Infected with Multiple Things

Caroll · May 29, 2011

Thank you in advance.

So it appears that my computer has managed to get infected with a quite a few nasty bits of malware. A majority of my icons are hidden as well not letting me connect to the internet I've tried to fend most of it off but I'm pretty alien in the area.

Also, while I run a scan with S&D, it ask to reboot and scan. It halts scanning and doesn't resume unless I click "No". If I click "Yes" then it just reboots as soon as the scan finishes. Even when most of the issues that were supposedly fixed just appear again when scanning. It appears every time when S&D is at "90450/793042: Fraud.InternetSecurity2011".

DDS Log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Run by FISH at 14:13:25 on 2011-05-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.622 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
F:\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
BHO: c:\windows\system32\nb8yt0vy.dll: {24a123c3-a500-99bd-a120-04b53a2c8952} - c:\windows\system32\nb8yt0vy.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
STS: c:\windows\system32\nb8yt0vy.dll: {24a123c3-a500-99bd-a120-04b53a2c8952} - c:\windows\system32\nb8yt0vy.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\fish\application data\mozilla\firefox\profiles\gsbrydu4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z006&form=ZGAADF&q=
FF - component: c:\documents and settings\fish\application data\mozilla\firefox\profiles\gsbrydu4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\fish\application data\mozilla\firefox\profiles\gsbrydu4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\documents and settings\fish\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: tektek.org GaiaOnline Toolbar 2.1: {0df7b3bb-9581-44bb-835f-061a29ec8a46} - %profile%\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
============= SERVICES / DRIVERS ===============
.
S1 MpKsl48409f78;MpKsl48409f78;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1658268-739d-4510-8fe5-5431c252117a}\mpksl48409f78.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1658268-739d-4510-8fe5-5431c252117a}\MpKsl48409f78.sys [?]
S1 MpKsl568832de;MpKsl568832de;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{171a7cfc-87ea-4816-b40c-8064a87763e5}\mpksl568832de.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{171a7cfc-87ea-4816-b40c-8064a87763e5}\MpKsl568832de.sys [?]
S1 MpKsl5c86842c;MpKsl5c86842c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9def27fe-ed8b-4a55-b077-bce6bb053895}\mpksl5c86842c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9def27fe-ed8b-4a55-b077-bce6bb053895}\MpKsl5c86842c.sys [?]
S1 MpKsl5ca919e2;MpKsl5ca919e2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1658268-739d-4510-8fe5-5431c252117a}\mpksl5ca919e2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f1658268-739d-4510-8fe5-5431c252117a}\MpKsl5ca919e2.sys [?]
S1 MpKslaec9657b;MpKslaec9657b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{171a7cfc-87ea-4816-b40c-8064a87763e5}\mpkslaec9657b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{171a7cfc-87ea-4816-b40c-8064a87763e5}\MpKslaec9657b.sys [?]
S1 MpKslc27ffded;MpKslc27ffded;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f8efa619-099a-445e-afc6-f43b93ffb054}\mpkslc27ffded.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f8efa619-099a-445e-afc6-f43b93ffb054}\MpKslc27ffded.sys [?]
S1 MpKsldae9533d;MpKsldae9533d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{188e21a2-6228-4bfe-adac-7198788516c4}\mpksldae9533d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{188e21a2-6228-4bfe-adac-7198788516c4}\MpKsldae9533d.sys [?]
S2 srv218;srv218;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-21 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva375;XDva375;\??\c:\windows\system32\xdva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\xdva385.sys --> c:\windows\system32\XDva385.sys [?]
.
=============== Created Last 30 ================
.
2011-05-18 03:50:02 0 ----a-w- c:\windows\Txozofoyeje.bin
2011-05-18 03:49:50 -------- d-----w- c:\documents and settings\fish\local settings\application data\{3ADFE71B-53EC-42F8-8A2C-3845783D84D7}
2011-05-18 03:47:46 -------- d-----w- c:\documents and settings\fish\application data\557585D252B73FCE8AED58180034268F
2011-05-18 03:47:39 50000 ----a-w- c:\windows\system32\zetj7n.dll
2011-05-18 03:47:31 50000 ----a-w- c:\windows\system32\nb8yt0vy.dll
2011-05-11 01:45:26 -------- d-----w- c:\documents and settings\fish\local settings\application data\Deployment
2011-05-11 01:42:20 -------- d-----w- c:\program files\SystemRequirementsLab
2011-05-11 00:32:59 -------- d-----w- c:\documents and settings\fish\application data\DAEMON Tools Lite
2011-05-11 00:32:59 -------- d-----w- c:\documents and settings\all users\application data\DAEMON Tools Lite
2011-05-10 05:08:52 -------- d-----w- c:\documents and settings\all users\application data\Last.fm
2011-05-10 05:07:56 -------- d-----w- c:\documents and settings\fish\local settings\application data\Last.fm
2011-05-10 05:07:48 -------- d-----w- c:\program files\Last.fm
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F276F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f2da10]; MOV EAX, [0x86f2da8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F6DAB8]
3 CLASSPNP[0xF7512FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x86FCE1F8]
5 ACPI[0xF73A9620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86F70D98]
\Driver\atapi[0x86F158E8] -> IRP_MJ_CREATE -> 0x86F276F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F2753B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:14:53.28 ===============

ken545 · May 30, 2011

:snwelcome:

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Your infected with a ROOTKIT

Please download TDSSKiller.zip

Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)

