I must have downloaded a virus yesterday. Now, no program will run in Normal mode. I get the hourglass when mousing down to the taskbar. In Safe Mode I can perform HJT if executed from USB Stick. Can not execute Spybot S&D from USB Stick. Does nothing. Here is my HJT logfile.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:16 AM, on 1/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
G:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\David\LOCALS~1\Temp\wndutl32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe[/FONT]

--
End of file - 2877 bytes[/SIZE]

Hi

If you still need help with this post a fresh hjt log, please :)

Blade81, Thanks for replying. Nothing has changed. I have not been running this PC since the posting as its is virtually unusable. The HJT log is good and reflects the PC's current condition unchanged.

Ok. Then we do some cleaning :)


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Blade81, Thanks for replying.
Alas, its been initially frustrating installing the Recovery Console. I tried two different ways and was thwarted.

1. I attempted to boot straight from my Windows XP disk at startup. It definitely did something I had not ever seen before and came up with a blue screen that said Windows Setup. Then a fatal error message appeared which said: ftdisk.sys file is corrupted.

2. Then I attempted to go into SAFE mode and try to execute the Recovery Console exe file from the CD. It read it off the CD and gave me this message:

"Setup cannot continue because the version of Windows on your computer is newer than the version on the CD."

The CD says it is Windows XP Home (Version 2002). I know I am running either SP2 or SP3.

Ideas?

Hi

As said in the tutorial, you may install recovery console with an online download as well. The easiest way is to run ComboFix and allow recovery console installation when asked for permission.

Blade81,
Thanks.

If I can't make windows XP operate effectively, I am reduced to using DOS commands in SAFE MODE. I have combofix.exe on a USB stick. I am trying to copy that onto my problem computer. Where to I store Combofix.exe? The instructions say store it on your Desktop. But all I have is a C: I have copied combofix.exe off the USB stick to the affected C drive. How to I get ComboFix to execute from this location?

Hi

You can copy ComboFix.exe to root of c: drive too (c:\). To run ComboFix just go to where the file was copied in and write command ComboFix.exe :)

Blade81,
Hi. I copied it off the USB stick to c:
And I tried to execute it in SAFE Mode from C: by typing Combofix.exe and hitting enter. It does nothing. Just comes back with the c:

Hi

Before copying ComboFix to infected system rename ComboFix.exe -> CombFxx.exe. Then copy renamed file to your hard drive and try running it.

Hi Blade81,
I did as you suggested and renamed combofix to combofxx and copied to the c drive and ran it.

It started combofix and indicated it was loading it. Then it issued this message:

32788R22FWJFW\nircmd.com
X Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Ideas?

Hi again,


Please download ***OTViewIt**** (http://oldtimer.geekstogo.com/OTViewIt.exe) by ***OldTimer**** and save it to your Desktop.
Close all applications and windows.
Double-click on the ***OTViewIt.exe****to start OTViewIt.
Place a checkmark in the blue-colored Scan All Users checkbox.
Click the blue Run Scan button.
OTViewIt will now start its scan.
When the scan is complete, two text files will be created, ***OTViewIt.Txt**** <- this one will be opened in Notepad and ***Extras.txt**** on Desktop.
Copy ***(Ctrl+A then Ctrl+C)**** and paste ***(Ctrl+V)**** the contents of ***OTViewIt.Txt**** and the Extras.txt to your post.

PS. Did AVG warn anything when you tried to run ComboFix?

Blade81, Hi. From the previous post question; No, AVG issued no statement in the running of CombFix.
Here are the results of OTViewIT:




OTViewIt logfile created on: 1/24/2009 8:40:08 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5700.6)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

