Application failed to initialize properly (0xc0000005)



ARCHellraiser
2010-03-23, 02:31
Hi all,
Came here a while ago and THANKS to your Team I was cleaned up
and all has been running Bug Free... except for today.

Started my system today and received this Error Message.

Application failed to initialize properly (0xc0000005)
MSBBNET.exe

Ran S&D, found 20 bugs... all were removed.
Ran Malwarebytes... found 2 and they were removed.

Still received the error.

Uninstalled Microsoft Broadband Network Utility
Tried to install from disk
When I ran Setup.exe
Got the above same error.
Application failed to initialize properly (0xc0000005)

Did back-up and ran windows update
all installed OK.

Tried to install the utility again and got the same error.

At this point I have not found anything else that will not run.
Start-up is a little slow


Running as protection:
S&D
Spyblaster
Malwarebytes
Have Microsoft recovery console installed
ERUNT
DID NOT go backwards with any utility.

As instructed, ran HijackThis; find the log below:

Thanks
HR


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:40 PM, on 3/22/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 8254 bytes

ken545
2010-03-26, 13:33
Hello Ed,

Nothing jumping out at me on your log, but HJT is somewhat becoming outdated.

I want to point out that both your operating system and Internet Explorer browser are very outdated, and that will let this garbage in.


Not sure if this is malware related or hardware; we can run a few scans, and if there is no malware then I can link you to a Windows forum that can help you.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.com (http://www.techsupportforum.com/sectools/sUBs/dds)
DDS.scr (http://download.bleepingcomputer.com/sUBs/dds.scr)
DDS.pif (http://www.forospyware.com/sUBs/dds)

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed; the scan is running.
Notepad will open with the results; click No to the Optional_Scan.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control Here (http://www.bleepingcomputer.com/forums/topic114351.html)

ARCHellraiser
2010-03-27, 03:53
Thanks for responding,

I posted right after the Error started
Application failed to initialize properly (0xc0000005)
MSBBNET.exe

I had not spent much time on the PC at that point, but now there are
several things happening.
** IE will not start
** Right-click on Start and click on Explore will not open
** JavaScript will not start
** Found Windows Firewall off... never shut it down
** When I try to save a Doc in Word I get this error I have
never seen before:
Word has insufficient memory.. do you want to save it as a rescue Doc?

Followed instructions. Had Malwarebytes already loaded; ran it,
NO bugs found.

Malwarebytes' Anti-Malware 1.44
Database version: 3919
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/26/2010 9:01:59 PM
mbam-log-2010-03-26 (21-01-59).txt

Scan type: Quick Scan
Objects scanned: 137236
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Shut down router and kill protection

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 21:19:24.00 on Fri 03/26/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.509 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\DOWNLOADS\DOwnloads Firefox\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Gadwin PrintScreen] "c:\program files\gadwin systems\printscreen\PrintScreen.exe" /nosplash
uRun: [pnpdevicemon] c:\documents and settings\administrator\application data\pnpdevicemonitor\pnpdevicemon.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - c:\program files\pinnacle\instantcddvd\sharedfiles\pixie\RegTool.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hd0rjl1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en&safe=off&newwindow=1&btnG=Search
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-5-7 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-5-27 187392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-14 54752]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-5-1 6016]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-03-26 01:39:54 0 d-----w- c:\docume~1\admini~1\applic~1\PnPDeviceMonitor
2010-03-22 23:56:49 0 d-----w- c:\program files\Trend Micro
2010-03-21 16:36:34 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-21 16:28:42 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-03-20 13:43:54 44544 ---ha-w- c:\windows\system32\bootnsvr.dll
2010-03-13 04:46:59 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-13 04:46:59 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-13 04:34:59 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-13 04:34:59 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-05 00:11:22 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-02 01:53:21 0 d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-02-11 09:31:56 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-02-06 15:13:51 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-02-06 15:13:51 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-02-06 15:13:51 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-02-04 15:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 15:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 15:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 15:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

============= FINISH: 21:19:41.01 ===============

Tried to attach the 2nd file but the "manage attachment"
button will not work, so I did not post it.

YT

ED

ken545
2010-03-27, 13:37
Just one questionable entry.

Do you know what this is? If not, upload it to have it checked.

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see.

C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe <--This file

If the site is busy you can try this one

http://virusscan.jotti.org/en








Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
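The DDS "Pseudo HJT Report" in the previous post lists every autorun on the machine, and the reply above singles out the one entry that launches from the user's Application Data folder. As an added example that is not part of this thread and not code from the DDS or OTL tools, the Python script below applies that same check mechanically to pseudo-HJT lines, and also flags any Hosts line that maps a security help or vendor site to the loopback address. The sample lines are constructed to mirror entries in the log above; the lists of suspect profile directories and security-site domains are assumptions for the example, and a hit is a prompt to check the file (for instance by uploading it as the reply suggests), not a verdict.

```python
"""Mechanical triage of DDS/HijackThis-style autorun lines.

Added example, not code from this thread or from the DDS/OTL tools.  It
applies the check the helper did by eye: flag Run-key entries whose binary
lives under a user-writable profile directory instead of Program Files or
the Windows directory, and flag Hosts entries that send a security site to
the loopback address.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in the shape of a DDS "Pseudo HJT Report"; the
# pnpdevicemon and Hosts lines mirror entries in the log posted above.
SAMPLE_LINES = [
    r'uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background',
    r'uRun: [pnpdevicemon] c:\documents and settings\administrator\application data\pnpdevicemonitor\pnpdevicemon.exe',
    r'mRun: [MsmqIntCert] regsvr32 /s mqrt.dll',
    r'mRun: [SoundMan] SOUNDMAN.EXE',
    r'mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"',
    r'dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe',
    r'Hosts: 127.0.0.1 www.spywareinfo.com',
]

# Profile directories that legitimate installers rarely use for an autorun
# binary but droppers commonly do (assumed list, not exhaustive).
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Help/vendor sites whose redirection to localhost deserves a look
# (assumed list for this example).
SECURITY_SITES = ("spywareinfo.com", "malwarebytes.org", "virustotal.com",
                  "bleepingcomputer.com", "safer-networking.org")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

RUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$",
                    re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)", re.IGNORECASE)
BINARY_RE = re.compile(r"\.(?:exe|scr|com|pif|bat|cmd)\b", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the launched binary from a Run-key command line.

    Quoted paths end at the closing quote; unquoted paths containing spaces
    (as in the pnpdevicemon entry) are cut at the first executable extension;
    anything else is the first whitespace-delimited token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = BINARY_RE.search(cmd)
    if m:
        return cmd[: m.end()]
    return cmd.split()[0]


def autorun_reason(path: str) -> Optional[Tuple[str, str]]:
    """Classify an autorun binary path as (severity, reason); None means clean."""
    p = path.lower()
    if any(d in p for d in SUSPECT_DIRS):
        return ("high", "launches from a user-writable profile directory")
    if "\\" not in p:
        return ("low", "bare file name resolved through the search path; verify its location")
    return None


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run both checks over pseudo-HJT lines and return findings in log order."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            verdict = autorun_reason(exe)
            if verdict:
                findings.append({"kind": "autorun", "name": m.group("name"), "path": exe,
                                 "severity": verdict[0], "reason": verdict[1]})
            continue
        h = HOSTS_RE.match(line)
        if h and h.group("ip") in LOOPBACK:
            host = h.group("host").lower()
            if any(host == s or host.endswith("." + s) for s in SECURITY_SITES):
                findings.append({"kind": "hosts", "name": host, "path": h.group("ip"),
                                 "severity": "high",
                                 "reason": "security site mapped to loopback in the hosts file"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:4}] {f['kind']:7} {f['name']}: {f['path']} -> {f['reason']}")
```

Run as-is it reports the pnpdevicemon entry and the Hosts line as high, and the two bare-name entries (regsvr32 and SOUNDMAN.EXE) as low items to verify; to use it on a real log, paste the pseudo-HJT section into a file and pass its lines to triage().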

ARCHellraiser
2010-03-27, 17:17
Morning

Being one who needs to know, I always show all files and folders, hidden
and all, and I just checked: all were checked, including show hidden files and folders.

Here is something odd.. IE would not start yesterday, but today after I clicked on it to see if it would start, it did. Closed it and tried to start
Windows Explorer (Start, right-click) and it would not start; I quickly did a restart and got this message: "Explorer Proxy Desktop was still running and needs to be shut down". Never saw that before.

After reboot, tried Explorer (Start, right-click); it opened but the top control bar was missing (File Edit View Fav Tools Help). Closed it and tried it again, won't open... tried IE, will not open, so IE opens only once after reboot.

just an FYI

Followed your instructions:

Virus Total Log

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.27 -
AhnLab-V3 5.0.0.2 2010.03.27 -
AntiVir 7.10.5.241 2010.03.26 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.03.26 -
Authentium 5.2.0.5 2010.03.27 -
Avast 4.8.1351.0 2010.03.27 -
Avast5 5.0.332.0 2010.03.27 -
AVG 9.0.0.787 2010.03.27 -
BitDefender 7.2 2010.03.27 -
CAT-QuickHeal 10.00 2010.03.27 -
ClamAV 0.96.0.0-git 2010.03.27 -
Comodo 4403 2010.03.27 -
DrWeb 5.0.1.12222 2010.03.27 -
eSafe 7.0.17.0 2010.03.25 -
eTrust-Vet 35.2.7391 2010.03.26 -
F-Prot 4.5.1.85 2010.03.26 -
F-Secure 9.0.15370.0 2010.03.27 -
Fortinet 4.0.14.0 2010.03.27 -
GData 19 2010.03.27 -
Ikarus T3.1.1.80.0 2010.03.27 -
Jiangmin 13.0.900 2010.03.27 -
K7AntiVirus 7.10.1004 2010.03.22 -
Kaspersky 7.0.0.125 2010.03.27 -
McAfee 5932 2010.03.26 -
McAfee+Artemis 5932 2010.03.26 -
McAfee-GW-Edition 6.8.5 2010.03.27 Trojan.Dropper.Gen
Microsoft 1.5605 2010.03.27 -
NOD32 4978 2010.03.26 -
Norman 6.04.10 2010.03.27 -
nProtect 2009.1.8.0 2010.03.27 -
Panda 10.0.2.2 2010.03.26 -
PCTools 7.0.3.5 2010.03.27 -
Prevx 3.0 2010.03.27 High Risk Fraudulent Security Program
Rising 22.40.05.04 2010.03.27 -
Sophos 4.52.0 2010.03.27 -
Sunbelt 6101 2010.03.26 -
Symantec 20091.2.0.41 2010.03.27 Suspicious.Insight
TheHacker 6.5.2.0.245 2010.03.26 -
TrendMicro 9.120.0.1004 2010.03.27 PAK_Generic.001
VBA32 3.12.12.2 2010.03.27 -
ViRobot 2010.3.27.2248 2010.03.27 -
VirusBuster 5.0.27.0 2010.03.27 -
Additional information
File size: 29184 bytes
MD5...: 8ecbf0afa3ef94f3b3a78f328699536c
SHA1..: 38316a35db1783df39487eaad5fc95b975c41a2e
SHA256: 02b96a3963d8a802843167ab118a40f9842712e71f952f6425f3aed427452f3d
ssdeep: 768:wQpqiZFLvkS1Dx3QDNbajsLy30TG/9rBqGG:npFLvkS1Dx3oBaok0K7j
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10990
timedatestamp.....: 0x4bab5741 (Thu Mar 25 12:29:53 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa000 0x7000 0x6c00 7.85 518d2b8bd7c4bb075de782cf7515e175
.rsrc 0x11000 0x1000 0x200 3.02 5d718fbc722f981a162645e101220687

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegEnumKeyExA
> USER32.dll: GetMessageA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): PE_Patch.UPX, UPX
http://info.prevx.com/aboutprogramtext.asp?PX5=374DBC6A0094A877723F00094826820041BEA1F9
packers (F-Prot): UPX, embedded
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


OTL LOGS

OTL logfile created on: 3/27/2010 10:41:00 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\DOWNLOADS\DOwnloads Firefox
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 657.00 Mb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 3072

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 12.29 Gb Free Space | 16.49% Space Free | Partition Type: NTFS
Drive D: | 118.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ED-MASTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\DOWNLOADS\DOwnloads Firefox\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe ()
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)
PRC - C:\Program Files\Logitech\G-series Software\LGDCore.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe (Logitech Inc.)
PRC - C:\Program Files\Logitech\G-series Software\LCDMon.exe (Logitech Inc.)
PRC - C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)


========== Modules (SafeList) ==========

MOD - C:\DOWNLOADS\DOwnloads Firefox\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\bootnsvr.dll ()
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (winvnc) -- C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)


========== Driver Services (SafeList) ==========

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (nvatabus) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (MarvinBus) -- C:\WINDOWS\system32\drivers\MarvinBus.sys (Pinnacle Systems GmbH)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (vnccom) -- C:\WINDOWS\system32\drivers\vnccom.SYS (RDV Soft)
DRV - (vncdrv) -- C:\WINDOWS\system32\drivers\vncdrv.sys (RDV Soft)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (vobiw) -- C:\WINDOWS\system32\drivers\vobIW.sys (VOB Computersysteme GmbH)
DRV - (VOBID) -- C:\WINDOWS\system32\DRIVERS\vobid.sys (Pinnacle Systems)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (SNTNLUSB) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)
DRV - (cdrdrv) -- C:\WINDOWS\system32\drivers\Cdrdrv.sys (VOB Computersysteme GmbH)
DRV - (ASAPIW2K) -- C:\WINDOWS\system32\drivers\asapiW2k.sys (VOB Computersysteme GmbH)
DRV - (vobcom) -- C:\WINDOWS\system32\drivers\vobcom.sys (VOB Computersysteme GmbH)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\aspi32.sys (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-i3752"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-i3752"
FF - prefs.js..browser.startup.homepage: "http://home.jzip.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/26 21:04:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/25 19:51:06 | 000,000,000 | ---D | M]

[2009/08/29 11:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/03/26 21:30:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions
[2009/08/29 11:13:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/18 08:16:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/01/26 22:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\browserhighlighter@ebay.com
[2010/03/26 21:30:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/01/31 10:42:16 | 000,377,048 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13022 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Smart-Shopper) - {4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll (SmartShopper Networks)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\G-series Software\LCDMon.exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\G-series Software\LGDCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [Lexmark X1100 Series] C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKCU..\Run: [pnpdevicemon] C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (Pinnacle Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll (SmartShopper Networks)
O9 - Extra Button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll (SmartShopper Networks)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKCU\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/30 15:35:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/08/06 17:21:42 | 000,000,025 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{53d35542-f71e-11db-b1bc-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{53d35542-f71e-11db-b1bc-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{53d35542-f71e-11db-b1bc-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe -- [2002/08/06 17:41:08 | 000,131,072 | R--- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: dplaover - (C:\WINDOWS\system32\bootnsvr.dll) - C:\WINDOWS\system32\bootnsvr.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/04/30 15:34:51 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/03/26 21:44:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\jZip
[2010/03/26 21:30:22 | 000,000,000 | ---D | C] -- C:\Program Files\Smart-Shopper
[2010/03/26 21:30:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Smart-Shopper
[2010/03/26 21:30:01 | 000,000,000 | ---D | C] -- C:\Program Files\jZip
[2010/03/25 21:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor
[2010/03/22 19:56:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/21 12:28:42 | 000,015,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2010/03/20 11:25:33 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/03/18 23:58:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server
[2010/03/13 00:46:59 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2010/03/13 00:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Logitech
[2010/03/13 00:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Logitech
[2010/03/13 00:34:59 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2010/03/01 21:53:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/01/12 00:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/10 17:25:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/11 23:43:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Xfire
[2007/04/30 15:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/04/30 15:37:49 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/04/30 15:37:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/27 10:36:49 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to OTL.exe.lnk
[2010/03/27 10:34:29 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/27 10:34:10 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Word.lnk
[2010/03/27 10:15:37 | 000,539,556 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/27 10:15:37 | 000,454,652 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/27 10:15:37 | 000,075,338 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/27 10:10:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/27 10:10:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/26 21:57:45 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/26 21:45:30 | 000,004,252 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2010/03/26 21:45:30 | 000,004,252 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2010/03/26 21:30:23 | 000,000,153 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Emoticons for your messenger!.url
[2010/03/26 21:30:18 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\jZip.lnk
[2010/03/26 19:53:14 | 000,000,716 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ATF-Cleaner.exe.lnk
[2010/03/26 19:35:52 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 6.doc
[2010/03/25 22:44:27 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 7.doc
[2010/03/25 22:43:30 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 5.doc
[2010/03/25 00:13:13 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Mike.doc
[2010/03/25 00:12:50 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 4.doc
[2010/03/25 00:12:44 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 3.doc
[2010/03/25 00:12:38 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 2.doc
[2010/03/24 22:44:49 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/23 22:35:05 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Arc2.doc
[2010/03/23 22:34:34 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 1.doc
[2010/03/23 21:14:12 | 000,000,550 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2010/03/23 20:59:31 | 000,002,207 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2010/03/22 22:03:30 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document.doc
[2010/03/22 21:33:23 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/22 21:33:23 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/22 21:33:23 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/22 20:33:50 | 000,000,074 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Application failed to initialize properly (0xc0000005) - Safer-Networking Forums.URL
[2010/03/22 20:01:32 | 000,000,836 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to HijackThis.exe.lnk
[2010/03/22 19:56:49 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/03/21 13:30:18 | 000,000,233 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Help with removal..Application failed to initialize - Safer-Networking Forums.url
[2010/03/21 12:46:20 | 000,188,200 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/21 12:42:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/20 13:25:09 | 000,002,217 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/20 09:43:54 | 000,044,544 | -H-- | M] () -- C:\WINDOWS\System32\bootnsvr.dll
[2010/03/18 20:21:07 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\T%20A%20197%20enthaply%20calculator(1).xls
[2010/03/15 23:50:37 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\http.doc
[2010/03/15 23:18:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/13 11:37:48 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\GAME Start at around.doc
[2010/03/07 04:22:02 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\URL SAMPLES.doc
[2010/03/07 03:32:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/03/06 10:06:25 | 000,050,688 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\AvP pic.doc
[2010/03/04 20:11:22 | 000,041,872 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/27 10:36:49 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to OTL.exe.lnk
[2010/03/26 21:45:58 | 000,004,252 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2010/03/26 21:45:30 | 000,004,252 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2010/03/26 21:30:23 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Smiley.ico
[2010/03/26 21:30:23 | 000,000,153 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Emoticons for your messenger!.url
[2010/03/26 21:30:18 | 000,000,626 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\jZip.lnk
[2010/03/26 19:53:14 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ATF-Cleaner.exe.lnk
[2010/03/26 19:35:52 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 6.doc
[2010/03/25 22:44:27 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 7.doc
[2010/03/25 22:43:30 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 5.doc
[2010/03/25 00:13:13 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Mike.doc
[2010/03/25 00:12:50 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 4.doc
[2010/03/25 00:12:44 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 3.doc
[2010/03/25 00:12:38 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 2.doc
[2010/03/23 22:35:05 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Arc2.doc
[2010/03/23 22:34:34 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document 1.doc
[2010/03/22 22:03:30 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Rescued document.doc
[2010/03/22 20:33:50 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Application failed to initialize properly (0xc0000005) - Safer-Networking Forums.URL
[2010/03/22 20:01:32 | 000,000,836 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to HijackThis.exe.lnk
[2010/03/22 19:56:49 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/03/21 13:29:37 | 000,000,233 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Help with removal..Application failed to initialize - Safer-Networking Forums.url
[2010/03/20 09:43:54 | 000,044,544 | -H-- | C] () -- C:\WINDOWS\System32\bootnsvr.dll
[2010/03/18 20:21:07 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\T%20A%20197%20enthaply%20calculator(1).xls
[2010/03/15 23:50:36 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\http.doc
[2010/03/13 11:37:48 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\GAME Start at around.doc
[2010/03/06 10:06:25 | 000,050,688 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\AvP pic.doc
[2010/03/04 20:11:22 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/02/14 13:00:28 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/02/14 12:21:32 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/12/24 22:57:18 | 000,005,052 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xqkcebzs.dik
[2009/10/18 11:14:12 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2009/10/18 11:14:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Graffiti5.2Pin.ini
[2009/09/07 23:32:37 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2009/09/03 23:20:53 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/27 20:23:34 | 000,138,240 | ---- | C] () -- C:\WINDOWS\System32\Viasetup.dll
[2009/08/18 23:54:58 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/08/14 15:40:01 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/14 02:16:18 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/08/14 02:16:18 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/08/14 02:16:18 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/01/29 13:54:16 | 000,004,819 | ---- | C] () -- C:\WINDOWS\PlainEnglish.INI
[2009/01/29 13:49:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CmdLine.INI
[2009/01/28 19:12:56 | 000,002,473 | ---- | C] () -- C:\WINDOWS\PINPOINT.INI
[2009/01/28 16:19:31 | 000,806,912 | ---- | C] () -- C:\WINDOWS\System32\rvctl.dll
[2009/01/13 12:29:00 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/01/13 12:28:44 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/10/15 18:54:36 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\ASPRTMM0.DLL
[2008/02/08 17:13:44 | 000,319,488 | ---- | C] () -- C:\WINDOWS\System32\LS3Renderer.dll
[2007/05/14 11:13:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\rview.dll
[2007/05/03 18:30:24 | 000,000,369 | ---- | C] () -- C:\WINDOWS\ListView.INI
[2007/05/01 09:47:55 | 000,000,080 | ---- | C] () -- C:\WINDOWS\Continuum.INI
[2007/05/01 09:18:32 | 000,000,565 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/01 09:06:45 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2007/05/01 09:06:44 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2007/05/01 09:06:41 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\Bclw32.dll
[2006/01/02 09:54:37 | 000,000,550 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/01/02 09:54:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbkvs.dll
[2006/01/02 09:54:25 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBKLCNP.DLL
[2006/01/02 09:54:14 | 000,000,266 | ---- | C] () -- C:\WINDOWS\System32\lxbkcoin.ini
[2002/02/27 17:28:16 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2002/02/27 17:28:16 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2002/02/27 17:28:14 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2002/02/27 17:28:14 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2002/02/27 17:28:14 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL

========== LOP Check ==========

[2009/08/18 23:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Blitware
[2010/02/06 18:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Facebook
[2009/08/09 06:30:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
[2010/02/19 23:14:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
[2010/03/25 21:39:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor
[2009/10/18 11:14:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\proDAD
[2009/12/02 23:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Radmin
[2009/10/15 20:57:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Recordpad
[2010/03/26 21:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Smart-Shopper
[2006/01/02 09:56:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/10/15 20:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/08/09 06:30:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/10/18 10:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2009/10/18 10:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Plus
[2009/10/18 11:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate
[2009/10/18 10:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Studio 12
[2007/05/01 09:47:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TAC
[2010/03/26 21:21:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/07 03:32:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\Tasks\Driver Robot.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/12/17 17:42:04 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\OEMDIR\iastor.sys

< MD5 for: LOGEVENT.DLL >
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\logevent.dll

< MD5 for: NETLOGON.DLL >
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\sp2qfe\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2005/08/18 16:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\Backup\MB\IDE\NVATA.SYS
[2006/07/14 14:55:34 | 000,105,088 | R--- | M] (NVIDIA Corporation) MD5=7D960340BE5B0E008BB94E4C3B991339 -- C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\nvata.sys
[2005/05/17 17:45:08 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\nvata.sys
[2005/05/17 17:45:08 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\nvata.sys
[2005/05/17 17:45:08 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\nvata.sys
[2005/05/17 17:45:08 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\nvata.sys
[2005/05/17 17:45:08 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\ReinstallBackups\0025\DriverFiles\nvata.sys
[2005/05/17 17:45:08 | 000,092,800 | R--- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\ReinstallBackups\0026\DriverFiles\nvata.sys

< MD5 for: NVATABUS.SYS >
[2005/08/18 16:52:06 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\Backup\MB\SATA\NVATABUS.SYS
[2005/12/17 17:42:22 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\WINDOWS\OEMDIR\nvatabus.sys
[2005/12/17 17:42:22 | 000,093,568 | ---- | M] (NVIDIA Corporation) MD5=0344AA9113DC16EEC379F4652020849D -- C:\WINDOWS\system32\drivers\nvatabus.sys

< MD5 for: NVGTS.SYS >
[2008/08/18 18:54:52 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_XP32\IDE\WinXP\sataraid\nvgts.sys
[2008/08/18 18:54:52 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\XP\nvgts.sys
[2008/08/18 18:54:52 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_XP32\IDE\WinXP\sataraid\nvgts.sys
[2008/08/18 18:54:52 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\XP\nvgts.sys
[2008/08/18 17:54:52 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=37954CD1D0AFC11BECD149F7C3EC88C2 -- C:\NVIDIA\nForceWinXPInt\20.09\IDE\WinXP\sataraid\nvgts.sys
[2008/08/18 18:54:24 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_XP32\IDE\WinXP\sata_ide\nvgts.sys
[2008/08/18 18:54:24 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\AHCI\XP\nvgts.sys
[2008/08/18 18:54:24 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_XP32\IDE\WinXP\sata_ide\nvgts.sys
[2008/08/18 18:54:24 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\AHCI\XP\nvgts.sys
[2008/08/18 17:54:24 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=EA98BFE4931BD13D747D647C1859796E -- C:\NVIDIA\nForceWinXPInt\20.09\IDE\WinXP\sata_ide\nvgts.sys

< MD5 for: NVRD32.SYS >
[2008/08/18 18:58:42 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=7894FFC354DDD5A0600BC112FFEC2DD0 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_Vista32\IDE\WinVista\sataraid\nvrd32.sys
[2008/08/18 18:58:42 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=7894FFC354DDD5A0600BC112FFEC2DD0 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\Vista32\nvrd32.sys
[2008/08/18 18:58:42 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=7894FFC354DDD5A0600BC112FFEC2DD0 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_Vista32\IDE\WinVista\sataraid\nvrd32.sys
[2008/08/18 18:58:42 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=7894FFC354DDD5A0600BC112FFEC2DD0 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\Vista32\nvrd32.sys
[2008/08/18 18:54:52 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_XP32\IDE\WinXP\sataraid\nvrd32.sys
[2008/08/18 18:54:52 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\XP\nvrd32.sys
[2008/08/18 18:54:52 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_XP32\IDE\WinXP\sataraid\nvrd32.sys
[2008/08/18 18:54:52 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\XP\nvrd32.sys
[2008/08/18 17:54:52 | 000,133,152 | ---- | M] (NVIDIA Corporation) MD5=BEF704AA9E17D176A46DDF77C6A52194 -- C:\NVIDIA\nForceWinXPInt\20.09\IDE\WinXP\sataraid\nvrd32.sys

< MD5 for: NVSTOR32.SYS >
[2008/08/18 18:58:42 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=2A0CC26D67B38460CC7563BC8313C1D6 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_Vista32\IDE\WinVista\sataraid\nvstor32.sys
[2008/08/18 18:58:42 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=2A0CC26D67B38460CC7563BC8313C1D6 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\Vista32\nvstor32.sys
[2008/08/18 18:58:42 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=2A0CC26D67B38460CC7563BC8313C1D6 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_Vista32\IDE\WinVista\sataraid\nvstor32.sys
[2008/08/18 18:58:42 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=2A0CC26D67B38460CC7563BC8313C1D6 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\RAID\Vista32\nvstor32.sys
[2008/08/18 18:58:16 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=8EE374B6FB3CB2BB8D70395218B464A5 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_Vista32\IDE\WinVista\sata_ide\nvstor32.sys
[2008/08/18 18:58:16 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=8EE374B6FB3CB2BB8D70395218B464A5 -- C:\Documents and Settings\Administrator\Application Data\Blitware\DriverRobot\downloads\d9c4a57b918754ecdaf6de1aa782a0b5\NVIDIAnForceMCP78_Chipset_V1524_XPVista\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\AHCI\Vista32\nvstor32.sys
[2008/08/18 18:58:16 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=8EE374B6FB3CB2BB8D70395218B464A5 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\1524_Vista32\IDE\WinVista\sata_ide\nvstor32.sys
[2008/08/18 18:58:16 | 000,145,952 | ---- | M] (NVIDIA Corporation) MD5=8EE374B6FB3CB2BB8D70395218B464A5 -- C:\DRIVERS_MASTER\NVIDIAnForceMCP78_Chipset_V1524_XPVista\Disk\AHCI\Vista32\nvstor32.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2005/12/17 17:42:26 | 000,060,928 | ---- | M] (VIA Technologies inc,.ltd) MD5=0363E216E4EB5052969C96608934DBDE -- C:\WINDOWS\OEMDIR\viamraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/09/29 22:20:58 | 000,442,368 | ---- | M] (Advanced Micro Devices, Inc.)[b] Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/04/30 09:25:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/04/30 09:25:15 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/04/30 09:25:15 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

ARCHellraiser
2010-03-27, 17:21
2nd page of above post



OTL EXTRAS

OTL Extras logfile created on: 3/27/2010 10:41:00 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\DOWNLOADS\DOwnloads Firefox
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 657.00 Mb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 12.29 Gb Free Space | 16.49% Space Free | Partition Type: NTFS
Drive D: | 118.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ED-MASTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe" = C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe:*:Enabled:AVP2 Stand-Alone Server -- (Monolith Productions Inc.)
"C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe" = C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe:*:Enabled:Client -- ()
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Fox\Aliens vs. Predator 2\AVP2TFServ.exe" = C:\Program Files\Fox\Aliens vs. Predator 2\AVP2TFServ.exe:*:Enabled:AVP2 Stand-Alone Server -- (Monolith Productions Inc.)
"C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe:*:Enabled:umi -- (Pinnacle Systems)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe" = C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe:*:Enabled:Aliens vs Predator Demo -- (Sega Europe Limited)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{06053AB3-B607-B752-3252-4A2EA9E9761E}" = CCC Help Dutch
"{0B4A8658-43F1-50CA-AF30-C67E3AE2C9ED}" = CCC Help Greek
"{0CC61470-D776-2353-D5CB-C7BC20204863}" = CCC Help Finnish
"{12655AB3-9285-A2F0-5BBC-C5C45E4D718C}" = CCC Help Czech
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1A36CF15-DF66-4756-9482-A9ABF3DDACE6}_is1" = Driver Robot 1.1.0.4
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = PowerStarter
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24700C01-3A72-29D4-001B-6EE6BF71EB5E}" = CCC Help Korean
"{26262388-95BF-58B0-CD46-A8F957BB67BF}" = Catalyst Control Center Graphics Full Existing
"{262BF2CD-601D-4F43-919C-4B00B1D1F338}" = Boris Graffiti
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 17
"{2FB418AB-562D-43B4-BA0D-9282AAD8C207}" = Logitech G-series Keyboard Software
"{329376FB-FB6C-C587-F483-07E3418456F5}" = ccc-utility
"{33A38A8B-9E1E-BCBB-EA87-CE797EC75080}" = CCC Help Chinese Traditional
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35343FF7-939B-401A-87B3-FF90A5123D88}" = Microsoft XML Parser and SDK
"{369EEB32-64D1-F22A-1B2C-A3E81582E767}" = CCC Help Japanese
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EF79591-BF16-4CF8-8FF0-D8AD968228B1}" = Aliens vs. Predator 2
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FCD8F30-057D-C96F-AEF4-B0D77DE9730C}" = CCC Help Portuguese
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46605BDE-7F82-DB0F-7906-3279A7E639BE}" = Catalyst Control Center Localization All
"{480A8E00-D808-7D79-977B-CEBBB3BEB409}" = CCC Help French
"{48C7FD10-D6AD-8EE0-2E8E-0480C4EEB1BD}" = Catalyst Control Center HydraVision Full
"{5081528F-5DD5-49BA-8213-9A6A13502497}" = Sentinel System Driver 5.41.1 (32-bit)
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{5CA7ABC3-5F89-3A1D-A113-046EA4C7FCEB}" = ccc-core-static
"{5EB90C06-964F-4195-B83E-BD7E55C88415}" = Pinnacle Video Driver
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F77AD48-BA04-F868-2D04-FC1BFF5E00BA}" = Catalyst Control Center Graphics Light
"{75F9640C-DE21-40AF-92E2-06DFD821C7EE}" = TAC Video Layout Control
"{788907C5-C83B-9785-A1F0-67050017324E}" = CCC Help Spanish
"{7F5F1767-88C6-CBFC-5DD3-D853343FD5AE}" = CCC Help German
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84DE3702-3262-BE38-27E8-5ED423D803C6}" = CCC Help Chinese Standard
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{87F54A80-158E-436C-9B09-FFFD27F81BD4}" = Community Clips from Microsoft Office Labs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{95053B5A-42E0-830E-85BD-733FAFC28BA7}" = ccc-core-preinstall
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9B40D533-4F38-893D-EE5A-17226104BBC2}" = Skins
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{9E78C42C-4FF9-4F41-BBC4-BF872606E79D}_is1" = Driver Robot 1.1.0.13
"{A08CB73B-5DEA-185D-5D98-2230004D75ED}" = CCC Help Danish
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A22D91C3-E7BD-CBEE-7CDC-DE4C42FA27B7}" = CCC Help Hungarian
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A8A7ACEF-A7AF-4129-9BC1-4F33A4C31EEC}" = Pinnacle InstantCD/DVD Suite
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.2
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{AD0DD974-ADC2-8C10-DFA6-C1203A6E5106}" = CCC Help Polish
"{B014F739-B305-5319-D996-6612BD60ED74}" = CCC Help Swedish
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C570CAF4-D734-5412-C842-9AB150803074}" = Catalyst Control Center Core Implementation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D01F5B2C-2776-6C46-441C-E819C08DF4FF}" = CCC Help Turkish
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D1860E6E-520E-4380-8433-E58E8F88B473}" = Pinnacle Studio 12 Ultimate Plugins
"{D2FCA53F-F568-D08A-458F-F7C9769A30ED}" = CCC Help Norwegian
"{D5A9B7C0-8751-11D8-9D75-000129760D75}" = MediaShow 3.0
"{D5E4F342-4ED4-489E-B0EC-0391248FB774}" = ATECH FLASH PRO-9
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D89B70AB-CF91-36A4-8658-FACA3AF6A654}" = Catalyst Control Center Graphics Previews Common
"{DF1274DC-02D4-B2D7-6197-5D24E1EF84B1}" = CCC Help Thai
"{E000D42E-5842-20A6-EEB1-6DED8C2746C5}" = CCC Help Italian
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E7679B31-21F5-4AAE-1620-0DFACF702325}" = Catalyst Control Center Graphics Full New
"{EC6CD724-3D9F-11D5-80D7-00104BD1A098}" = Continuum
"{EEAA3E5E-1296-45AD-A59E-5D63F604867D}" = Radmin Viewer 3.3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}" = Cisco Systems VPN Client 5.0.05.0290
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F83491F9-7CDF-46A7-9994-9E002CE5CE75}" = CCC Help Russian
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FDE409B1-1FF3-DC39-083E-C0F4ED496D5E}" = CCC Help English
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0.1" = Adobe Photoshop 7.0.1
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"All ATI Software" = ATI - Software Uninstall Utility
"Ask Toolbar_is1" = Ask Toolbar
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"EPISUITE SDK 5.1" = EPISUITE SDK Redistribution
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"ExpressBurn" = Express Burn
"ExpressRip" = Express Rip
"Fraps" = Fraps (remove only)
"Gadwin PrintScreen" = Gadwin PrintScreen
"HijackThis" = HijackThis 2.0.2
"jZip" = jZip
"Lexmark X1100 Series" = Lexmark X1100 Series
"Magic Bullet Looks Studio" = Magic Bullet Looks Studio
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MixPad" = MixPad Audio Mixer
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NVIDIA Drivers" = NVIDIA Drivers
"proDAD-Vitascene-1.0" = proDAD Vitascene 1.0
"Recordpad" = RecordPad Sound Recorder
"Smart-Shopper" = SmartShopper
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Steam App 34200" = Aliens vs Predator Demo
"Switch" = Switch Sound File Converter
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"WavePad" = WavePad Sound Editor
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/7/2010 12:52:28 PM | Computer Name = ED-MASTER | Source = Application Hang | ID = 1002
Description = Hanging application AvP.exe, version 1.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/7/2010 12:54:13 PM | Computer Name = ED-MASTER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/7/2010 12:54:14 PM | Computer Name = ED-MASTER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/14/2010 2:28:54 AM | Computer Name = ED-MASTER | Source = Application Error | ID = 1000
Description = Faulting application lithtech.exe, version 1.0.0.1, faulting module
cshell.dll, version 0.0.0.0, fault address 0x00112947.

Error - 2/14/2010 2:44:18 AM | Computer Name = ED-MASTER | Source = Application Error | ID = 1000
Description = Faulting application lithtech.exe, version 1.0.0.1, faulting module
cshell.dll, version 0.0.0.0, fault address 0x00112947.

Error - 3/15/2010 9:54:22 PM | Computer Name = ED-MASTER | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.3156, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/15/2010 9:54:24 PM | Computer Name = ED-MASTER | Source = Application Hang | ID = 1001
Description = Fault bucket 452615105.

Error - 3/20/2010 10:42:16 AM | Computer Name = ED-MASTER | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x0040e844.

Error - 3/26/2010 9:09:22 PM | Computer Name = ED-MASTER | Source = Application Error | ID = 1000
Description = Faulting application spybotsd.exe, version 1.6.2.46, faulting module
kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 3/26/2010 9:44:25 PM | Computer Name = ED-MASTER | Source = Application Error | ID = 1000
Description = Faulting application jzip.exe, version 1.3.0.0, faulting module jzip.exe,
version 1.3.0.0, fault address 0x0008baf6.

[ System Events ]
Error - 3/22/2010 9:31:35 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/22/2010 9:44:57 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/23/2010 12:32:31 AM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/23/2010 8:48:09 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/24/2010 10:44:52 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/25/2010 8:50:52 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/26/2010 7:27:03 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/26/2010 7:45:46 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/26/2010 7:51:00 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 3/27/2010 10:11:31 AM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058


< End of report >


Off to work..Thanks

Ed

ken545
2010-03-27, 18:46
Looks like that file is bad. OTL is pretty extensive, going to take me a bit to look it over; in the meantime let's run Combofix, it may or may not remove that file, let's see.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ARCHellraiser
2010-03-27, 20:19
Had recovery console already installed from the last time you were on this system.

OK here they are:

ComboFix 10-03-26.02 - Administrator 03/27/2010 13:58:48.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.552 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\windows\system32\bootnsvr.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\program files\AskSearch\bin\DeFAultsearch.dll
c:\program files\Smart-Shopper
c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
c:\program files\Smart-Shopper\cs\antiphishing\antiphishing.html
c:\program files\Smart-Shopper\cs\antiphishing\phishAlert.gif
c:\program files\Smart-Shopper\cs\antiphishing\x.gif
c:\program files\Smart-Shopper\cs\antiphishing\xActive.gif
c:\program files\Smart-Shopper\Uninst.exe
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-27 01:44 . 2010-03-27 01:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jZip
2010-03-27 01:30 . 2010-03-27 17:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Smart-Shopper
2010-03-27 01:30 . 2010-03-27 01:30 -------- d-----w- c:\program files\jZip
2010-03-26 01:39 . 2010-03-27 17:03 10752 ----a-w- c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\hko.dll
2010-03-26 01:39 . 2010-03-26 01:39 29184 ----a-w- c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe
2010-03-26 01:39 . 2010-03-26 01:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor
2010-03-22 23:56 . 2010-03-22 23:56 -------- d-----w- c:\program files\Trend Micro
2010-03-21 16:36 . 2004-08-04 04:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-20 13:43 . 2010-03-20 13:43 44544 ----a-w- c:\windows\system32\bootnsvr.dll.vir
2010-03-13 04:46 . 2004-08-04 03:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-13 04:46 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-13 04:46 . 2010-03-13 04:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Logitech
2010-03-13 04:46 . 2010-03-13 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-03-13 04:34 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-13 04:34 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-02 01:53 . 2010-03-02 01:53 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 17:53 . 2009-09-27 05:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-26 01:56 . 2009-08-12 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2010-03-26 01:56 . 2009-08-12 03:42 -------- d-----w- c:\program files\Xfire
2010-03-24 00:59 . 2010-02-05 02:25 -------- d-----w- c:\program files\Steam
2010-03-20 21:27 . 2009-08-22 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-03-20 20:05 . 2009-08-22 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-13 04:46 . 2009-08-19 02:04 -------- d-----w- c:\program files\Logitech
2010-03-07 14:42 . 2009-09-27 05:20 -------- d-----w- c:\program files\SpywareBlaster
2010-02-20 03:14 . 2009-10-16 00:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Swift Sound
2010-02-14 20:22 . 2009-08-17 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-14 16:21 . 2010-02-14 16:21 -------- d-----w- c:\program files\Realtek Sound Manager
2010-02-14 16:21 . 2010-02-14 16:21 -------- d-----w- c:\program files\AvRack
2010-02-14 16:21 . 2010-02-14 16:21 -------- d-----w- c:\program files\Realtek AC97
2010-02-14 16:09 . 2010-02-14 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-02-14 16:06 . 2009-08-14 15:50 -------- d-----w- c:\program files\ATI Technologies
2010-02-14 15:51 . 2010-02-14 15:51 5393432 ----a-w- c:\documents and settings\Administrator\Application Data\Blitware\DriverRobot\updates\1.2.0.5\DriverRobot_Setup.exe
2010-02-14 15:51 . 2009-08-19 03:12 -------- d-----w- c:\program files\Driver Robot
2010-02-11 09:31 . 2010-02-11 09:31 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-02-06 22:13 . 2010-02-06 22:13 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe
2010-02-06 22:13 . 2010-02-06 22:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-02-06 15:13 . 2009-08-14 06:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-02-06 15:13 . 2009-08-14 06:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-02-04 15:01 . 2010-02-14 20:37 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 15:01 . 2010-02-14 20:37 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 15:01 . 2010-02-14 20:37 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 15:01 . 2010-02-14 20:37 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-31 14:43 . 2009-09-22 10:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 14:42 . 2009-09-13 15:54 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-09-22 10:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-22 10:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14 . 2004-08-04 03:14 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[-] 2005-12-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"pnpdevicemon"="c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe" [2010-03-26 29184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-30 61440]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2005-11-02 1110079]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2005-11-02 188928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Registration-INSDVD.lnk - c:\program files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-9-26 245760]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]
2008-12-09 11:08 495616 ----a-w- c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW ControlCenter]
2003-03-12 15:56 836096 ----a-w- c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 13:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2003-05-28 20:37 394240 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2003-05-28 20:37 394240 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2009-10-16 00:49 913412 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
2003-10-13 13:05 45056 ----a-w- c:\windows\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-21 13:24 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VOBID]
2003-03-31 21:59 147968 ----a-w- c:\program files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
2006-06-18 19:56 712704 ----a-w- c:\program files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dplaover REG_SZ c:\windows\system32\bootnsvr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2TFServ.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 4:36 PM 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 12:12 PM 187392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 6:33 PM 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 8:44 AM 6016]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-Smart-Shopper - c:\program files\Smart-Shopper\Uninst.exe
AddRemove-{1A36CF15-DF66-4756-9482-A9ABF3DDACE6}_is1 - c:\program files\Driver Robot\1.1.0.4\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 14:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-27 14:05:27
ComboFix-quarantined-files.txt 2010-03-27 18:05
ComboFix2.txt 2009-09-27 05:57

Pre-Run: 13,034,020,864 bytes free
Post-Run: 13,022,023,680 bytes free

- - End Of File - - 11C387D6CCF08EB6C7A94BF2C6326960




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:10 PM, on 3/27/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen] "C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [pnpdevicemon] C:\Documents and Settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 8174 bytes

ken545
2010-03-27, 20:34
Open Notepad: Go to Start> All Programs> Accessories> Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::




File::
c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\hko.dll
c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe
c:\windows\system32\bootnsvr.dll.vir

Folder::
c:\documents and settings\Administrator\Application Data\Smart-Shopper
c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pnpdevicemon"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ARCHellraiser
2010-03-27, 23:45
Did as instructed, log below.

FYI..ComboFix had this message when it started:

"Parasites Found at C:\windows\system32\bootnsvr.dll
Please write down for the future if needed."


ComboFix 10-03-26.02 - Administrator 03/27/2010 17:31:25.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.669 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript .txt

FILE ::
"c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\hko.dll"
"c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe"
"c:\windows\system32\bootnsvr.dll.vir"
.
The following files were disabled during the run:
c:\windows\system32\bootnsvr.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor
c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\hko.dll
c:\documents and settings\Administrator\Application Data\PnPDeviceMonitor\pnpdevicemon.exe
c:\documents and settings\Administrator\Application Data\Smart-Shopper
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\Config.xml
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\db\Aliases.dbs
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\db\Sites.dbs
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\dwld\WhiteList.xip
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\report\aggr_storage.xml
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\report\send_storage.xml
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\res1\WhiteList.dbs
c:\windows\system32\bootnsvr.dll.vir

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-27 01:44 . 2010-03-27 01:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jZip
2010-03-27 01:30 . 2010-03-27 01:30 -------- d-----w- c:\program files\jZip
2010-03-22 23:56 . 2010-03-22 23:56 -------- d-----w- c:\program files\Trend Micro
2010-03-21 16:36 . 2004-08-04 04:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-03-13 04:46 . 2004-08-04 03:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-13 04:46 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-13 04:46 . 2010-03-13 04:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Logitech
2010-03-13 04:46 . 2010-03-13 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-03-13 04:34 . 2004-08-04 05:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-13 04:34 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-02 01:53 . 2010-03-02 01:53 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 21:21 . 2009-09-27 05:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-26 01:56 . 2009-08-12 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2010-03-26 01:56 . 2009-08-12 03:42 -------- d-----w- c:\program files\Xfire
2010-03-24 00:59 . 2010-02-05 02:25 -------- d-----w- c:\program files\Steam
2010-03-20 21:27 . 2009-08-22 15:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-03-20 20:05 . 2009-08-22 15:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-03-13 04:46 . 2009-08-19 02:04 -------- d-----w- c:\program files\Logitech
2010-03-07 14:42 . 2009-09-27 05:20 -------- d-----w- c:\program files\SpywareBlaster
2010-02-20 03:14 . 2009-10-16 00:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Swift Sound
2010-02-14 20:22 . 2009-08-17 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-14 16:21 . 2010-02-14 16:21 -------- d-----w- c:\program files\Realtek Sound Manager
2010-02-14 16:21 . 2010-02-14 16:21 -------- d-----w- c:\program files\AvRack
2010-02-14 16:21 . 2010-02-14 16:21 -------- d-----w- c:\program files\Realtek AC97
2010-02-14 16:09 . 2010-02-14 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-02-14 16:06 . 2009-08-14 15:50 -------- d-----w- c:\program files\ATI Technologies
2010-02-14 15:51 . 2010-02-14 15:51 5393432 ----a-w- c:\documents and settings\Administrator\Application Data\Blitware\DriverRobot\updates\1.2.0.5\DriverRobot_Setup.exe
2010-02-14 15:51 . 2009-08-19 03:12 -------- d-----w- c:\program files\Driver Robot
2010-02-11 09:31 . 2010-02-11 09:31 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-02-06 22:13 . 2010-02-06 22:13 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe
2010-02-06 22:13 . 2010-02-06 22:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-02-06 15:13 . 2009-08-14 06:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-02-06 15:13 . 2009-08-14 06:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-02-04 15:01 . 2010-02-14 20:37 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 15:01 . 2010-02-14 20:37 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 15:01 . 2010-02-14 20:37 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 15:01 . 2010-02-14 20:37 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-31 14:43 . 2009-09-22 10:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 14:42 . 2009-09-13 15:54 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-09-22 10:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-22 10:14 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14 . 2004-08-04 03:14 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[-] 2005-12-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-27_18.03.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-27 21:19 . 2010-03-27 21:19 16384 c:\windows\temp\Perflib_Perfdata_16c.dat
+ 2002-08-29 12:00 . 2010-03-27 21:23 75338 c:\windows\system32\perfc009.dat
- 2002-08-29 12:00 . 2010-03-27 17:07 75338 c:\windows\system32\perfc009.dat
+ 2002-08-29 12:00 . 2010-03-27 21:23 454652 c:\windows\system32\perfh009.dat
- 2002-08-29 12:00 . 2010-03-27 17:07 454652 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-30 61440]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2005-11-02 1110079]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2005-11-02 188928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Registration-INSDVD.lnk - c:\program files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-9-26 245760]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]
2008-12-09 11:08 495616 ----a-w- c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW ControlCenter]
2003-03-12 15:56 836096 ----a-w- c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 13:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2003-05-28 20:37 394240 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2003-05-28 20:37 394240 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2009-10-16 00:49 913412 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
2003-10-13 13:05 45056 ----a-w- c:\windows\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-21 13:24 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VOBID]
2003-03-31 21:59 147968 ----a-w- c:\program files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
2006-06-18 19:56 712704 ----a-w- c:\program files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dplaover REG_SZ c:\windows\system32\bootnsvr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2TFServ.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 4:36 PM 26679]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 11:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 12:12 PM 187392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 6:33 PM 64000]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 8:44 AM 6016]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 17:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-27 17:37:22
ComboFix-quarantined-files.txt 2010-03-27 21:37
ComboFix2.txt 2010-03-27 18:05
ComboFix3.txt 2009-09-27 05:57

Pre-Run: 13,052,157,952 bytes free
Post-Run: 13,022,433,280 bytes free

- - End Of File - - 46F6FA5CFFCCC8899177C67EC0976999
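
As an added example that is not part of this thread or of the ComboFix/SystemLook output, the following Windows PowerShell script (2.0 or later) audits the AppCertDlls key that the log above shows pointing at c:\windows\system32\bootnsvr.dll; the function names are this example's own.

```powershell
# Added example, not output of ComboFix, SystemLook or any tool in this thread.
# Audits HKLM\...\Session Manager\AppCertDlls, the key the ComboFix log shows
# holding "dplaover" -> c:\windows\system32\bootnsvr.dll. Every DLL listed
# there is loaded into each process that calls CreateProcess, so the key is
# normally empty or absent on a workstation. Two findings matter to a defender:
#   * an entry whose file is missing (dangling loader entry left behind after
#     the DLL was removed), and
#   * an entry whose file exists but carries no valid Authenticode signature.
# Function names (Get-Sha256Hex, Get-AppCertDllAudit) are this example's own.

$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-Sha256Hex {
    # SHA-256 via .NET so the script also runs on PowerShell 2 (no Get-FileHash).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-AppCertDllAudit {
    param([string]$KeyPath = $AppCertKey)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        # Normal state on a clean workstation: nothing registered.
        return
    }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $raw    = [string]$key.GetValue($name)
        $dll    = [Environment]::ExpandEnvironmentVariables($raw)
        $exists = Test-Path -LiteralPath $dll

        $sig  = 'n/a (file missing)'
        $hash = 'n/a (file missing)'
        if ($exists) {
            $sig  = (Get-AuthenticodeSignature -FilePath $dll).Status
            $hash = Get-Sha256Hex -Path $dll
        }

        if (-not $exists) {
            $verdict = 'dangling entry: remove the value, no DLL to load'
        } elseif ($sig -ne 'Valid') {
            $verdict = 'unsigned DLL injected into every new process: investigate'
        } else {
            $verdict = 'signed: confirm the publisher is one you expect'
        }

        New-Object PSObject -Property @{
            ValueName = $name
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
            Sha256    = $hash
            Verdict   = $verdict
        }
    }
}

Get-AppCertDllAudit | Format-List ValueName, Dll, Exists, Signature, Sha256, Verdict
```

Run it from an elevated prompt; an empty result means the key is absent, which is the expected state on a clean machine.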

ken545
2010-03-28, 00:06
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:file
bootnsvr.dll

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

ARCHellraiser
2010-03-28, 01:12
Did it, results below.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:11 on 27/03/2010 by Administrator (Administrator - Elevation successful)

========== file ==========

bootnsvr.dll - Unable to find/read file.

-=End Of File=-

ken545
2010-03-28, 01:48
My bad, try it this way

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:file
c:\windows\system32\bootnsvr.dll

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

ARCHellraiser
2010-03-28, 03:19
NP:)
Disabled all firewalls just in case.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:17 on 27/03/2010 by Administrator (Administrator - Elevation successful)

========== file ==========

c:\windows\system32\bootnsvr.dll - Unable to find/read file.

-=End Of File=-

ken545
2010-03-28, 03:49
Let's run this online virus scanner and see what it finds.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

ARCHellraiser
2010-03-28, 09:40
Morning. Ran the online scanner, log below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f3f4ea1f6737e14998f3fee40a88c61c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-28 03:13:29
# local_time=2010-03-27 11:13:29 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 349617 349617 0 0
# compatibility_mode=8192 67108863 100 0 15908402 15908402 0 0
# scanned=63263
# found=13
# cleaned=13
# scan_time=7782
C:\DOWNLOADS\DOwnloads Firefox\jZipV1c.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C
C:\DOWNLOADS\NEW DRIVERS\1.3_to_1.5.zip probably a variant of Win32/Genetik trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\DOWNLOADS\NEW SERVER DRIVERS\jZipV1c.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Fox\Aliens vs. Predator 2\gslist.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\[4]-Submit_2010-03-27_17.31.21.zip Win32/PSW.Papras.AW trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll.vir a variant of Win32/Adware.Toolbar.Shopper.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP2\A0000089.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP9\A0000809.dll Win32/PSW.Papras.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP9\A0000825.dll a variant of Win32/Adware.Toolbar.Shopper.AA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP9\A0000959.dll Win32/PSW.Papras.AW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP9\A0001270.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP9\A0001271.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E8C97C42-2711-4945-B781-C17D3D4E92AD}\RP9\A0001272.exe probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545
2010-03-28, 15:21
Removed a few things, mostly backups of what Combofix removed and items in your System Restore program.

System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Reboot your computer.

Turn ON System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



We will get rid of all that Combofix removed when we are done. How are things running now ??

ARCHellraiser
2010-03-28, 15:37
Morning New restore point created..

We will get rid of all that Combofix removed when we are done. How are things running now ?? ----> AWESOME !!!:bigthumb::bigthumb::bigthumb:
Boots up faster than I remember in a long time.
Page loads very quick.. IE starts, Explorer starts
Did not try a JavaScript run yet..

Just tried to click on the (more button) under the icons ----> did not open

Have not tried to reload anything to see if original
problem is corrected

ken545
2010-03-29, 02:07
Great,

Sorry, but I was tied up all day and not online.

Just tried to click on the (more button) under the icons ----> did not open <, Not following you on this one


Let me know how all is running when you're done updating.

ARCHellraiser
2010-03-30, 05:32
NP, it was Sunday.. We all need personal time...

Loaded the Broadband router software that started this whole thing..
NO errors, loaded just fine.. tied into network all fine, even print sharing..

Loaded updates from Java, loaded fine, both loaded with surprising speed.:eek:

Everything from the outside LQQK great.

so looks like you wiped out this bug....:)

what's next..???

Also, I know I'm behind on Windows updates.. I hesitate in going to Service Pack 3 because of all the issues, and I'm running IE 6..
Some advice..

Ed

ARCHellraiser
2010-03-30, 05:37
O and yes.. In the Message post screen when you are creating a message and you can insert icons in your post there is a little word [more] in the bottom left
corner that shows the rest of the 84 icons..
When I click on it nothing happens??
Just pointing it out...don't know if it has anything to do with my system or the forum..

Ed

ken545
2010-03-30, 11:37
Morning Ed,

Glad things are back to normal for you, a kinky computer can be very frustrating

More <--Got ya now :)

SP3 <-- When this first came out there were bugs that caused issues with some ( not all ) systems, but it was fixed a long time ago; there are important updates in SP3 that will help secure your computer.


IE 6 <-- They had a mock funeral for this last month; it's a very insecure browser. You should update to IE8, it will be part of Windows Updates when you run it.



Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

ARCHellraiser
2010-03-31, 06:52
ALL cleaned up:eek:

Will install SP3 and keep fingers crossed.

Don't know how to thank you for your time...

Will do final post after update.

Thanks Again

Ed

ARCHellraiser
2010-04-02, 04:27
Evening Ken,

To my surprise SP3 loaded without a single problem.. :eek::eek:
IE6 has left the building.....!!!!!
All that worry
for naught...

Thanks Again...

Ed

ken545
2010-04-02, 12:54
That's great Ed,

I knew it would go smoothly .

Take Care,

Ken :)

ken545
2010-04-05, 11:52
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.