Caroll · May 31, 2011

2011/05/30 22:20:18.0875 2396 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/05/30 22:20:18.0921 2396 ================================================================================
2011/05/30 22:20:18.0921 2396 SystemInfo:
2011/05/30 22:20:18.0921 2396
2011/05/30 22:20:18.0921 2396 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/30 22:20:18.0921 2396 Product type: Workstation
2011/05/30 22:20:18.0921 2396 ComputerName: BELINDA
2011/05/30 22:20:18.0921 2396 UserName: FISH
2011/05/30 22:20:18.0921 2396 Windows directory: C:\WINDOWS
2011/05/30 22:20:18.0921 2396 System windows directory: C:\WINDOWS
2011/05/30 22:20:18.0921 2396 Processor architecture: Intel x86
2011/05/30 22:20:18.0921 2396 Number of processors: 2
2011/05/30 22:20:18.0921 2396 Page size: 0x1000
2011/05/30 22:20:18.0921 2396 Boot type: Normal boot
2011/05/30 22:20:18.0921 2396 ================================================================================
2011/05/30 22:20:23.0437 2396 Initialize success
2011/05/30 22:20:35.0390 2384 ================================================================================
2011/05/30 22:20:35.0390 2384 Scan started
2011/05/30 22:20:35.0390 2384 Mode: Manual;
2011/05/30 22:20:35.0390 2384 ================================================================================
2011/05/30 22:20:36.0609 2384 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/30 22:20:36.0656 2384 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/30 22:20:36.0703 2384 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/30 22:20:36.0765 2384 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/30 22:20:36.0890 2384 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/30 22:20:36.0890 2384 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/30 22:20:36.0968 2384 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/30 22:20:37.0015 2384 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/30 22:20:37.0062 2384 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/30 22:20:37.0093 2384 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/30 22:20:37.0140 2384 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/30 22:20:37.0156 2384 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/30 22:20:37.0171 2384 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/30 22:20:37.0218 2384 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/05/30 22:20:37.0250 2384 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys
2011/05/30 22:20:37.0328 2384 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/30 22:20:37.0375 2384 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/30 22:20:37.0437 2384 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/30 22:20:37.0468 2384 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/30 22:20:37.0500 2384 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/30 22:20:37.0531 2384 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/30 22:20:37.0578 2384 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/30 22:20:37.0593 2384 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/30 22:20:37.0625 2384 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/30 22:20:37.0687 2384 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/30 22:20:37.0750 2384 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/30 22:20:37.0765 2384 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/30 22:20:37.0765 2384 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/30 22:20:37.0828 2384 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/30 22:20:37.0843 2384 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/30 22:20:37.0859 2384 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/30 22:20:37.0875 2384 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/30 22:20:37.0937 2384 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/30 22:20:37.0968 2384 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/30 22:20:38.0015 2384 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/30 22:20:38.0062 2384 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/30 22:20:38.0109 2384 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/05/30 22:20:38.0140 2384 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2011/05/30 22:20:38.0156 2384 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/30 22:20:38.0328 2384 IntcAzAudAddService (39a817320087ef1c851d7a8f1701b3e0) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/30 22:20:38.0406 2384 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/30 22:20:38.0437 2384 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/30 22:20:38.0484 2384 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/30 22:20:38.0531 2384 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/30 22:20:38.0546 2384 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/30 22:20:38.0593 2384 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/30 22:20:38.0609 2384 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/30 22:20:38.0640 2384 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/30 22:20:38.0640 2384 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/30 22:20:38.0687 2384 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/30 22:20:38.0734 2384 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/30 22:20:38.0843 2384 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys
2011/05/30 22:20:38.0875 2384 MBAMSwissArmy (d68e165c3123aba3b1282eddb4213bd8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/05/30 22:20:38.0906 2384 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/30 22:20:38.0953 2384 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/30 22:20:38.0984 2384 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/30 22:20:39.0031 2384 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/30 22:20:39.0062 2384 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/30 22:20:39.0281 2384 MRVW245 (275796d1114b524aec686091e8aafd3c) C:\WINDOWS\system32\DRIVERS\MRVW245.sys
2011/05/30 22:20:39.0296 2384 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/30 22:20:39.0359 2384 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/30 22:20:39.0390 2384 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/30 22:20:39.0437 2384 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/30 22:20:39.0453 2384 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/30 22:20:39.0468 2384 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/30 22:20:39.0515 2384 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/30 22:20:39.0546 2384 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/30 22:20:39.0562 2384 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/30 22:20:39.0640 2384 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/30 22:20:39.0703 2384 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/30 22:20:39.0718 2384 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/30 22:20:39.0750 2384 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/30 22:20:39.0750 2384 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/30 22:20:39.0796 2384 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/30 22:20:39.0828 2384 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/30 22:20:39.0843 2384 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/30 22:20:39.0906 2384 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/05/30 22:20:39.0968 2384 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/30 22:20:40.0187 2384 nv (b702be0aa72ea2e1d644baef9123a4ce) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/30 22:20:40.0390 2384 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/30 22:20:40.0406 2384 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/30 22:20:40.0453 2384 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/05/30 22:20:40.0468 2384 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/30 22:20:40.0515 2384 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/30 22:20:40.0546 2384 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/30 22:20:40.0593 2384 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/30 22:20:40.0609 2384 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/30 22:20:40.0718 2384 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/30 22:20:40.0734 2384 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/30 22:20:40.0750 2384 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/30 22:20:40.0812 2384 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/30 22:20:40.0828 2384 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/30 22:20:40.0828 2384 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/30 22:20:40.0843 2384 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/30 22:20:40.0890 2384 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/30 22:20:40.0906 2384 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/30 22:20:40.0968 2384 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/30 22:20:41.0000 2384 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/30 22:20:41.0062 2384 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/30 22:20:41.0093 2384 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/05/30 22:20:41.0125 2384 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/30 22:20:41.0171 2384 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/30 22:20:41.0218 2384 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/30 22:20:41.0265 2384 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/30 22:20:41.0328 2384 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/30 22:20:41.0359 2384 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/30 22:20:41.0437 2384 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/30 22:20:41.0500 2384 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/30 22:20:41.0531 2384 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/30 22:20:41.0578 2384 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/30 22:20:41.0593 2384 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/30 22:20:41.0656 2384 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/30 22:20:41.0718 2384 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/30 22:20:41.0781 2384 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/30 22:20:41.0828 2384 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/30 22:20:41.0843 2384 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/30 22:20:41.0859 2384 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/30 22:20:41.0890 2384 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/30 22:20:41.0937 2384 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/30 22:20:41.0968 2384 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/30 22:20:42.0000 2384 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/30 22:20:42.0000 2384 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/30 22:20:42.0031 2384 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/30 22:20:42.0031 2384 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/30 22:20:42.0046 2384 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/30 22:20:42.0140 2384 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/30 22:20:42.0203 2384 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/30 22:20:42.0281 2384 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/05/30 22:20:42.0281 2384 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/30 22:20:42.0296 2384 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
2011/05/30 22:20:42.0359 2384 ================================================================================
2011/05/30 22:20:42.0359 2384 Scan finished
2011/05/30 22:20:42.0359 2384 ================================================================================
2011/05/30 22:20:42.0375 2392 Detected object count: 2
2011/05/30 22:20:42.0375 2392 Actual detected object count: 2
2011/05/30 22:22:45.0062 2392 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/30 22:22:47.0437 2392 Backup copy found, using it..
2011/05/30 22:22:47.0453 2392 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/05/30 22:22:47.0453 2392 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/05/30 22:22:47.0500 2392 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/30 22:22:47.0500 2392 \Device\Harddisk0\DR0 - ok
2011/05/30 22:22:47.0515 2392 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/05/30 22:23:34.0671 2404 Deinitialize success

ken545 · May 31, 2011

:bigthumb:

I am sure there is more to remove

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Caroll · May 31, 2011

I wasn't able to properly download Windows Recovery Console since one of the desktops icons that is still missing is my D-Link program.