637.98 Mb Total Physical Memory | 514.33 Mb Available Physical Memory | 80.62% Memory free
2.46 Gb Paging File | 2.41 Gb Available in Paging File | 97.64% Paging File free
Paging file location(s): C:\pagefile.sys 960 1024;D:\pagefile.sys 960 1024;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 10.76 Gb Free Space | 14.44% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 1.38 Gb Free Space | 3.72% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 123.47 Mb Total Space | 31.26 Mb Free Space | 25.32% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SKUDLAREKFAMILY
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/04 01:56:48 | 00,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
[2009/01/24 20:14:16 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])
[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/10/22 16:54:12 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgamsvr.exe -- (Avg7Alrt [Auto | Stopped])
[2006/12/31 18:28:41 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgupsvc.exe -- (Avg7UpdSvc [Auto | Stopped])
[2007/12/21 08:45:22 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgemc.exe -- (AVGEMS [Auto | Stopped])
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2008/06/01 18:44:37 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2005/04/03 17:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2003/07/28 05:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Disabled | Stopped])
[2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2005/04/19 03:40:52 | 02,317,504 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Stopped])
[2007/10/22 16:53:57 | 00,821,856 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7core.sys -- (Avg7Core [System | Stopped])
[2006/12/31 18:28:47 | 00,004,224 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7rsw.sys -- (Avg7RsW [System | Stopped])
[2007/02/23 10:44:43 | 00,027,776 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avg7rsxp.sys -- (Avg7RsXP [System | Stopped])
[2007/12/21 08:45:25 | 00,010,760 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avgclean.sys -- (AvgClean [System | Running])
[2006/12/31 18:28:48 | 00,004,960 | ---- | M] (GRISOFT, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdi.sys -- (AvgTdi [Auto | Stopped])
[2004/08/04 00:08:21 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Stopped])
[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2002/02/13 12:27:30 | 00,166,419 | ---- | M] (Conexant Systems) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Stopped])
[2002/02/13 12:26:54 | 01,171,584 | ---- | M] (Conexant Systems) -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP [On_Demand | Stopped])
[2002/04/05 17:19:12 | 00,077,277 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Stopped])
[2005/05/16 00:30:00 | 00,016,000 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctpdusb.sys -- (Jukebox3 [On_Demand | Stopped])
[2001/10/22 15:46:42 | 00,009,855 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Stopped])
[2001/08/17 08:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Stopped])
[2001/08/18 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Stopped])
[2007/03/29 02:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/03 23:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139 [On_Demand | Stopped])
[2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Stopped])
[2001/08/17 07:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2005/03/24 11:21:22 | 00,038,937 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\system32\drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
[2008/10/01 12:01:28 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2004/08/04 01:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])
[2002/02/13 12:20:46 | 00,594,032 | ---- | M] (Conexant Systems) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Stopped])
[2001/08/18 06:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])
[2002/04/05 17:20:14 | 00,088,320 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [System | Stopped])
[2002/04/05 17:20:24 | 00,069,472 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=C:\windows\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"First Home Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
"Local Page"=C:\WINDOWS\System32\blank.htm
"Start Page"=http://www.emachines.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomSearch"=http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"@"=http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
"provider"=yaho

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.emachines.com

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = 127.0.0.1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.emachines.com

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = 127.0.0.1

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.emachines.com

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\SOFTWARE\Microsoft\Internet Explorer\Main]
"First Home Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
"Local Page"=C:\WINDOWS\System32\blank.htm
"Start Page"=http://www.emachines.com/

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomSearch"=http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\Software\Microsoft\Internet Explorer\SearchURL]
"@"=http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
"provider"=yaho

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP (GRISOFT, s.r.o.)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
"UpdateWin"=C:\WINDOWS\system32\ALSNDMGRv.exe ()

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE (GRISOFT, s.r.o.)

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"=C:\PROGRA~1\Grisoft\AVG Free\avgw.exe /RUNONCE (GRISOFT, s.r.o.)

========== (O4) RunServices Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UpdateWin"=C:\WINDOWS\system32\ALSNDMGRv.exe ()

========== (O4) Startup Folders ==========

[2008/07/07 12:14:40 | 00,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
File not found -- C:\Documents and Settings\Emily.SKUDLAREKFAMILY\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoCDBurning"=0
"NoSetActiveDesktop"=1
"NoActiveDesktopChanges"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2008/10/13 11:29:28 | 10,351,944 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2008/10/13 11:29:28 | 10,351,944 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

========== (O9) IE Extensions ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{6224f700-cba3-4071-b251-47cb894244cd} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{E023F504-0C5A-4750-A1E7-A9046DEA8A21} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
42 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
42 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
93 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab -- Java Plug-in 1.6.0_07
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O22) Shared Task Scheduler ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{020487CC-FC04-4B1E-863F-D9801796230B}" (HKLM) = Windows Installer Class -- C:\Documents and Settings\David\Local Settings\Temp\wndutl32.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"IPC Configuration Utility" (HKLM) = IPC Configuration Utility -- Reg Error: Key does not exist or could not be opened. File not found

