustive email of suggested steps ...
    - scan with their online virus scan, a spin-off of F-Secure Online which, unlike all the other many scans performed, found w/32/Malware!Gemini. I'm assuming it was a false positive as it didn't match any signs and symptoms common with it, and the file to check didn't even exist on my system.
    - scan with Pandascan Online, which came up with the Palladium virus in addition to tracking cookies
    - download and scan using an application called "Stinger", which came up negative
    - suggested ESET and Malwarebytes ... which you beat them to it

    Finally did that and someone helpful found the problem. And yes ... it was theirs. For some reason they had the account password reminder (I couldn't remember my password) email forwarding address wrong, so the reminder notices were never being sent. I could never get into my online account to change the password. This has now finally been done; however, they claim that changing the password won't stop the effects of the virus. (I guess they figure that the same sort of activity can't be symptomatic of a hacked email account, and only of a virus on the user's computer. That is why I asked that last question in my previous post, to see if spamming activity has to come from my computer.)

    Those are the words I want to hear!! LOL I am going to resume normal operation and see what comes about with the anticipated clean computer and changed email password.

    A couple of parting questions: How can one trust anti-virus and malware software scans when each one presents different results? How did my email account get compromised ... was it the result of a virus, or did I somehow unknowingly leak it out?

    Thank you sooooooo very much for all your help. I will admit this has been the most supportive and reliable forum I have visited for help. The people were kind, patient and you knew your stuff. I appreciate that you helped with a payment only of a simple thank you.
     
  13. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    There is no "simple" thank you! Every one we receive is treasured. :) Please feel free not to make a problem your only reason for being here.
     
  14. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Max,

    It may have been a false positive or the file may have been on the system in some form.
    The reason I say ... in some form, is that when we remove files from your system, they are not exactly removed.
    They are moved to a quarantine folder belonging to that particular program.
    eg: anything removed by Combofix is moved to the 'Qoobox'.
    anything removed by OTL is moved to: 'OTL\MovedFiles' folder.
    So it's possible another scan may find these files and flag them up ...... it all depends on the file path that their scan found the file in.
    Malware can also be backed up in your Restore points.
    All these folders are cleared out and removed when we finish the cleaning.
    The reason we leave them until the end is that a file may be removed by accident ..... so we still have the option of replacing them.

    Not really surprising .... Stinger has been outdated for a long time.

    This happens because each program searches in different ways and looks for different things.
    Plus some programs are designed to search for specific malware types.
    This is why we use more than one program to search for things.

    But I do have to say that I would never recommend AVG as an AV.
    You read all the time about false positives, not doing what it's meant to, AVG trying to force you to upgrade to the full paid-for version.
    I'd never have it on any of my systems.
    My recommended AV's are in the cleanup speech.

    It may have been a bit of both, or the info may have been achieved another way.
    You read all the time about companies getting hacked and members passwords etc being stolen.
    That's why it's best to change them every so often.

    Hope this answers some of your questions.

    Let's finish off and remove everything now.

    Step 1
    Restart MBAM.
    Click on the Quarantine tab
    Make sure everything is selected and then click Delete All.
    Close MBAM.

    Step 2
    • Please double-click OTL.exe to run it.
    • You should see a CleanUp! button, press that button.
    • This will remove any programs we have asked you to download along with their associated folders, plus itself.

    Note:
    MBAM will not be removed


    Step 3
    Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Select the drive for cleaning then click OK (usually 'C' drive)
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    To find out how you may have been infected....read this topic:
    So how did i get infected?

    Not all of the following information will be applicable to you, but it's still best to read it all.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    • Use an AntiVirus Software
      Note*:
      Upon installation MS Security Essentials will check that your OS is a legal copy.

      Only install one AntiVirus program
    • Update your AntiVirus Software regularly
    • Use a 3rd party Firewall NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

      Only install one software Firewall

      Some 3rd party Firewalls will turn off the windows firewall when they are installed.
      It's always best to check that the Windows Firewall is turned off:

      How to turn off Windows Firewall:
      Start ... Control Panel ...click on 'Classic View'.
      now select Windows Firewall.
      When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok
    • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
      Installing another scanner that you can run once or twice a week is always beneficial.
      Something like:
      Malwarebytes Anti-Malware
      SUPERAntiSpyware
      Remember to update these programs each time before running.
      You can install more than one of these if you only run them as stand alone programs.
    • Use an alternative browser:
      Some excellent alternatives to MS Internet Explorer are:

      Firefox
      For added security, add the NoScript extension to this browser:
      Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
      also consider adding:
      WOT - Safe Browsing Tool

      Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
      Btw: you don't have to make a contribution.

      Opera

      They offer better security, more stability, and better speed.
    • Keep a backup of your registry
      Keeping a regular backup of your registry will help when something goes wrong.
      Use a program like:
      Erunt

      A full tutorial on how to set up and use Erunt can be found here:
      Erunt tutorial
    • Keep your system clean of temp files etc, using a 'Cleaner':

      Cleaners are programs that will help to clean out your:
      Windows temp files
      Current user temp files
      Cookies
      Temporary Internet files
      Browser history
      Recycle bin
      Etc.......
      In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
      Programs like:
      CCleaner
      TFC by OldTimer
      ATF Cleaner
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:
      Using and installing SpywareBlaster
    • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Glad I was able to help.

    Safe surfing.
     