ComboFix Log:
ComboFix 11-05-31.01 - FISH 05/31/2011 16:46:04.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.442 [GMT -5:00]
Running from: c:\documents and settings\FISH\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\FISH\Application Data\557585D252B73FCE8AED58180034268F
c:\documents and settings\FISH\Application Data\557585D252B73FCE8AED58180034268F\enemies-names.txt
c:\documents and settings\FISH\Application Data\557585D252B73FCE8AED58180034268F\local.ini
c:\documents and settings\FISH\Application Data\557585D252B73FCE8AED58180034268F\lsrslt.ini
c:\documents and settings\FISH\Application Data\Adobe\plugs
c:\documents and settings\FISH\Application Data\Adobe\plugs\mmc673218.txt
c:\documents and settings\FISH\Application Data\Adobe\shed
c:\documents and settings\FISH\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\FISH\Local Settings\Application Data\{3ADFE71B-53EC-42F8-8A2C-3845783D84D7}
c:\documents and settings\FISH\Local Settings\Application Data\{3ADFE71B-53EC-42F8-8A2C-3845783D84D7}\chrome.manifest
c:\documents and settings\FISH\Local Settings\Application Data\{3ADFE71B-53EC-42F8-8A2C-3845783D84D7}\chrome\content\_cfg.js
c:\documents and settings\FISH\Local Settings\Application Data\{3ADFE71B-53EC-42F8-8A2C-3845783D84D7}\chrome\content\overlay.xul
c:\documents and settings\FISH\Local Settings\Application Data\{3ADFE71B-53EC-42F8-8A2C-3845783D84D7}\install.rdf
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\nb8Yt0vy.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRV218
-------\Service_srv218
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))
.
.
2011-05-18 03:59 . 2011-05-18 03:59 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-05-18 03:58 . 2011-05-18 03:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-18 03:50 . 2011-05-18 03:50 0 ----a-w- c:\windows\Txozofoyeje.bin
2011-05-18 03:47 . 2011-05-18 03:47 50000 ----a-w- c:\windows\system32\zetj7n.dll
2011-05-11 01:45 . 2011-05-11 01:45 -------- d-----w- c:\documents and settings\FISH\Local Settings\Application Data\Deployment
2011-05-11 01:42 . 2011-05-11 01:42 -------- d-----w- c:\program files\SystemRequirementsLab
2011-05-11 01:42 . 2011-05-11 01:42 -------- d-----w- c:\documents and settings\FISH\Application Data\SystemRequirementsLab
2011-05-11 00:32 . 2011-05-11 00:46 -------- d-----w- c:\documents and settings\FISH\Application Data\DAEMON Tools Lite
2011-05-11 00:32 . 2011-05-11 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2011-05-10 05:08 . 2011-05-10 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Last.fm
2011-05-10 05:07 . 2011-05-10 05:07 -------- d-----w- c:\documents and settings\FISH\Local Settings\Application Data\Last.fm
2011-05-10 05:07 . 2011-05-10 05:07 -------- d-----w- c:\program files\Last.fm
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-31 03:24 . 2004-08-04 10:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-03-07 05:33 . 2010-03-20 22:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 10:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Father\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv218]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58919:TCP"= 58919:TCP

ando Media Booster
"58919:UDP"= 58919:UDP

ando Media Booster
"443:UDP"= 443:UDP:*

isabled

oVoo UDP port 443
"37674:TCP"= 37674:TCP:*

isabled

oVoo TCP port 37674
"37674:UDP"= 37674:UDP:*

isabled

oVoo UDP port 37674
"37675:UDP"= 37675:UDP:*

isabled

oVoo UDP port 37675
"67:UDP"= 67:UDP

HCP Server
.
S1 MpKsl48409f78;MpKsl48409f78;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl48409f78.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl48409f78.sys [?]
S1 MpKsl568832de;MpKsl568832de;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKsl568832de.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKsl568832de.sys [?]
S1 MpKsl5c86842c;MpKsl5c86842c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9DEF27FE-ED8B-4A55-B077-BCE6BB053895}\MpKsl5c86842c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9DEF27FE-ED8B-4A55-B077-BCE6BB053895}\MpKsl5c86842c.sys [?]
S1 MpKsl5ca919e2;MpKsl5ca919e2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl5ca919e2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl5ca919e2.sys [?]
S1 MpKslaec9657b;MpKslaec9657b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKslaec9657b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKslaec9657b.sys [?]
S1 MpKslc27ffded;MpKslc27ffded;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F8EFA619-099A-445E-AFC6-F43B93FFB054}\MpKslc27ffded.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F8EFA619-099A-445E-AFC6-F43B93FFB054}\MpKslc27ffded.sys [?]
S1 MpKsldae9533d;MpKsldae9533d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{188E21A2-6228-4BFE-ADAC-7198788516C4}\MpKsldae9533d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{188E21A2-6228-4BFE-ADAC-7198788516C4}\MpKsldae9533d.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/21/2010 4:29 AM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-05-29 c:\windows\Tasks\Norton Security Scan for FISH.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-11-29 16:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z006&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: tektek.org GaiaOnline Toolbar 2.1: {0df7b3bb-9581-44bb-835f-061a29ec8a46} - %profile%\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{24A123C3-A500-99BD-A120-04B53A2C8952} - (no file)
SafeBoot-90596686.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-31 16:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3156)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-31 17:00:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-31 22:00
.
Pre-Run: 59,308,109,824 bytes free
Post-Run: 59,545,378,816 bytes free
.
- - End Of File - - C7F54D6ACBA2B335FBD331E246BE59DE

ken545 · Jun 1, 2011

Hi,

Your doing just fine, things should have improved a lot for you ???