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}" (HKLM) -- C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2002/08/01 18:16:11 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []
[2002/08/01 18:16:11 | 00,000,000 | ---- | M] () -- D:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2009/01/24 20:36:51 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\OTViewIt.exe
[2009/01/22 23:41:39 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2009/01/22 23:41:23 | 03,043,013 | ---- | C] () -- C:\ComboFXX.exe
[2009/01/19 11:17:31 | 03,043,013 | ---- | C] () -- C:\ComboFix.exe
[2009/01/10 01:37:43 | 00,282,112 | ---- | C] () -- C:\WINDOWS\runsql.exe
[2009/01/10 01:34:54 | 00,201,728 | ---- | C] () -- C:\WINDOWS\odb.exe
[2009/01/10 01:34:38 | 00,000,109 | -HS- | C] () -- C:\WINDOWS\System32\1220700532.dat
[2009/01/10 01:34:23 | 00,041,472 | RHS- | C] () -- C:\WINDOWS\System32\ALSNDMGRv.exe
[2009/01/10 01:33:52 | 00,417,280 | ---- | C] () -- C:\WINDOWS\System32\a.exe
[2009/01/01 14:51:25 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009/01/01 14:51:16 | 00,000,000 | ---D | C] -- C:\Program Files\4Di

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/01/24 20:35:18 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/24 20:35:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/24 20:14:16 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\OTViewIt.exe
[2009/01/19 00:45:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/19 00:27:38 | 03,043,013 | ---- | M] () -- C:\ComboFXX.exe
[2009/01/19 00:27:38 | 03,043,013 | ---- | M] () -- C:\ComboFix.exe
[2009/01/10 01:37:54 | 00,000,109 | -HS- | M] () -- C:\WINDOWS\System32\1220700532.dat
[2009/01/10 01:37:05 | 00,282,112 | ---- | M] () -- C:\WINDOWS\runsql.exe
[2009/01/10 01:33:59 | 00,201,728 | ---- | M] () -- C:\WINDOWS\odb.exe
[2009/01/10 01:33:59 | 00,041,472 | RHS- | M] () -- C:\WINDOWS\System32\ALSNDMGRv.exe
[2009/01/10 01:33:55 | 00,417,280 | ---- | M] () -- C:\WINDOWS\System32\a.exe
[2009/01/10 01:22:42 | 00,000,408 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for David.job
[2009/01/07 20:04:32 | 00,366,592 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2009/01/05 23:00:01 | 00,000,842 | ---- | M] () -- C:\WINDOWS\tasks\Weekly Backup.job
[2009/01/03 23:16:00 | 00,000,878 | ---- | M] () -- C:\WINDOWS\tasks\Backup Pictures.job
[2009/01/01 14:51:25 | 00,000,000 | ---- | M] () -- C:\WINDOWS\PROTOCOL.INI
[2008/12/30 19:04:52 | 00,661,504 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
< End of report >











Here is Extras.txt

OTViewIt Extras logfile created on: 1/24/2009 8:40:08 PM - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5700.6)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

637.98 Mb Total Physical Memory | 514.33 Mb Available Physical Memory | 80.62% Memory free
2.46 Gb Paging File | 2.41 Gb Available in Paging File | 97.64% Paging File free
Paging file location(s): C:\pagefile.sys 960 1024;D:\pagefile.sys 960 1024;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 10.76 Gb Free Space | 14.44% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 1.38 Gb Free Space | 3.72% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 123.47 Mb Total Space | 31.26 Mb Free Space | 25.32% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SKUDLAREKFAMILY
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value does not exist or could not be read.] -- Reg Error: Key does not exist or could not be opened. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/04 01:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2006/07/06 02:49:52 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/04 01:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service
[2001/10/12 20:36:42 | 04,102,275 | ---- | M] () -- C:\Sierra\Empire Earth\Empire Earth.exe:*:Enabled:Empire Earth
[2000/07/28 15:33:14 | 02,555,949 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD:*:Enabled:Age of Empires II
File not found -- C:\Program Files\Abacast\Abaclient.exe:*:Enabled:Abaclient
File not found -- C:\Sierra\Empire Earth - The Art of Conquest\EE-AOC.exe:*:Disabled:EE-AOC
File not found -- C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
File not found -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[2006/07/06 02:49:52 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5
[2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/10/17 07:44:07 | 00,514,560 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe
[2007/10/22 16:54:12 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe
[2008/10/17 07:44:05 | 00,590,848 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe
[2007/12/21 08:45:22 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.) -- C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe
[2007/07/26 14:59:44 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2006/11/03 01:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2005/09/19 16:53:45 | 08,571,392 | ---- | M] (Ensemble Studios) -- C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires 3
[2008/07/07 12:14:40 | 00,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/11/20 13:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== HKEY_CURRENT_USER Protocol Defaults ==========


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-21-236263764-972670786-3454122357-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005/09/20 11:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005/09/20 11:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2005/09/20 11:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2000/04/19 17:47:36 | 00,520,117 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/03/14 12:10:22 | 07,255,384 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/05/10 12:45:34 | 08,069,464 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2007/04/19 12:57:40 | 00,046,432 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03EDED24-8375-407D-A721-4643D9768BE1}"=kgchlwn
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}"=ESSSONIC
"{0D2E80C8-0875-43EB-9623-47118E2DFBCA}"=Quicken 2007
"{10798AE3-DCBB-43C3-9C93-C23512427E25}"=The Sims Deluxe Edition
"{11F3F858-4131-4FFA-A560-3FE282933B6E}"=kgchday
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}"=ESSPCD
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}"=Adobe AIR
"{2447500B-22D7-47BD-9B13-1A927F43A267}"=Empire Earth
"{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}"=MobileMe Control Panel
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}"=essvatgt
"{318AB667-3230-41B5-A617-CB3BF748D371}"=iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150000}"=J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0150060}"=J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150070}"=J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3FADAA19-E595-44CA-A072-58B6B0851768}"=Norton Security Scan
"{42938595-0D83-404D-9F73-F8177FDD531A}"=ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}"=netbrdg
"{4767A7DE-5B5E-4F91-B122-3CD67CC0C5A0}"=Photosynth
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}"=skin0001
"{5C74694C-A687-E3EB-FF18-B018D4A76ECD}"=Adobe Media Player
"{605A4E39-613C-4A12-B56F-DEFBE6757237}"=SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}"=fflink
"{619B8475-0F48-41B7-A370-5147F7092989}"=Virtual Earth 3D (Beta)
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{643EAE81-920C-4931-9F0B-4B343B225CA6}"=ESSBrwr
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{693C08A7-9E76-43FF-B11E-9A58175474C4}"=kgckids
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{69A83D99-D41B-4396-BCC4-3DCB77DFFED0}"=WebIQ Technology Engine
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}"=Windows Backup Utility
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}"=Age of Empires III
"{8338BA06-E527-491B-9400-F51708FEE695}"=iPod for Windows 2005-11-17
"{8943CE61-53BD-475E-90E1-A580869E98A2}"=staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{8A502E38-29C9-49FA-BCFA-D727CA062589}"=ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel(R) Extreme Graphics Driver Software
"{8A8664E1-84C8-4936-891C-BC1F07797549}"=kgcvday
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{8E92D746-CD9F-4B90-9668-42B74C14F765}"=ESSini
"{900A92BA-19EF-4A34-86CF-7B6C85BDD971}"=VC_MergeModuleToMSI
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}"=RollerCoaster Tycoon 3
"{91517631-A9F3-4B7C-B482-43E0068FD55A}"=ESSgui
"{91E30409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{999D43F4-9709-4887-9B1A-83EBB15A8370}"=VPRINTOL
"{9BD54685-1496-46A5-AB62-357CD140ED8B}"=kgcinvt
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}"=kgcmove
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}"=ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}"=OfotoXMI
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}"=CCScore
"{B508B3F1-A24A-32C0-B310-85786919EF28}"=Microsoft .NET Framework 2.0 Service Pack 1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}"=Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}"=SFR
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}"=kgcbaby
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}"=tooltips
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}"=Apple Mobile Device Support
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}"=kgcbase
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}"=SKINXSDK
"{F8D0829C-9C6F-11D3-8080-00C04FA329AA}"=Microsoft Works 6.0
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}"=WIRELESS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}"=Realtek AC'97 Audio
"{FCC3BD6A-F118-475D-8748-7EE08EA0AF56}"=HDView for Internet Explorer
"{FCDB1C92-03C6-4C76-8625-371224256091}"=ESSPDock
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player"=Adobe Shockwave Player 11
"Age of Empires 2.0"=Microsoft Age of Empires II
"Age of Empires Gold 1.0"=Microsoft Age of Empires Gold
"AIM_6"=AIM 6
"AMAT"=Army Men(TM) - Air Tactics(TM)
"AVG7Uninstall"=AVG Free Edition
"AXIS Media Control Embedded"=AXIS Media Control Embedded
"BigFix"=BigFix
"CCleaner"=CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_8D8B155D"=Conexant SoftK56 Modem(M)
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Adobe Media Player
"Creative Jukebox Driver"=Creative Jukebox Driver
"getPlus(R)_ocx"=getPlus(R)_ocx
"Greensaver"=Greensaver
"Higher Score on the ACT_is1"=Higher Score on the ACT
"Higher Score on the SAT/PSAT_is1"=Higher Score on the SAT/PSAT
"HijackThis"=HijackThis 2.0.2
"History Explorer"=History Explorer
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}"=Age of Empires III
"InstallShield_{8338BA06-E527-491B-9400-F51708FEE695}"=iPod for Windows 2005-11-17
"InterActual Player"=InterActual Player
"JRE 1.3.1_02"=Java 2 Runtime Environment Standard Edition v1.3.1_02
"LimeWire"=LimeWire 4.14.0
"Mozilla Firefox (3.0.4)"=Mozilla Firefox (3.0.4)
"MS Access 97 SP2"=MS Access 97 SP2
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"MSTTS"=Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NSSSetup.{3FADAA19-E595-44CA-A072-58B6B0851768}"=Norton Security Scan (Symantec Corporation)
"Pharaoh"=Pharaoh
"Picasa2"=Picasa 2
"PowerDVDPlayer"=Power DVD Player 2.0
"RealPlayer 6.0"=RealPlayer
"RollerCoaster Tycoon Setup"=Roll
"SBC.MCCInstall"=AT&T Self Support Tool
"SCRABBLE"=SCRABBLE
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.5.2.20
"SpywareBlaster_is1"=SpywareBlaster v3.5.1
"The Game Of Life"=The Game Of Life
"Theme Park World"=Theme Park World
"Theory Test Testing CD-ROM 2002"=Theory Test Testing CD-ROM 2002
"Titanic"=Titanic
"TomTom HOME"=TomTom HOME
"ViewpointMediaPlayer"=Viewpoint Media Player
"WIC"=Windows Imaging Component
"Winamp"=Winamp (remove only)
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 2
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/23/2008 11:04:59 AM | Computer Name = SKUDLAREKFAMILY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5700.6, faulting module
mshtml.dll, version 7.0.5700.6, fault address 0x000d86cb.