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Driver::

Code:

Driver::
XDva375
XDva385

File::
c:\windows\system32\XDva375.sys
c:\windows\system32\XDva385.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv218]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

Post both reports please

Caroll · Jun 1, 2011

I can't really say improved. There aren't any pop-ups but some of my desktop icons and programs aren't functioning properly as well as my background still being replaced by a grey screen.

ComboFix Log:
ComboFix 11-05-31.01 - FISH 05/31/2011 20:02:50.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.420 [GMT -5:00]
Running from: c:\documents and settings\FISH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\FISH\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\system32\XDva375.sys"
"c:\windows\system32\XDva385.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_XDVA375
-------\Legacy_XDVA385
-------\Service_XDva375
-------\Service_XDva385
.
.
((((((((((((((((((((((((( Files Created from 2011-05-01 to 2011-06-01 )))))))))))))))))))))))))))))))
.
.
2011-05-18 03:59 . 2011-05-18 03:59 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2011-05-18 03:58 . 2011-05-18 03:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-18 03:50 . 2011-05-18 03:50 0 ----a-w- c:\windows\Txozofoyeje.bin
2011-05-18 03:47 . 2011-05-18 03:47 50000 ----a-w- c:\windows\system32\zetj7n.dll
2011-05-11 01:45 . 2011-05-11 01:45 -------- d-----w- c:\documents and settings\FISH\Local Settings\Application Data\Deployment
2011-05-11 01:42 . 2011-05-11 01:42 -------- d-----w- c:\program files\SystemRequirementsLab
2011-05-11 01:42 . 2011-05-11 01:42 -------- d-----w- c:\documents and settings\FISH\Application Data\SystemRequirementsLab
2011-05-11 00:32 . 2011-05-11 00:46 -------- d-----w- c:\documents and settings\FISH\Application Data\DAEMON Tools Lite
2011-05-11 00:32 . 2011-05-11 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2011-05-10 05:08 . 2011-05-10 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Last.fm
2011-05-10 05:07 . 2011-05-10 05:07 -------- d-----w- c:\documents and settings\FISH\Local Settings\Application Data\Last.fm
2011-05-10 05:07 . 2011-05-10 05:07 -------- d-----w- c:\program files\Last.fm
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-31 03:24 . 2004-08-04 10:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-03-07 05:33 . 2010-03-20 22:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 10:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Father\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv218]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58919:TCP"= 58919:TCP

ando Media Booster
"58919:UDP"= 58919:UDP

ando Media Booster
"443:UDP"= 443:UDP:*

isabled

oVoo UDP port 443
"37674:TCP"= 37674:TCP:*

isabled

oVoo TCP port 37674
"37674:UDP"= 37674:UDP:*

isabled

oVoo UDP port 37674
"37675:UDP"= 37675:UDP:*

isabled

oVoo UDP port 37675
"67:UDP"= 67:UDP

HCP Server
.
S1 MpKsl48409f78;MpKsl48409f78;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl48409f78.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl48409f78.sys [?]
S1 MpKsl568832de;MpKsl568832de;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKsl568832de.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKsl568832de.sys [?]
S1 MpKsl5c86842c;MpKsl5c86842c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9DEF27FE-ED8B-4A55-B077-BCE6BB053895}\MpKsl5c86842c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9DEF27FE-ED8B-4A55-B077-BCE6BB053895}\MpKsl5c86842c.sys [?]
S1 MpKsl5ca919e2;MpKsl5ca919e2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl5ca919e2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F1658268-739D-4510-8FE5-5431C252117A}\MpKsl5ca919e2.sys [?]
S1 MpKslaec9657b;MpKslaec9657b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKslaec9657b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{171A7CFC-87EA-4816-B40C-8064A87763E5}\MpKslaec9657b.sys [?]
S1 MpKslc27ffded;MpKslc27ffded;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F8EFA619-099A-445E-AFC6-F43B93FFB054}\MpKslc27ffded.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F8EFA619-099A-445E-AFC6-F43B93FFB054}\MpKslc27ffded.sys [?]
S1 MpKsldae9533d;MpKsldae9533d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{188E21A2-6228-4BFE-ADAC-7198788516C4}\MpKsldae9533d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{188E21A2-6228-4BFE-ADAC-7198788516C4}\MpKsldae9533d.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/21/2010 4:29 AM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-05-29 c:\windows\Tasks\Norton Security Scan for FISH.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-11-29 16:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z006&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: tektek.org GaiaOnline Toolbar 2.1: {0df7b3bb-9581-44bb-835f-061a29ec8a46} - %profile%\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{24A123C3-A500-99BD-A120-04B53A2C8952} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-31 20:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-05-31 20:13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-01 01:13
ComboFix2.txt 2011-05-31 22:00
.
Pre-Run: 59,519,254,528 bytes free
Post-Run: 59,505,795,072 bytes free
.
- - End Of File - - 626E9BD263091DA76155390B78F04900

Malwarebytes Log:
Malwarebytes' Anti-Malware
www.malwarebytes.org

Database version:

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/31/2011 8:21:47 PM
mbam-log-2011-05-31 (20-21-47).txt

Scan type: Quick scan
Objects scanned: 170416
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545 · Jun 1, 2011

Lets run a few more scans

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on
  
  to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the
  
  icon on your desktop.
Check
Click the

button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push

, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the

button.
Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Caroll · Jun 1, 2011

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Bredolabfb.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws11.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws13.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws15.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws17.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws19.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws21.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws23.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws25.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws27.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws29.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws31.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws5.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws7.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws9.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\KillSec.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentws.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAutoRunabt.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\FISH\Application Data\Sun\Java\Deployment\cache\6.0\8\2f367388-458e18be Java/TrojanDownloader.OpenStream.NCA trojan
C:\Qoobox\Quarantine\C\Documents and Settings\FISH\Application Data\557585D252B73FCE8AED58180034268F\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\FISH\Application Data\557585D252B73FCE8AED58180034268F\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\WINDOWS\system32\nb8Yt0vy.dll.vir a variant of Win32/Ertfor.C trojan
C:\WINDOWS\system32\zetj7n.dll a variant of Win32/Ertfor.C trojan

ken545 · Jun 1, 2011

Most of those entries are just backups of what was removed

Open Spybot and go to Recovery and remove it all.