[ Application Events ]
Error - 8/23/2008 11:04:59 AM | Computer Name = SKUDLAREKFAMILY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5700.6, faulting module
mshtml.dll, version 7.0.5700.6, fault address 0x000d86cb.

[ System Events ]
Error - 1/23/2009 1:40:21 AM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 1/23/2009 1:40:21 AM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 1/23/2009 1:40:21 AM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Avg7Core Avg7RsW Avg7RsXP Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip

Error - 1/23/2009 1:45:29 AM | Computer Name = SKUDLAREKFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/24/2009 10:36:03 PM | Computer Name = SKUDLAREKFAMILY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/24/2009 10:36:35 PM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 1/24/2009 10:36:35 PM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 1/24/2009 10:36:35 PM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 1/24/2009 10:36:35 PM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 1/24/2009 10:36:35 PM | Computer Name = SKUDLAREKFAMILY | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Avg7Core Avg7RsW Avg7RsXP Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip


< End of report >

Hi

Sorry you had to wait for a reply so long. Email notifications didn't work and my topic tracking showed this topic as I had made latest post.


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.


LimeWire


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\LimeWire

Empty Recycle Bin.

After that:


We need to execute an OTMoveIt3 script
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop.
Double click theOTMoveIt3 icon on your desktop.
Paste the following code under the Paste Fix Here area. Do not include the word
Code
.

:Files
C:\Program Files\LimeWire
C:\WINDOWS\system32\ALSNDMGRv.exe
C:\WINDOWS\runsql.exe
C:\WINDOWS\odb.exe
C:\WINDOWS\System32\1220700532.dat
C:\WINDOWS\System32\a.exe

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateWin"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"UpdateWin"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{020487CC-FC04-4B1E-863F-D9801796230B}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"IPC Configuration Utility"=-

Push the large MoveIt button.
OTMI3 may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the Results line here in your next reply with a fresh OTViewIt.txt contents.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.