The files in Qoobox are what Combofix removed, we will deal with that in a bit.

I need you to run this quick scan and post the log and we will use the fix option after I see the log to remove that one bad file and clear the Java cache

OTL by OldTimer

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
  Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Caroll · Jun 2, 2011

OTL logfile created on: 6/1/2011 6:38:29 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\FISH\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.10 Mb Total Physical Memory | 558.09 Mb Available Physical Memory | 54.60% Memory free
2.40 Gb Paging File | 2.09 Gb Available in Paging File | 86.92% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 55.34 Gb Free Space | 74.28% Space Free | Partition Type: NTFS
Drive F: | 3.67 Gb Total Space | 3.66 Gb Free Space | 99.53% Space Free | Partition Type: FAT32

Computer Name: BELINDA | User Name: FISH | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\FISH\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe ( )

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\FISH\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (npggsvc) -- C:\WINDOWS\System32\GameMon.des (INCA Internet Co., Ltd.)

========== Driver Services (SafeList) ==========

DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (MRVW245) -- C:\WINDOWS\system32\drivers\MRVW245.sys (Marvell Semiconductor, Inc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-583907252-764733703-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-583907252-764733703-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-583907252-764733703-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial"
FF - prefs.js..extensions.enabledItems: {0df7b3bb-9581-44bb-835f-061a29ec8a46}:2.1.20110214
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:4.1
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z006&form=ZGAADF&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/03/21 01:32:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/12/17 19:10:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/12 00:35:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/01 15:14:57 | 000,000,000 | ---D | M]

[2010/03/21 01:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Extensions
[2011/05/18 20:35:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions
[2011/03/06 14:55:22 | 000,000,000 | ---D | M] ("tektek.org GaiaOnline Toolbar 2.1") -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
[2011/02/18 17:40:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/20 05:37:25 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/19 21:15:46 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010/11/19 20:10:44 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2011/04/19 21:15:46 | 000,000,000 | ---D | M] (Multirow Bookmarks Toolbar) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
[2011/03/12 06:28:08 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\personas@christopher.beard
[2011/05/15 19:33:37 | 000,002,431 | ---- | M] () -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\searchplugins\anime-news-network.xml
[2010/06/10 22:45:33 | 000,002,357 | ---- | M] () -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\searchplugins\photobucket.xml
[2010/03/21 01:38:12 | 000,002,057 | ---- | M] () -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\searchplugins\youtube-video-search.xml
[2011/05/18 20:35:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/22 16:05:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/04 22:13:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/04/13 19:28:46 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/05/31 20:09:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {24A123C3-A500-99BD-A120-04B53A2C8952} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-583907252-764733703-725345543-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-583907252-764733703-725345543-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-583907252-764733703-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-583907252-764733703-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-583907252-764733703-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/20 17:09:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/01 18:37:10 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\FISH\Desktop\OTL.exe
[2011/06/01 13:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/01 13:46:06 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\FISH\Desktop\esetsmartinstaller_enu.exe
[2011/06/01 13:43:20 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\FISH\Desktop\ATF-Cleaner.exe
[2011/05/31 20:23:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/31 20:17:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Desktop\Malwarebytes' Anti-Malware
[2011/05/31 16:38:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/31 16:38:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/31 16:38:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/31 16:38:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/31 16:37:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/31 16:37:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/31 16:36:58 | 004,109,019 | R--- | C] (Swearware) -- C:\Documents and Settings\FISH\Desktop\ComboFix.exe
[2011/05/30 22:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Desktop\tdsskiller
[2011/05/19 17:32:18 | 000,000,000 | R--D | C] -- C:\Documents and Settings\FISH\Recent
[2011/05/18 23:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Start Menu\Programs\Windows XP Recovery
[2011/05/18 20:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\My Documents\Logs
[2011/05/17 22:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/05/17 22:58:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/10 20:45:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Local Settings\Application Data\Deployment
[2011/05/10 20:42:20 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2011/05/10 20:42:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Application Data\SystemRequirementsLab
[2011/05/10 19:32:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Application Data\DAEMON Tools Lite
[2011/05/10 19:32:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/05/10 00:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2011/05/10 00:07:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Local Settings\Application Data\Last.fm
[2011/05/10 00:07:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Last.fm
[2011/05/10 00:07:48 | 000,000,000 | ---D | C] -- C:\Program Files\Last.fm
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/01 18:23:44 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\FISH\Desktop\OTL.exe
[2011/06/01 14:40:58 | 000,000,472 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for FISH.job
[2011/06/01 14:07:27 | 000,000,667 | ---- | M] () -- C:\Documents and Settings\FISH\Set.dll
[2011/06/01 13:48:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/01 13:45:08 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\FISH\Desktop\esetsmartinstaller_enu.exe
[2011/06/01 13:37:42 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\FISH\Desktop\ATF-Cleaner.exe
[2011/05/31 20:09:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/31 19:46:41 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Skype.lnk
[2011/05/31 19:46:04 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Microsoft Office Excel 2007.lnk
[2011/05/31 16:44:09 | 000,436,228 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/31 16:44:09 | 000,068,680 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/31 16:33:20 | 004,109,019 | R--- | M] (Swearware) -- C:\Documents and Settings\FISH\Desktop\ComboFix.exe
[2011/05/30 22:18:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/30 22:17:44 | 001,301,452 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\tdsskiller.zip
[2011/05/19 18:27:13 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/18 23:20:15 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Windows XP Recovery.lnk
[2011/05/18 23:20:09 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18210596
[2011/05/18 23:04:22 | 000,015,304 | -HS- | M] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/18 23:04:22 | 000,015,304 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/18 19:54:02 | 000,000,929 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/05/18 00:30:46 | 000,000,355 | -HS- | M] () -- C:\boot.ini
[2011/05/17 23:05:39 | 000,012,754 | -HS- | M] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\q06y4ded434kq1vq7n7
[2011/05/17 23:05:39 | 000,012,754 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q06y4ded434kq1vq7n7
[2011/05/17 22:50:02 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cmilexobe.dat
[2011/05/17 22:50:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Txozofoyeje.bin
[2011/05/17 22:47:39 | 000,050,000 | ---- | M] () -- C:\WINDOWS\System32\zetj7n.dll
[2011/05/16 06:04:47 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Microsoft Office PowerPoint 2007.lnk
[2011/05/13 14:27:41 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Microsoft Office Word 2007.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/01 13:51:26 | 000,000,667 | ---- | C] () -- C:\Documents and Settings\FISH\Set.dll
[2011/05/31 16:38:01 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/31 16:38:01 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/31 16:38:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/31 16:38:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/31 16:38:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/30 22:19:52 | 001,301,452 | ---- | C] () -- C:\Documents and Settings\FISH\Desktop\tdsskiller.zip
[2011/05/18 23:20:15 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\FISH\Desktop\Windows XP Recovery.lnk
[2011/05/18 23:20:09 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18210596
[2011/05/18 20:22:49 | 000,015,304 | -HS- | C] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/18 20:22:49 | 000,015,304 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/17 23:06:15 | 000,000,929 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/05/17 23:03:39 | 000,012,754 | -HS- | C] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\q06y4ded434kq1vq7n7
[2011/05/17 23:03:39 | 000,012,754 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q06y4ded434kq1vq7n7
[2011/05/17 22:50:02 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Cmilexobe.dat
[2011/05/17 22:50:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Txozofoyeje.bin
[2011/05/17 22:47:39 | 000,050,000 | ---- | C] () -- C:\WINDOWS\System32\zetj7n.dll
[2011/02/17 20:05:05 | 000,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2011/02/17 20:05:04 | 000,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2010/11/07 16:20:31 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/24 00:24:48 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/06/22 21:15:15 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS38.DLL
[2010/06/22 21:14:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\CNMCP38.EXE
[2010/05/03 00:26:54 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/20 19:03:25 | 000,056,708 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/21 04:16:30 | 000,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/21 03:10:53 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/03/21 01:37:43 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/21 01:26:38 | 000,201,537 | ---- | C] () -- C:\WINDOWS\hpoins40.dat
[2010/03/21 01:26:38 | 000,000,992 | ---- | C] () -- C:\WINDOWS\hpomdl40.dat
[2010/03/21 01:17:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/20 17:11:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 17:07:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/03/20 10:59:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/20 10:58:19 | 000,268,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/03/22 13:48:43 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 13:48:43 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,436,228 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,068,680 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/04/25 18:30:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/05/10 19:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010/12/22 21:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/05/10 00:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2010/11/01 23:09:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/02/15 19:39:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/03/27 15:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/20 18:54:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/04/24 17:46:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Father\Application Data\ooVoo Details
[2011/05/10 19:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\DAEMON Tools Lite
[2010/04/12 23:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\Facebook
[2011/04/11 00:47:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\FrostWire
[2011/02/26 18:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\gtk-2.0
[2011/04/19 23:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\ooVoo Details
[2011/05/10 20:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\SystemRequirementsLab
[2010/07/13 18:18:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\FISH\Application Data\Vivox