Thanks Blade81.

I didn't know I had LimeWire installed. We have teenagers in the house.

I have to do all this from the command prompt because I can only run in SAFE MODE. I couldn't paste your OTMOVEIT suggetions but rather had to type them in and I must have made a couple errors. And I have to make a couple iterations of running OTMoveIT.

Here are the results:

========== FILES ==========
c:\Program Files\LimeWire\root\magnet10 moved successfully.
c:\Program Files\LimeWire\root moved successfully.
c:\Program Files\LimeWire\lib moved successfully.
c:\Program Files\LimeWire\.NetworkShare moved successfully.
c:\Program Files\LimeWire moved successfully.
c:\Windows\system32\ALSNDMGRv.exe moved successfully.
c:\windows\runsql.exe moved successfully.
c:\windows\odb.exe moved successfully.
c:\windows\system32\1220700532.dat moved successfully.
c:\windows\system32\a.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\\UpdateWin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\\UPDATEWIN deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURENTVERSION\POLICIES\SYSTEM not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURENTVERSION\POLICIES\SYSTEM not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER\\{020487CC-FC04-4B1E-863F-D9801796230B} deleted successfully.
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\ .
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER\\IPC CONFIGURATION UTILITY deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01302009_233843

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\\DisableTaskMgr deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01302009_234653

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\\DisableRegistryTools deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01302009_234936


I will post the GMER log in a seperate post due to size.

Blade81,

GMER log was way too big to post. I also couldn't add it as an attachment.
What should I do with this file?

Blade81,
I couldn't follow your GMER suggestions completely because GMER in SAFE MODE didn't seem to present a Show ALL box to select. It may have cause me to create a huge GMER log file.

Hi

Let's try following.


1. Move Combo-Fix.exe file (note renamed name) to root of C: drive (C:\). That way we can access it on every account.

2. Try running ComboFix thru in safe mode with command prompt. Here are steps to follow (print/save these since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select safe mode with command prompt -option.
Then write following commands (I assume you moved Combo-Fix.exe to C: root):
cd\
Combo-Fix.exe


When ComboFix reboots select safe mode with command prompt again so that ComboFix will finish there.

After ComboFix has finished (hopefully) successfully reboot into normal mode if possible and post back ComboFix log & a fresh hjt log.

Hi, I renamed ComboFix and executed it from c: I received the same messge as before:

32788R22FWJFW\nircmd.com
X Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.


Is there some way to reset the registry and OS without wiping the whole c drive?

Is there some way to reset the registry and OS without wiping the whole c drive?
Hi

I'm afraid that's the only proper way to do mentioned things.

Anyway, let's see a fresh OTViewIt log. Also, could you archive that GMER log into zip file and then send it as an attachment together with your reply?

Here is the GMER log zipped.

Hi,

Here is the GMER log zipped.

Hi

Could you post a fresh otviewit log (otviewit.txt) contents too?

Blade81,
I will get that OTViewIt log posted.
However, maybe there is a whole different path to take here than trying to clean this PCs operating system of this virus.

This PC has two drives in it. I am booting up now from the C drive. What about the possiblity of doing the following:
1. Loading XP onto the D drive.
2. Booting up from the D drive.
3. Copying over important contents like music and family pictures from C to D.
4. Formatting C


Would that be a faster path to getting rid of this virus?

Hi

I believe that would be good (and the safest) way to tackle the issue :)

Blade81,
Hi. Thanks. OK, its always easier to define the concept than it is to actually pull it off.

If I am only running in Safe Mode, how would I install XP on D?
And how would I force the PC to boot from D?

Hi,

Do you have two physical hard drives or is space on one divided into two parts? If you have two physical drives then I recommend making the D: drive your primary drive.

You'll have to reboot using your OS media and then do normal XP installation using D: drive as target drive.

Blade81,

Yes, I have two different physical drives.
How do I make the D: drive primary?

Hi,

Probably the easiest way would be to switch cable from drive c: to drive d: and vice versa. Since this coming operation isn't actually malware related and we're dealing only that kind of issues here I recommend you ask at http://forums.pcpitstop.com for example. Those have areas for also other than malware related issues there :)

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.