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEB15613

< End of report >

OTL Extras logfile created on: 6/1/2011 6:38:29 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\FISH\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.10 Mb Total Physical Memory | 558.09 Mb Available Physical Memory | 54.60% Memory free
2.40 Gb Paging File | 2.09 Gb Available in Paging File | 86.92% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 55.34 Gb Free Space | 74.28% Space Free | Partition Type: NTFS
Drive F: | 3.67 Gb Total Space | 3.66 Gb Free Space | 99.53% Space Free | Partition Type: FAT32

Computer Name: BELINDA | User Name: FISH | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-583907252-764733703-725345543-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"58919:TCP" = 58919:TCP:*:Enabled

ando Media Booster
"58919:UDP" = 58919:UDP:*:Enabled

ando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58919:TCP" = 58919:TCP:*:Enabled

ando Media Booster
"58919:UDP" = 58919:UDP:*:Enabled

ando Media Booster
"443:UDP" = 443:UDP:*

isabled

oVoo UDP port 443
"37674:TCP" = 37674:TCP:*

isabled

oVoo TCP port 37674
"37674:UDP" = 37674:UDP:*

isabled

oVoo UDP port 37674
"37675:UDP" = 37675:UDP:*

isabled

oVoo UDP port 37675
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"67:UDP" = 67:UDP:*:Enabled

HCP Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled

ando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled

ando Media Booster -- ()
"C:\Program Files\ooVoo\ooVoo.exe" = C:\Program Files\ooVoo\ooVoo.exe:*:Enabled

oVoo -- (ooVoo LLC)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{0A042C19-1F48-4952-B3B6-828E8028A187}" = B209a-m
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 21
"{2866B2D9-B57E-4829-A554-47DF68868F15}" = Fiesta
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{75247E38-5C9B-45D6-ADF8-E11CB56B4990}" = Network
"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPRO_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{922E8525-AC7E-4294-ACAA-43712D4423C0}" = Adobe Flash Player 10 ActiveX
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9FEF1A18-8F26-4F49-A5A4-956C12210624}" = HP Photosmart Plus B209a-m All-In-One Driver Software 13.0 Rel .6
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A385AA5D-4B9C-4BB4-A3D9-8BA006D6E831}" = D-Link Wireless N USB Adapter DWA-130
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65759DD-26C6-4EA6-9014-CA798907EBFD}" = PS_AIO_06_B209a-m_SW_Min
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{E127B28D-1A2A-45C4-A74E-C817E0A74E3E}" = Fiesta
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}" = ooVoo
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"7-Zip" = 7-Zip 9.16 beta
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CANONBJ_Deinstall_CNMCP38.DLL" = Canon S300
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"LastFM_is1" = Last.fm 1.5.4.27091
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSS" = Norton Security Scan
"NVIDIA Drivers" = NVIDIA Drivers
"Shop for HP Supplies" = Shop for HP Supplies
"SystemRequirementsLab" = System Requirements Lab
"VISPRO" = Microsoft Office Visio Professional 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-583907252-764733703-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/17/2011 11:21:42 PM | Computer Name = BELINDA | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6359

Error - 3/17/2011 11:21:44 PM | Computer Name = BELINDA | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 3/17/2011 11:21:44 PM | Computer Name = BELINDA | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 8312

Error - 3/17/2011 11:21:44 PM | Computer Name = BELINDA | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8312

Error - 3/18/2011 3:35:47 AM | Computer Name = BELINDA | Source = Application Error | ID = 1000
Description = Faulting application fiesta.bin, version 0.0.0.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 3/31/2011 11:59:49 AM | Computer Name = BELINDA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.4095, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/8/2011 11:13:04 PM | Computer Name = BELINDA | Source = ESENT | ID = 490
Description = svchost (996) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 4/9/2011 6:06:56 PM | Computer Name = BELINDA | Source = Application Error | ID = 1000
Description = Faulting application fiesta.bin, version 0.0.0.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 4/10/2011 3:33:50 PM | Computer Name = BELINDA | Source = Application Error | ID = 1000
Description = Faulting application fiesta.bin, version 0.0.0.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 4/20/2011 6:08:44 AM | Computer Name = BELINDA | Source = ESENT | ID = 490
Description = svchost (860) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 5/1/2011 10:08:14 PM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/2/2011 12:23:15 AM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/2/2011 3:18:19 AM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/2/2011 9:14:39 PM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/5/2011 4:58:07 PM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/5/2011 6:12:04 PM | Computer Name = BELINDA | Source = Print | ID = 6161
Description = The document Boeing offers Embraer link in Brazil contract bid owned
by FISH failed to print on printer Canon S300. Data type: NT EMF 1.008. Size of
the spool file in bytes: 4422128. Number of bytes printed: 53008. Total number
of pages in the document: 3. Number of pages printed: 1. Client machine: \\BELINDA.
Win32 error code returned by the print processor: 122 (0x7a).

Error - 5/6/2011 9:18:47 AM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/7/2011 6:04:27 PM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/8/2011 5:33:50 PM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 5/8/2011 5:45:11 PM | Computer Name = BELINDA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

< End of report >

ken545 · Jun 2, 2011

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:

:processes
killallprocesses

:OTL
O2 - BHO: (no name) - {24A123C3-A500-99BD-A120-04B53A2C8952} - No CLSID value found.
[2011/05/17 22:50:02 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cmilexobe.dat
[2011/05/17 22:50:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Txozofoyeje.bin
[2011/05/17 22:47:39 | 000,050,000 | ---- | M] () -- C:\WINDOWS\System32\zetj7n.dll


:Services

:Reg

:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c





:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Caroll · Jun 2, 2011

All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24A123C3-A500-99BD-A120-04B53A2C8952}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24A123C3-A500-99BD-A120-04B53A2C8952}\ not found.
C:\WINDOWS\Cmilexobe.dat moved successfully.
C:\WINDOWS\Txozofoyeje.bin moved successfully.
C:\WINDOWS\system32\zetj7n.dll moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
C:\Documents and Settings\FISH\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\FISH\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
C:\Documents and Settings\FISH\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\FISH\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\FISH\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\FISH\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 73738868 bytes
->Flash cache emptied: 1363 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Father
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 106090532 bytes
->Flash cache emptied: 92990 bytes

User: FISH
->Temp folder emptied: 597337 bytes
->Temporary Internet Files folder emptied: 2095304 bytes
->Java cache emptied: 20272 bytes
->FireFox cache emptied: 53365857 bytes
->Flash cache emptied: 175897 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 28 bytes
->Flash cache emptied: 71472 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 1091917 bytes
->Flash cache emptied: 104010 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 61160 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 229.00 mb

OTL by OldTimer - Version 3.2.23.0 log created on 06012011_234128

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

New OTL Log:
OTL logfile created on: 6/2/2011 1:03:58 AM - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\FISH\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.10 Mb Total Physical Memory | 484.18 Mb Available Physical Memory | 47.37% Memory free
2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.64% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 55.50 Gb Free Space | 74.50% Space Free | Partition Type: NTFS

Computer Name: BELINDA | User Name: FISH | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\FISH\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\FISH\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (npggsvc) -- C:\WINDOWS\System32\GameMon.des (INCA Internet Co., Ltd.)

========== Driver Services (SafeList) ==========

DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (MRVW245) -- C:\WINDOWS\system32\drivers\MRVW245.sys (Marvell Semiconductor, Inc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US

fficial"
FF - prefs.js..extensions.enabledItems: {0df7b3bb-9581-44bb-835f-061a29ec8a46}:2.1.20110214
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:4.1
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z006&form=ZGAADF&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/03/21 01:32:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/12/17 19:10:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/12 00:35:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/01 15:14:57 | 000,000,000 | ---D | M]

[2010/03/21 01:17:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Extensions
[2011/05/18 20:35:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions
[2011/03/06 14:55:22 | 000,000,000 | ---D | M] ("tektek.org GaiaOnline Toolbar 2.1") -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{0df7b3bb-9581-44bb-835f-061a29ec8a46}
[2011/02/18 17:40:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/20 05:37:25 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/19 21:15:46 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010/11/19 20:10:44 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2011/04/19 21:15:46 | 000,000,000 | ---D | M] (Multirow Bookmarks Toolbar) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
[2011/03/12 06:28:08 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\extensions\personas@christopher.beard
[2011/05/15 19:33:37 | 000,002,431 | ---- | M] () -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\searchplugins\anime-news-network.xml
[2010/06/10 22:45:33 | 000,002,357 | ---- | M] () -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\searchplugins\photobucket.xml
[2010/03/21 01:38:12 | 000,002,057 | ---- | M] () -- C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Profiles\gsbrydu4.default\searchplugins\youtube-video-search.xml
[2011/05/18 20:35:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/22 16:05:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/04 22:13:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/04/13 19:28:46 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/06/02 00:58:59 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {24A123C3-A500-99BD-A120-04B53A2C8952} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\FISH\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/20 17:09:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/01 23:41:28 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/01 18:37:10 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\FISH\Desktop\OTL.exe
[2011/06/01 13:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/01 13:46:06 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\FISH\Desktop\esetsmartinstaller_enu.exe
[2011/06/01 13:43:20 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\FISH\Desktop\ATF-Cleaner.exe
[2011/05/31 20:23:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/31 20:17:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Desktop\Malwarebytes' Anti-Malware
[2011/05/31 16:38:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/31 16:38:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/31 16:38:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/31 16:38:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/31 16:37:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/31 16:37:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/31 16:36:58 | 004,109,019 | R--- | C] (Swearware) -- C:\Documents and Settings\FISH\Desktop\ComboFix.exe
[2011/05/30 22:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Desktop\tdsskiller
[2011/05/19 17:32:18 | 000,000,000 | R--D | C] -- C:\Documents and Settings\FISH\Recent
[2011/05/18 23:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Start Menu\Programs\Windows XP Recovery
[2011/05/18 20:05:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\My Documents\Logs
[2011/05/17 22:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/05/17 22:58:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/10 20:45:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Local Settings\Application Data\Deployment
[2011/05/10 20:42:20 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2011/05/10 20:42:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Application Data\SystemRequirementsLab
[2011/05/10 19:32:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Application Data\DAEMON Tools Lite
[2011/05/10 19:32:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/05/10 00:08:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2011/05/10 00:07:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\FISH\Local Settings\Application Data\Last.fm
[2011/05/10 00:07:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Last.fm
[2011/05/10 00:07:48 | 000,000,000 | ---D | C] -- C:\Program Files\Last.fm

========== Files - Modified Within 30 Days ==========

[2011/06/02 01:00:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/02 00:58:59 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/06/01 18:23:44 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\FISH\Desktop\OTL.exe
[2011/06/01 14:40:58 | 000,000,472 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for FISH.job
[2011/06/01 14:07:27 | 000,000,667 | ---- | M] () -- C:\Documents and Settings\FISH\Set.dll
[2011/06/01 13:45:08 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\FISH\Desktop\esetsmartinstaller_enu.exe
[2011/06/01 13:37:42 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\FISH\Desktop\ATF-Cleaner.exe
[2011/05/31 19:46:41 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Skype.lnk
[2011/05/31 19:46:04 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Microsoft Office Excel 2007.lnk
[2011/05/31 16:44:09 | 000,436,228 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/31 16:44:09 | 000,068,680 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/31 16:33:20 | 004,109,019 | R--- | M] (Swearware) -- C:\Documents and Settings\FISH\Desktop\ComboFix.exe
[2011/05/30 22:18:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/30 22:17:44 | 001,301,452 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\tdsskiller.zip
[2011/05/19 18:27:13 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/18 23:20:15 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Windows XP Recovery.lnk
[2011/05/18 23:20:09 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18210596
[2011/05/18 23:04:22 | 000,015,304 | -HS- | M] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/18 23:04:22 | 000,015,304 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/18 19:54:02 | 000,000,929 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/05/18 00:30:46 | 000,000,355 | -HS- | M] () -- C:\boot.ini
[2011/05/17 23:05:39 | 000,012,754 | -HS- | M] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\q06y4ded434kq1vq7n7
[2011/05/17 23:05:39 | 000,012,754 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\q06y4ded434kq1vq7n7
[2011/05/16 06:04:47 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Microsoft Office PowerPoint 2007.lnk
[2011/05/13 14:27:41 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\FISH\Desktop\Microsoft Office Word 2007.lnk

========== Files Created - No Company Name ==========

[2011/06/01 13:51:26 | 000,000,667 | ---- | C] () -- C:\Documents and Settings\FISH\Set.dll
[2011/05/31 16:38:01 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/31 16:38:01 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/31 16:38:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/31 16:38:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/31 16:38:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/30 22:19:52 | 001,301,452 | ---- | C] () -- C:\Documents and Settings\FISH\Desktop\tdsskiller.zip
[2011/05/18 23:20:15 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\FISH\Desktop\Windows XP Recovery.lnk
[2011/05/18 23:20:09 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18210596
[2011/05/18 20:22:49 | 000,015,304 | -HS- | C] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/18 20:22:49 | 000,015,304 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\m02aj8c05sb8ycm2623sjs105ifan2c26ws
[2011/05/17 23:06:15 | 000,000,929 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/05/17 23:03:39 | 000,012,754 | -HS- | C] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\q06y4ded434kq1vq7n7
[2011/05/17 23:03:39 | 000,012,754 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q06y4ded434kq1vq7n7
[2011/02/17 20:05:05 | 000,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2011/02/17 20:05:04 | 000,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2010/11/07 16:20:31 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/08/24 00:24:48 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/06/22 21:15:15 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS38.DLL
[2010/06/22 21:14:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\CNMCP38.EXE
[2010/05/03 00:26:54 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\FISH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/20 19:03:25 | 000,056,708 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/21 04:16:30 | 000,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/21 03:10:53 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/03/21 01:37:43 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/21 01:26:38 | 000,201,537 | ---- | C] () -- C:\WINDOWS\hpoins40.dat
[2010/03/21 01:26:38 | 000,000,992 | ---- | C] () -- C:\WINDOWS\hpomdl40.dat
[2010/03/21 01:17:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/20 17:11:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 17:07:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/03/20 10:59:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/20 10:58:19 | 000,268,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/03/22 13:48:43 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 13:48:43 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,436,228 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,068,680 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEB15613

< End of report >

ken545 · Jun 2, 2011

Great, how is your system running now , any browser redirects or unwanted pop up windows, is your computer running faster than before ?

What other problems do you have, please explain them in detail and if there windows related I can link you to a forum that can help

Caroll · Jun 2, 2011

It looks like everything is fine excepted for the hidden files and folders that I can't access still. I think it's some remnants of the Windows XP virus but I'm not quite sure.

ken545 · Jun 2, 2011

Did you ever set your computer to hide system files ?

You can try this and see if you can see them now

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE

Let me know how it went , I can link you to a good windows forum for help if you need it

Caroll · Jun 2, 2011

Still not showing.

ken545 · Jun 3, 2011

Carol, we just do malware removal on this forum. I would like you to post at WhattheTech for your problem. All us forums work together so I would like you to link them to this thread so they can see what we have done, please keep in mind that the infection you had was pretty nasty and may have done some damage, but I am not sure
http://forums.spybot.info/showthread.php?t=62889

This forum like Safer is free but you will need to register
http://forums.whatthetech.com/index.php?showforum=119

Please post back and let me know how it went and if they were able to fix your issue

ken545 · Jun 8, 2011

Carol, how are you coming along ?

Infected with Multiple Things

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

Caroll

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert