"Security Shield was installed successfully" Huh?



MTnestRobin
2012-01-27, 07:38
Here is what happened and what I've done so far:

I clicked on a webpage while browsing and a box opened saying [Security Shield has installed successfully!]. Suspicious, I didn't dare click anywhere in the box; my delete key is not working so I could not Ctrl+Alt+Delete it either, so I right-clicked on the task bar to 'close' it. That prompted a "system check scan" (fake, I'm sure) so I quickly turned my computer off. I restarted it a few minutes later and disabled my wireless connection. I tried to run free AVG 2012 but a message appeared stating [AVG failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.] I didn't reinstall, figuring it had been disabled by the malware. Um, do I have to be connected to run AVG??

At this point I should admit that I am not very tech savvy, so the following may seem somewhat...'naive' too. I then opened msconfig to see if any new boxes had been checked in startup and it didn't seem so. (I hate anything running in startup that doesn't have to, so I disable the obvious.) I then started a search (including hidden files) for files named or with "security" in them that were modified today, 1.26.12. The search produced two files found in C:windows/system32/config - both named "Security". One was a 1K text file and the other a 256K "file." There was a warning before opening the Windows folder basically warning 'dummies' like me not to mess around in there if you don't know what you are doing. So I resisted the temptation to drag those two files out to a new folder on the desktop and exited before touching anything.

Still scrambling for something that might help, I started S&D even though I was not going to be able to update it first (still worried about connecting to the internet, unless you say I can). S&D found about five things and fixed them (mostly cookies, I wrote them down, jic). Interestingly, before the scan started, a screen came up saying the scan would go faster if I allowed it to delete the files in the temporary folder, and I did so. It then came up saying [Spybot removed ? files, 2 files are still running and cannot be removed].

Knowing I needed help, I got out an old laptop and came here looking for assistance. I read Tashi's sticky notes and followed the directions. I did have to save ERUNT and DDS to a thumb drive first, then move and save them to the desktop on the affected pc (an Asus eee netbook, btw). Running ERUNT I didn't get the last "file>exit" window, but something a bit different. It created and saved something to a folder in C:windows/ERUNT (I assume it was a backup of the registry...it had today's date). Running DDS, I got as far as the black screen; it then flashed a blue screen quickly (with lots of white writing), then proceeded to restart itself. I now have an "Activate Desktop Recovery" screen (with options; it's hard to read them as the icons are jumbled with the writing), one of which is a button [Restore My Desktop]. After a moment another window popped up with [An error has occurred in the script on this page, ...continue.....Yes / No]? I am out of my league, and this is where I am, and also why I'm on a different computer.

This wonderful forum helped me several years ago and I hope you can "save" me again! I would sure appreciate any help you could offer.

Many thanks for what you do.
Robin

oldman960
2012-02-02, 18:29
Hi MTnestRobin, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format and uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


Basically your system crashed. Click the restore button to restore your desktop then reboot the computer.

The crash could have been an interaction between the malware and DDS or just the malware.

Next
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Next

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
Check the boxes beside LOP Check and Purity Check.
In the window under Custom Scans/Fixes copy and paste the following


netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Please post back with
aswMBR log
both OTL logs

MTnestRobin
2012-02-02, 20:27
Thank you, thank you, thank you Oldman960 for coming to my rescue!

I can't get the 'restore the active desktop' to work. When I push the button I get this message again, [An error has occurred in the script on this page, ...continue.....Yes / No]. When I push yes (or no) nothing happens other than the message goes away.

I have the aswMBR.exe downloaded to a thumb drive. Should I insert it into the usb of the infected machine and see if it does anything?

Much appreciation,
Robin

oldman960
2012-02-03, 01:23
Hi MTnestRobin,

Move both OTL and aswMBR to the desktop of the infected computer if possible. If not, move them to C:\ and run them from there. These are scan tools and will not fix anything when run. The fixin' comes after we gather the information we need.

MTnestRobin
2012-02-03, 06:24
Hello Oldman960,

I was able to successfully move those files onto the desktop of the infected computer using the thumb drive.

After the scan there was no .dat file on the desktop, only a .txt file. I right-clicked and zipped that one. Let me know if you want me to try again.

Question: Can I (or should I,) reconnect the infected computer to the internet?

Here is the Extras Report (OTL Report to follow in separate post):

OTL Extras logfile created on: 2/2/2012 10:24:56 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Robin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.17 Mb Total Physical Memory | 612.46 Mb Available Physical Memory | 60.33% Memory free
2.38 Gb Paging File | 1.97 Gb Available in Paging File | 82.60% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 38.45 Gb Free Space | 53.36% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.75 Gb Free Space | 99.58% Space Free | Partition Type: NTFS

Computer Name: ROBINSNETBOOK | User Name: Robin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\lxbucoms.exe" = C:\WINDOWS\system32\lxbucoms.exe:*:Disabled:6200 Series Server -- (Lexmark International, Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Documents and Settings\Robin\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Robin\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0FABD3D7-3036-4e78-B29D-58957ADB0A12}" = HP PSC & OfficeJet 3.5
"{11728A17-412A-4A08-91C4-ACD8ADEDCE82}" = Angry Birds
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{24C8FBF7-26C6-48ca-834B-A4E5C09E362F}" = AiO_Scan
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 21
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{300D9EF4-2721-4cb4-A6C3-FB2337CFEA2D}" = AIOMinimal
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FB39BED-37C8-4E60-8E02-315B8C2B07E3}" = USB2.0 UVC Camera Device
"{47BACF74-5A07-48BD-BADB-A769550F0F5A}" = FontResizer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{6333FC29-BFE5-4024-AC78-958A1A7555D1}" = EeeSplendid
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{8398852A-7B61-4808-8F58-D0A40D1B2CB6}" = AVG 2012
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint Plus
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B9BDA46B-2E17-4F43-9D7A-9B1E09A0A4D8}" = Data Sync
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C72CA49A-9237-4810-8449-45DA3BD26D64}" = EzMessenger
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{D647F06F-2908-487E-9CDA-DE52148CBF49}" = OverDrive Media Console
"{E171F5DA-6F17-472D-A223-92468142C5E8}" = AVG 2012
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"AudibleManager" = AudibleManager
"AVG" = AVG 2012
"Cisco Connect" = Cisco Connect
"CutePDF Writer Installation" = CutePDF Writer 2.8
"DX-Ball 1.09" = DX-Ball 1.09
"Eee Docking_is1" = Eee Docking 1.3.1.0
"EeePC_1005HA" = EeePC_1005HA Screen Saver
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Hoyle Puzzle and Board Games Classic" = Hoyle Puzzle and Board Games Classic
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Lexmark 6200 Series" = Lexmark 6200 Series
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSPUB5" = Microsoft Publisher 98
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SCRABBLE" = SCRABBLE
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.1.11
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/30/2011 5:02:17 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 15734

Error - 9/30/2011 5:02:33 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/30/2011 5:02:33 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 31469

Error - 9/30/2011 5:02:33 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 31469

Error - 9/30/2011 5:02:48 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/30/2011 5:02:48 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 47078

Error - 9/30/2011 5:02:48 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 47078

Error - 9/30/2011 5:11:11 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/30/2011 5:11:11 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 549812

Error - 9/30/2011 5:11:11 PM | Computer Name = YOUR-E9ZDEK3JF1 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 549812

[ System Events ]
Error - 2/2/2012 9:58:42 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG2012\avgtray.exe.
Reference
error message: The operation completed successfully. .

Error - 2/2/2012 10:04:29 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 2/2/2012 10:04:29 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 2/2/2012 10:04:29 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG2012\avgse.dll.
Reference
error message: The operation completed successfully. .

Error - 2/2/2012 10:31:17 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 2/2/2012 10:31:17 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 2/2/2012 10:31:17 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG2012\avgse.dll.
Reference
error message: The operation completed successfully. .

Error - 2/2/2012 10:36:56 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 2/2/2012 10:36:56 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error
message: The referenced assembly is not installed on your system. .

Error - 2/2/2012 10:36:56 PM | Computer Name = ROBINSNETBOOK | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG2012\avgse.dll.
Reference
error message: The operation completed successfully. .


< End of report >

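Two sections of the Extras.txt above are the ones a helper reads first when a rogue AV popup like "Security Shield" is suspected: Shell Spawning, where the batfile/cmdfile/comfile/exefile/piffile open commands are all the stock `"%1" %*` in this log, and Security Center Settings, where UpdatesDisableNotify = 1 is the only notification flag set. The script below is an added example, not part of the thread and not OTL's own code: it splits an Extras.txt into its `========== Name ==========` sections and reports any executable class whose open command has been redirected, plus any Security Center warning that has been silenced. The first sample is copied from the log posted above; the second is constructed to show what a hijacked exefile entry would look like, and the loader path in it is hypothetical.

```python
"""Checks for the Shell Spawning and Security Center sections of an OTL
Extras.txt log.  Added example: not from the thread and not OTL's own code."""
import re

# Stock Windows XP "open" commands for executable/script classes, exactly as
# the thread's Extras.txt shows them.  Rogue AV commonly rewrites exefile so
# that its own binary runs before every program the user launches.
EXPECTED_OPEN = {
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
}

# Security Center flags; a value of 1 silences the balloon warning for that
# protection (Automatic Updates, firewall or antivirus being off).
NOTIFY_KEYS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

HEADER_RE = re.compile(r"^========== (.+?) ==========$")
OPEN_RE = re.compile(r"^(\w+) \[open\] -- (.+)$")
VALUE_RE = re.compile(r'^"(\w+)" = (-?\d+)$')


def split_sections(text):
    """Map each '========== Name ==========' header to the non-blank lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_shell_spawning(lines):
    """Report executable classes whose [open] command is not the stock '"%1" %*'."""
    findings = []
    for line in lines:
        m = OPEN_RE.match(line)
        if not m:
            continue
        cls, cmd = m.groups()
        cmd = re.sub(r" \([^()]*\)$", "", cmd)  # drop OTL's trailing "(Company)" tag
        if cls in EXPECTED_OPEN and cmd != EXPECTED_OPEN[cls]:
            findings.append(f"{cls}: open command hijacked -> {cmd}")
    return findings


def check_security_center(lines):
    """Report Security Center notifications that have been switched off."""
    findings = []
    for line in lines:
        m = VALUE_RE.match(line)
        if m and m.group(1) in NOTIFY_KEYS and m.group(2) == "1":
            findings.append(f"Security Center: {m.group(1)} = 1 (warning suppressed)")
    return findings


def analyze(text):
    """Run both checks over a whole Extras.txt and return the findings in order."""
    sec = split_sections(text)
    return (check_shell_spawning(sec.get("Shell Spawning", []))
            + check_security_center(sec.get("Security Center Settings", [])))


# Sample input: the relevant lines copied from the Extras.txt posted in the thread.
SAMPLE_FROM_THREAD = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
scrfile [open] -- "%1" /S
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"""

# Constructed input, NOT from the thread: the same sections with exefile pointed
# at a hypothetical loader, which is the pattern the check is meant to catch.
SAMPLE_HIJACKED = SAMPLE_FROM_THREAD.replace(
    'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Documents and Settings\user\Local Settings\Application Data\loader.exe" "%1" %* ()',
)

if __name__ == "__main__":
    for name, sample in (("thread log", SAMPLE_FROM_THREAD), ("hijacked sample", SAMPLE_HIJACKED)):
        print(name)
        for finding in analyze(sample) or ["no findings"]:
            print("  " + finding)
```

Run against the lines from Robin's log, the only finding is UpdatesDisableNotify = 1, which on its own just means Windows will not nag about Automatic Updates being off and can be a user's own choice; it is a data point to weigh with the rest of the logs, not proof of infection. The exefile hijack only shows up in the constructed second sample, and the stock `"%1" %*` values in the real log are what a helper wants to see there.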
MTnestRobin
2012-02-03, 06:42
OTL logfile created on: 2/2/2012 10:24:56 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Robin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.17 Mb Total Physical Memory | 612.46 Mb Available Physical Memory | 60.33% Memory free
2.38 Gb Paging File | 1.97 Gb Available in Paging File | 82.60% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 38.45 Gb Free Space | 53.36% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.75 Gb Free Space | 99.58% Space Free | Partition Type: NTFS

Computer Name: ROBINSNETBOOK | User Name: Robin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Robin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Robin\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgemcx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
PRC - C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
PRC - C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\lxbuPP5C.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (AdobeActiveFileMonitor4.0) -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
SRV - (lxbu_device) -- C:\WINDOWS\System32\lxbucoms.exe (Lexmark International, Inc.)


========== Driver Services (SafeList) ==========

DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (SRS_PremiumSound_Service) -- C:\WINDOWS\system32\drivers\SRS_PremiumSound_i386.sys ()
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (L1c) -- C:\WINDOWS\system32\drivers\l1c51x86.sys (Atheros Communications, Inc.)
DRV - (uvclf) -- C:\WINDOWS\system32\drivers\uvclf.sys (GenesysLogic Technologies, Inc.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (AsusACPI) -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS (ASUSTeK Computer Inc.)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.facebook.com/home.php? [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/|http://www.facebook.com/home.php?"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1865
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/12/23 08:07:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/24 11:54:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/02/04 13:09:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Robin\Application Data\Mozilla\Extensions
[2011/12/09 21:10:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Robin\Application Data\Mozilla\Firefox\Profiles\50spamrh.default\extensions
[2011/02/04 13:57:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Robin\Application Data\Mozilla\Firefox\Profiles\50spamrh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/09 21:27:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/24 11:54:18 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/24 11:54:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/24 11:54:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [LXBUCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.DLL ()
O4 - HKLM..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe (Synaptics Incorporated)
O4 - Startup: C:\Documents and Settings\Robin\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Robin\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\Robin\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm File not found
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/28 00:03:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{8a0813e0-6c1e-11e0-bc51-0025d35f1262}\Shell - "" = AutoRun
O33 - MountPoints2\{8a0813e0-6c1e-11e0-bc51-0025d35f1262}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8a0813e0-6c1e-11e0-bc51-0025d35f1262}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/02/02 21:38:01 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Robin\Desktop\OTL.exe
[2012/02/02 21:00:31 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Robin\Desktop\aswMBR.exe
[2012/01/26 22:27:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/01/26 22:26:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robin\Desktop\help
[2012/01/26 22:25:39 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Robin\Start Menu\Programs\Administrative Tools
[2012/01/26 22:22:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/26 22:18:03 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/01/26 22:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/01/26 22:15:27 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Robin\Desktop\dds.com
[2012/01/26 22:14:57 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Robin\Desktop\erunt-setup.exe
[2012/01/18 14:22:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robin\My Documents\My Media
[2012/01/18 14:19:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robin\Application Data\OverDrive
[2012/01/18 14:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\OverDrive Media Console
[2012/01/18 14:18:26 | 000,000,000 | ---D | C] -- C:\Program Files\OverDrive Media Console
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/02 21:35:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robin\Desktop\OTL.exe
[2012/02/02 20:58:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/02 14:16:57 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C1482AEE-FC7E-4A82-BD0A-2B591FC95935}.job
[2012/02/02 14:10:57 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/02 13:57:08 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Robin\Desktop\aswMBR.exe
[2012/01/27 20:13:59 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/01/26 22:19:30 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Robin\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/01/26 22:18:09 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Robin\Desktop\ERUNT.lnk
[2012/01/26 22:11:32 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Robin\Desktop\dds.com
[2012/01/26 22:04:52 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Robin\Desktop\erunt-setup.exe
[2012/01/26 21:42:34 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Robin\Desktop\HijackThis.msi
[2012/01/26 19:44:09 | 000,326,656 | ---- | M] () -- C:\Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe
[2012/01/26 18:44:38 | 087,515,122 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/01/25 18:43:12 | 000,212,052 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/01/18 14:18:27 | 000,001,888 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OverDrive Media Console.lnk
[2012/01/16 09:32:56 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/01/15 12:55:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/15 12:49:19 | 000,442,140 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/15 12:49:19 | 000,071,910 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/15 12:44:59 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Robin\Desktop\Word.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/26 22:19:30 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Robin\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/01/26 22:18:09 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Robin\Desktop\ERUNT.lnk
[2012/01/26 22:15:21 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Robin\Desktop\HijackThis.msi
[2012/01/26 19:44:09 | 000,326,656 | ---- | C] () -- C:\Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe
[2012/01/18 14:18:27 | 000,001,888 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OverDrive Media Console.lnk
[2011/11/26 12:27:13 | 000,063,792 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/07/28 14:25:04 | 000,000,239 | ---- | C] () -- C:\WINDOWS\thumbs.ini
[2011/02/04 13:09:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/10/05 22:36:33 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/10/05 21:13:15 | 000,000,160 | ---- | C] () -- C:\WINDOWS\EPSON RX500 Installer.ini
[2010/05/13 12:38:01 | 000,029,467 | ---- | C] () -- C:\WINDOWS\hpoins03.dat.temp
[2010/05/13 12:38:00 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat.temp
[2010/05/07 15:34:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/30 23:10:11 | 000,029,440 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2010/04/30 23:10:10 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2010/04/29 22:07:07 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2010/04/29 22:06:47 | 000,028,372 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/04/29 22:06:46 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2010/04/26 00:50:11 | 005,254,656 | ---- | C] () -- C:\Program Files\converter.exe
[2010/04/26 00:13:24 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/04/25 21:24:47 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbuvs.dll
[2010/04/25 20:40:09 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Robin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/25 17:30:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/11 20:30:08 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/12/20 15:54:54 | 000,001,848 | ---- | C] () -- C:\Documents and Settings\Robin\Application Data\wklnhst.dat
[2009/05/05 13:13:43 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/05/05 12:16:46 | 000,232,872 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_PremiumSound_i386.sys
[2009/05/05 11:03:49 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2009/05/05 11:03:49 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2009/05/05 11:02:03 | 000,013,650 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2009/05/05 11:00:13 | 000,000,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\SamSfPa.dat
[2009/05/05 11:00:13 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\drivers\rtkhdaud.dat
[2009/05/05 10:52:19 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2009/04/28 00:06:09 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/04/28 00:02:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/04/27 23:51:49 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/04/27 23:51:38 | 000,442,140 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/27 23:51:38 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/04/27 23:51:38 | 000,071,910 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/27 23:51:38 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/04/27 23:51:38 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/04/27 23:51:37 | 000,004,562 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/04/27 23:51:36 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/04/27 23:51:36 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/04/27 23:51:34 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/04/27 23:51:34 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/04/27 23:51:32 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/04/27 23:51:29 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/04/27 16:58:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/27 16:58:00 | 000,330,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/01/05 02:30:18 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

========== LOP Check ==========

[2011/10/12 10:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2010/11/27 10:36:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/05/05 17:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems
[2010/11/27 10:41:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/10/27 11:49:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2012/01/26 18:45:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/12/25 19:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/05/05 11:02:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wireless LAN Card
[2010/04/26 02:44:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/10/12 09:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\AVG2012
[2012/02/02 20:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\Dropbox
[2010/04/25 20:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\Hoyle FaceCreator
[2011/08/17 15:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\Hoyle Puzzle and Board Games
[2010/10/05 21:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\Leadertech
[2012/01/18 14:19:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\OverDrive
[2011/12/04 09:44:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\Rovio
[2009/12/20 15:54:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robin\Application Data\Template
[2012/02/02 14:16:57 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{C1482AEE-FC7E-4A82-BD0A-2B591FC95935}.job

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.* >
[2010/10/27 11:49:55 | 000,000,000 | ---- | M] () -- C:\AdobeDebug.txt
[2009/04/28 00:03:59 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/01/27 20:13:59 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2009/04/28 00:03:59 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/04/28 00:03:59 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/03/09 18:27:36 | 000,001,243 | ---- | M] () -- C:\lxbu.log
[2011/02/27 15:31:05 | 000,002,172 | ---- | M] () -- C:\lxbuscan.log
[2009/04/28 00:03:59 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 07:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/02/02 20:58:24 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/04/28 00:03:31 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2004/09/14 08:42:04 | 000,073,728 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxbuPP5C.DLL
[2003/06/18 16:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2006/10/26 18:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2010/04/26 00:50:21 | 005,254,656 | ---- | M] () -- C:\Program Files\converter.exe

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/04/27 16:57:35 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2009/04/27 16:57:35 | 001,064,960 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2009/04/27 16:57:35 | 000,909,312 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lîk /x >
[2011/12/04 09:43:54 | 000,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Angry Birds.lnk
[2009/04/28 00:04:00 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
[2009/12/06 11:45:57 | 000,001,607 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2009/04/28 00:04:00 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2009/04/28 00:04:00 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >
[2008/06/25 06:18:46 | 000,004,608 | ---- | M] () -- C:\WINDOWS\system32\THUMBS.DB
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Desktop\*.exe >
[2012/02/02 13:57:08 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Robin\Desktop\aswMBR.exe
[2012/01/26 22:04:52 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Robin\Desktop\erunt-setup.exe
[2012/02/02 21:35:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robin\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-01-15 17:55:54

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s >


< MD5 for: EXPLORER.EX_ >
[2008/04/14 07:00:00 | 000,356,615 | ---- | M] () MD5=D7B59A7EC9CB1429FDCEC84A22228555 -- C:\WINDOWS\I386\EXPLORER.EX_

< MD5 for: EXPLORER.EXE >
[2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: EXPLORER.SC_ >
[2008/04/14 07:00:00 | 000,000,181 | ---- | M] () MD5=BC5B38879C56DFBC05C8B5C43AC4D739 -- C:\WINDOWS\I386\EXPLORER.SC_

< MD5 for: EXPLORER.SCF >
[2008/04/14 07:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CH_ >
[2008/04/14 07:00:00 | 000,199,077 | ---- | M] () MD5=1D662719AB9BB40BA7526B3973D3F626 -- C:\WINDOWS\I386\IEXPLORE.CH_

< MD5 for: IEXPLORE.CHM >
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2008/04/14 07:00:00 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie7\iexplore.chm
[2006/09/01 07:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\WINDOWS\ie8\iexplore.chm

< MD5 for: IEXPLORE.CHW >
[2010/04/25 14:28:30 | 000,157,092 | ---- | M] () MD5=3741E9A8312CD758C9EF6E0E42370214 -- C:\WINDOWS\Help\iexplore.chw

< MD5 for: IEXPLORE.EX_ >
[2008/04/14 07:00:00 | 000,037,887 | ---- | M] () MD5=2B46169148FFD81CAE84572CD32BDF86 -- C:\WINDOWS\I386\IEXPLORE.EX_

< MD5 for: IEXPLORE.EXE >
[2008/12/19 00:25:25 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=030D78FE84A086ED376EFCBD2D72C522 -- C:\WINDOWS\ie7updates\KB963027-IE7\iexplore.exe
[2008/10/15 01:34:58 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=056C927CF7207857E8B34F7A8FFD9B9E -- C:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[2008/12/19 00:25:30 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=15E8A89499741D5CF59A9CF6463A4339 -- C:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[2008/08/23 00:56:15 | 000,635,848 | ---- | M] (Microsoft Corporation) MD5=1F03216084447F990AE797317D0A6E70 -- C:\WINDOWS\ie7updates\KB958215-IE7\iexplore.exe
[2008/02/29 03:55:46 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=2D0E5592AB5A46C27DAF7CCAFF4F5B59 -- C:\WINDOWS\ie7updates\KB956390-IE7\iexplore.exe
[2008/04/14 07:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie7\iexplore.exe
[2008/02/22 04:40:22 | 000,625,664 | ---- | M] (Microsoft Corporation) MD5=6E0888626E0CAC79F57149814E22DB4D -- C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[2010/10/18 06:07:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=72D1F43C4146D312B0DB6AB98C21340E -- C:\WINDOWS\ie8\iexplore.exe
[2007/01/08 17:08:42 | 000,623,616 | ---- | M] (Microsoft Corporation) MD5=93A6A4F5293AE19E3B37021AABCF0902 -- C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
[2008/10/15 02:06:26 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=9D3DB9ADFABD2F0BC778EC03250A3ABB -- C:\WINDOWS\ie7updates\KB961260-IE7\iexplore.exe
[2009/02/27 23:54:41 | 000,636,072 | ---- | M] (Microsoft Corporation) MD5=A251068640DDB69FD7805B57D89D7FF7 -- C:\WINDOWS\ie7updates\KB2416400-IE7\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2009/02/27 23:54:44 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=BCD8E48709BE4A79606F0B6E8E9A6162 -- C:\WINDOWS\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[2010/10/18 05:36:30 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=DA6E1F0F1932B62DD2F6ED05541C555C -- C:\WINDOWS\$hf_mig$\KB2416400-IE7\SP3QFE\iexplore.exe
[2007/08/13 17:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\WINDOWS\ie7updates\KB928090-IE7\iexplore.exe
[2008/08/23 00:56:16 | 000,635,848 | ---- | M] (Microsoft Corporation) MD5=E8305C30D35E85D6657ED3E9934CB302 -- C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\iexplore.exe.mui
[2007/08/13 17:43:36 | 000,573,440 | ---- | M] (Microsoft Corporation) MD5=B58D8A1C7EE0E922EC7D2616DA136FC3 -- C:\WINDOWS\ie8\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2012/01/11 14:06:20 | 000,093,036 | ---- | M] () MD5=8CB3C3054B381CD8CCF65C1A40A10A87 -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HL_ >
[2008/04/14 07:00:00 | 000,059,881 | ---- | M] () MD5=D23388C8D5D82D4D1C3B0B6A256E3CB7 -- C:\WINDOWS\I386\IEXPLORE.HL_

< MD5 for: IEXPLORE.HLP >
[2008/04/14 07:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: WINLOGON.EX_ >
[2008/04/14 07:00:00 | 000,265,069 | ---- | M] () MD5=063EF1A46C58A731F78AE5AF47070D65 -- C:\WINDOWS\I386\WINLOGON.EX_

< MD5 for: WINLOGON.EXE >
[2008/04/14 07:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 07:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >
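
The OTL log above is the key evidence in this thread: the only executable it lists with no company name that also sits in a user-writable profile directory and was written on the evening of the rogue popup is jvlogkoegl.exe under Local Settings\Application Data (the file the helper's fix later moves). The script below is an added example, not part of the thread and not OTL's own code; it automates that reading by parsing OTL's file entries and flagging executables that combine a missing company name with a user-writable location or a timestamp inside an incident window. The sample lines are copied from the log above, the incident date (2012-01-26) is taken from the first post, and the one-day window is an assumption.

```python
"""Triage helper for an OTL (OldTimer's List-It) log: flag executables that OTL lists
with no company name and that also sit in a user-writable profile directory or were
written inside the incident window.  Added example; not OTL's own code."""

import re
from datetime import datetime, timedelta

# One OTL file entry:  [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd")

# Profile roots a limited user can write to (XP, then Vista and later).
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\users\\")

# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
[2012/02/02 21:35:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robin\Desktop\OTL.exe
[2012/01/26 22:11:32 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Robin\Desktop\dds.com
[2012/01/26 21:42:34 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Robin\Desktop\HijackThis.msi
[2012/01/26 19:44:09 | 000,326,656 | ---- | M] () -- C:\Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe
[2012/01/26 18:44:38 | 087,515,122 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/04/26 00:50:11 | 005,254,656 | ---- | C] () -- C:\Program Files\converter.exe
[2009/04/27 23:51:36 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
"""


def parse_otl_file_lines(text):
    """Yield one dict per OTL file entry; headers, blanks and other line types are skipped."""
    for line in text.splitlines():
        m = OTL_FILE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
        e["size"] = int(e["size"].replace(",", ""))
        e["company"] = e["company"].strip()
        yield e


def triage(text, incident_start, window=timedelta(days=1)):
    """Return a shortlist of executables worth a look: no company name plus at least one
    corroborating indicator (user-writable location, or written inside the window).
    Sorted with the most indicators first, then oldest first."""
    findings = []
    for e in parse_otl_file_lines(text):
        path_l = e["path"].lower()
        if not path_l.endswith(EXEC_EXTS):
            continue
        reasons = []
        if not e["company"]:
            reasons.append("no company name")
        if any(h in path_l for h in USER_WRITABLE_HINTS):
            reasons.append("user-writable location")
        if incident_start <= e["ts"] <= incident_start + window:
            reasons.append("written in incident window")
        # A missing company name alone is common on legitimate files; require corroboration.
        if "no company name" in reasons and len(reasons) >= 2:
            findings.append({"path": e["path"], "ts": e["ts"], "size": e["size"], "reasons": reasons})
    findings.sort(key=lambda f: (-len(f["reasons"]), f["ts"]))
    return findings


def triage_sample():
    """Run the triage over the sample with the thread's incident date (window is an assumption)."""
    return triage(SAMPLE_LOG, datetime(2012, 1, 26))


if __name__ == "__main__":
    for f in triage_sample():
        print(f["ts"], f["size"], f["path"], "<-", "; ".join(f["reasons"]))
```

A missing company name on its own is weak evidence (oembios.bin and converter.exe in the same log have none and are not flagged), which is why the check insists on a second indicator; the result is a shortlist for a helper to inspect, not a verdict.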

oldman960
2012-02-03, 19:23
Hi MTnestRobin,

Try this for your desktop.
rightclick on the desktop
click properties
click the Settings tab
use the slider to change your screen resolution
click apply, click ok
right click the desktop again and click refresh

Did that resolve the problem?

You can set the resolution at whatever your preference.


aswMBR didn't run correctly. We'll try a different tool. You should be able to use the sick computer.

Download Rogue Killer (http://www.sur-la-toile.com/RogueKiller/)and save it to your desktop.

double click the Rogue Killer icon to run it
After it has completed its prescan, click scan
When the scan is complete click report
Please post the log.

MTnestRobin
2012-02-03, 20:19
Hi Oldman960!

I am doing a happy dance :banana: , my desktop is back! Thank you!

Robin


RogueKiller V7.0.2 [01/30/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Robin [Admin rights]
Mode: Scan -- Date : 02/03/2012 14:08:47

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160314AS +++++
--- User ---
[MBR] 04fd081331b27c922c1e9be073c1eb55
[BSP] 92710b27dc83f01f72d41137bbcc549d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 73790 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 151123455 | Size: 73782 Mo
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 302230845 | Size: 5004 Mo
3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 312480315 | Size: 47 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
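
RogueKiller's MBR Check above hashes the boot sector and lists the four partition-table entries (sizes are in "Mo", French for megabytes). The script below is an added example, not RogueKiller's own code; it does the same reading of a raw 512-byte sector in Python: it verifies the 0x55AA signature, hashes the sector, decodes the four 16-byte entries at offset 446, and applies the sanity checks a helper would run before trusting the table (one active partition, no overlapping entries, no unknown types). The sample sector is constructed here from the partition offsets and types in the report; its boot code is zero-filled, so its hash is not the one in the report, and the fourth partition's sector count is an estimate from the reported 47 Mo. Hashing the boot code separately from the whole sector is this example's choice, not a statement about how RogueKiller computes its lines.

```python
"""Read a raw 512-byte MBR the way RogueKiller's "MBR Check" reports it: hash the sector,
decode the four partition-table entries, and apply a few sanity checks.
Added example; not RogueKiller's own code."""

import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 boot code; 440..443 disk signature; 446..509 table
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"

TYPE_NAMES = {0x07: "NTFS", 0x0b: "FAT32", 0x0c: "FAT32-LBA",
              0x1c: "FAT32-LBA", 0xef: "EFI system", 0x00: "empty"}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}


def build_mbr(parts, boot_code=b"\x00" * BOOT_CODE_LEN, disk_sig=0x1234abcd):
    """Assemble a MBR from (status, type, lba_start, sectors) tuples.  CHS fields stay zero;
    LBA-addressed disks do not use them.  Used here only to construct the sample."""
    if len(boot_code) != BOOT_CODE_LEN or len(parts) > 4:
        raise ValueError("bad boot code length or too many partitions")
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in parts).ljust(64, b"\0")
    return boot_code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


def parse_mbr(sector):
    """Decode one sector.  Raises on wrong length or missing 0x55AA signature."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        raise ValueError("not a MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "mbr_md5": hashlib.md5(sector).hexdigest(),                        # whole sector
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),  # code region only
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": parts,
    }


def sanity_check(parsed):
    """Triage hints, not proof of a bootkit: several active flags, overlapping entries,
    or partition types TYPE_NAMES does not know."""
    warns = []
    parts = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    if sum(p["active"] for p in parts) > 1:
        warns.append("more than one active partition")
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            warns.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    for p in parts:
        if p["type_name"] == "unknown":
            warns.append("partition %d has unknown type 0x%02x" % (p["index"], p["type"]))
    return warns


# Constructed sample: offsets and types from the RogueKiller report in this thread; the
# sector counts are derived from the reported sizes (the last one is an estimate).
SAMPLE_PARTS = [
    (0x80, 0x07, 63, 151123392),          # active NTFS, 73790 MB
    (0x00, 0x07, 151123455, 151107390),   # second NTFS, 73782 MB
    (0x00, 0x1c, 302230845, 10249470),    # hidden FAT32-LBA recovery area, 5004 MB
    (0x00, 0xef, 312480315, 96390),       # EFI-type tools partition, 47 MB
]
SAMPLE_MBR = build_mbr(SAMPLE_PARTS)


def report(sector):
    """RogueKiller-style summary lines followed by any warnings."""
    parsed = parse_mbr(sector)
    lines = ["[MBR] %s" % parsed["mbr_md5"]]
    for p in parsed["partitions"]:
        lines.append("%d - [%s] %s (0x%02x) [%s] Offset (sectors): %d | Size: %d MB" % (
            p["index"], "ACTIVE" if p["active"] else "XXXXXX", p["type_name"], p["type"],
            "HIDDEN!" if p["hidden"] else "VISIBLE", p["lba_start"], p["size_mb"]))
    return lines + ["WARNING: " + w for w in sanity_check(parsed)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MBR)))
```

On a live Windows system the same 512 bytes come from open(r"\\.\PhysicalDrive0", "rb").read(512) run as administrator. Compare the boot-code hash against a known-clean sector from the same Windows version rather than the whole-sector hash, which changes with any partition-table edit.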

oldman960
2012-02-04, 00:15
Hi MTnestRobin,

Are you experiencing any problems? Any redirects?


Your Java is out of date. Click your Start button, open Control Panel.
Locate the Java icon (it looks like a coffee cup)
double click it to open it
click the Update tab
Click update now



Next, Double click on OTL.exe
Under the Custom Scans/Fixes box at the bottom, paste in the following
Do Not copy the word CODE
please note the fix starts with the :




:Services

:Files
C:\Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[createrestorepoint]


Then click the Run Fix button at the top
Let the program run unhindered
Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.


Next

Download and save to your desktop Malwarebytes Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post back with
OTL fix log
MBAM log

MTnestRobin
2012-02-04, 01:20
Hi Oldman960,

The computer seems to be running okay. It sure isn't doing what it was before. AVG updated itself, so that is back operating too.

I ran the OTL and now that the scan is over it wants to restart my machine to 'finish removing files'. Do I okay that before it gives me a report? (I don't dare make that call on my own and ruin any info.) Is the program going to reopen on its own and provide the report after the reboot?

Robin

oldman960
2012-02-04, 09:43
Hi MTnestRobin,

Yes, allow it to reboot. OTL should open and the log should appear after the reboot. If the log doesn't appear you can find it at C:\_OTL\Moved Files. It will be named something like 02032012_042020.log

MTnestRobin
2012-02-04, 17:28
Hi Oldman960,

Here is the OTL:

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Robin\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Robin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Robin
->Temp folder emptied: 19238274 bytes
->Temporary Internet Files folder emptied: 129557443 bytes
->Java cache emptied: 14392343 bytes
->FireFox cache emptied: 52282279 bytes
->Flash cache emptied: 2093568 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 10748 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1055201 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 61178054 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1514460527 bytes

Total Files Cleaned = 1,711.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 02032012_190222

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

***********************************************

And here is the MBAM:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.04.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Robin :: ROBINSNETBOOK [administrator]

Protection: Enabled

2/4/2012 11:13:06 AM
mbam-log-2012-02-04 (11-13-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 167881
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

oldman960
2012-02-04, 20:02
Hi MTnestRobin,

Everything looks good so far. Any problems?

MTnestRobin
2012-02-04, 21:12
Hi Oldman960,

Everything seems to be normal to me...meaning nothing blatantly obvious, and everything is smooth! Wow, you made it seem so ...easy! Is that it?

Robin

MTnestRobin
2012-02-05, 16:58
Hi Oldman960,

Maybe I 'spoke' too soon. While most everything seems to be normal, I just noticed that I don't have an AVG icon in the 'tray??' by the clock anymore. When I click on the icon on the desktop I get the same message I had in the beginning when the problem started [AVG failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.]. Strangely, after one of the fixes, I remember it (AVG) updating itself.

Should I just uninstall and reinstall? And if so, is AVG the best for the job or should I choose another like Avast or Antivir?

Robin

oldman960
2012-02-05, 20:25
Hi MTnestRobin,

Sorry I thought I had replied earlier.


Let's give this tool a run. Since AVG seems to be damaged you may as well uninstall it before running the tool. We will reinstall it or another one after we are sure there isn't anything left.

Without an active antivirus program please limit the internet activity with this computer to downloading tools and posting in this thread.


Please read through these instructions to familiarize yourself with what to expect when this tool runs.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Please post back with the combofix log.

MTnestRobin
2012-02-05, 21:39
Hi Oldman 960,

Here is the ComboFix log:

ComboFix 12-02-05.02 - Robin 02/05/2012 15:12:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.471 [GMT -5:00]
Running from: c:\documents and settings\Robin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\Thumbs.db
.
Infected copy of c:\windows\system32\d3d8.dll was found and disinfected
Restored copy from - c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\d3d8.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
.
.
2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\documents and settings\Robin\Application Data\Malwarebytes
2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-04 16:09 . 2012-02-04 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-04 16:09 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-04 00:02 . 2012-02-04 00:02 -------- d-----w- C:\_OTL
2012-02-03 23:58 . 2012-02-03 23:58 -------- d-----w- c:\program files\Common Files\Java
2012-01-27 03:18 . 2012-01-27 03:19 -------- d-----w- c:\program files\ERUNT
2012-01-24 16:54 . 2012-01-24 16:54 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-24 16:54 . 2012-01-24 16:54 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-24 16:54 . 2012-01-24 16:54 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-24 16:54 . 2012-01-24 16:54 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-18 19:19 . 2012-01-18 19:19 -------- d-----w- c:\documents and settings\Robin\Application Data\OverDrive
2012-01-18 19:18 . 2012-01-18 19:18 -------- d-----w- c:\program files\OverDrive Media Console
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2009-04-28 04:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2009-04-28 04:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2009-04-28 04:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2009-04-28 04:51 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2009-04-28 04:51 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-10 10:54 . 2010-08-21 05:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-04-26 06:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-26 05:50 . 2010-04-26 05:50 5254656 ----a-w- c:\program files\converter.exe
2012-01-24 16:54 . 2011-12-10 02:28 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-09-10 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\Robin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ SuperHybridEngine.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk
backup=c:\windows\pss\ SuperHybridEngine.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Robin^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Robin\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-09-09 05:18 57344 ----a-w- c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]
2009-05-08 14:42 395776 ----a-w- c:\program files\ASUS\Eee Docking\Eee Docking.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2004-09-17 13:24 61440 ----a-w- c:\program files\Lexmark 6200 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 05:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbumon.exe]
2004-09-22 10:43 188416 ----a-w- c:\program files\Lexmark 6200 Series\lxbumon.exE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-04-27 21:08 17881088 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxbucoms.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Robin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/4/2012 11:09 AM 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/4/2012 11:09 AM 20464]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/5/2009 11:00 AM 1684736]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 8:59 PM 38912]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/5/2009 12:16 PM 232872]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [3/16/2009 4:27 PM 39040]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\User_Feed_Synchronization-{C1482AEE-FC7E-4A82-BD0A-2B591FC95935}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Robin\Application Data\Mozilla\Firefox\Profiles\50spamrh.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/|http://www.facebook.com/home.php?
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
AddRemove-AudibleManager - c:\documents and settings\Robin\My Documents\Audible\Bin\Upgrade.exe
AddRemove-WinZip - c:\program files\WinZip\WINZIP32.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-05 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1511041104-3879260708-71502492-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:13,ba,4f,04,1e,d7,d5,3f,63,a4,c0,05,86,72,23,ba,6c,28,d1,e8,86,2d,3c,
f7,70,48,2e,8f,cb,27,1b,8f,d3,25,fa,39,b5,f0,ea,36,36,6a,c2,9a,03,a7,fa,cf,\
"??"=hex:33,a2,92,ba,44,d1,1d,12,98,06,30,04,7f,5d,44,bb
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2856)
c:\windows\system32\WININET.dll
c:\documents and settings\Robin\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2012-02-05 15:24:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-05 20:24
.
Pre-Run: 43,585,724,416 bytes free
Post-Run: 43,532,959,744 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 998FF166F89B22EA3D6B3E44B83BC42D

Robin

oldman960
2012-02-05, 22:52
Hi MTnestRobin,

How's the computer now?


*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scanner from
ESET (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
Click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

Push the back button.
Push Finish
Re-enable your Antivirus software.

MTnestRobin
2012-02-06, 00:34
Hi Oldman960,

Nothing noticed, but then I haven't used the computer much for anything but this.

Here are the results from the online scan:

C:\Documents and Settings\Robin\My Documents\Downloads\cnet2_AngryBirdsInstaller_1_5_1_exe.exe a variant of Win32/InstallCore.D application
C:\_OTL\MovedFiles\02032012_190222\C_Documents and Settings\Robin\Local Settings\Application Data\jvlogkoegl.exe a variant of Win32/Kryptik.ZPL trojan

SOOOO...having read what this scan found, I find myself a little alarmed by it! The word 'trojan' of course caught my eye, but the download for Angry Birds being there too upsets me! I always felt I was safe downloading from Cnet. :hair: If I have the Angry Birds installer (setup program) on my thumb drive does that mean I better delete it off there too? Uninstall the program too?

Robin

oldman960
2012-02-06, 02:53
Hi MTnestRobin,

Don't worry about the Cnet detection. ESET is just warning you about the presence of the downloader used, as a potentially unwanted application. The other is already quarantined and was all that remained of the infection. The quarantined file will be removed when the tools are removed.

From your desktop, please delete, if present
any notepads/logs that we created
aswMBR.exe
RogueKiller



Next

Click the Start button, click Run. [Vista users, go Start>"Start search"] Copy and paste the following line into the run box and click OK
Combofix /uninstall


Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


I suggest you keep MBAM. Keep it updated and use it regularly.


Updates and upgrades

You can either reinstall AVG or install one of the other free antivirus programs from the links below:

Avast (http://www.avast.com/free-antivirus-download)
Help and support can be found here Avast Forum (http://forum.avast.com/)
AVG (http://free.grisoft.com/freeweb.php/doc/2/)
Help and support can be found here AVG Forum (http://forum.grisoft.cz/freeforum/index.php)
Antivir PersonalEditionClassic (http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html)
Help and support can be found here Avira Personal Support Forum (http://www.free-av.com/en/support/index.html)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
Support (http://go.microsoft.com/fwlink/?LinkID=153442)


Adobe

You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources. If you chose to use Foxit decline the Foxit Toolbar.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 8.1.1 first. Be sure to move any PDF documents to another folder first though.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL (http://www.bleepingcomputer.com/forums/tutorial60.html) for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)


You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS (http://www.mvps.org/winhelp2002/hosts.htm)

Please read the info on disabling the DNS Client before installing a custom hosts file.



-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) (using Internet Explorer) and download and install all critical updates on a regular basis.


- Make sure you have reset Automatic Updates to your chosen option. Click your Start button > Control Panel > System > Automatic Updates tab.


- Keep your antivirus program updated, as well as any other security programs you have.


-More tips and programs can be found HERE (http://forums.whatthetech.com/Preventing_Malware_Tools_Practices_Safe_Computing_t98700.html)

Please post back if you have any problems.

Take care

MTnestRobin
2012-02-06, 09:01
Hi Oldman960,

>>I suggest you keep MBAM. Keep it updated and use it regularly.

Regularly...as in weekly? Monthly? (Sure hope it's dummy-proof, lol.)

>>...you should uninstall Adobe Reader 8.1.1 first. Be sure to move any PDF documents to another folder first though.

I don't know what you mean by this. :scratch: Please tell me I don't have to locate every pdf I've created, or saved, on this computer and move them all into a folder! :eek:

>>Some Recommendations and prevention tips

Thank you so much for the prevention tips! I wanted to ask, but didn't dare take more of your time. (even though I did read the sticky notes)

>>Basic security consists of :

Virus program- Sticking with AVG because I'm familiar with it and have enough new things to learn! (pm me if you think I chose wrong.)

Resident Spyware program- Does Spybot count for that? (probably should schedule that to update and run automatically too, but how often??)

On-Demand AntiSpyware program- That would be the MBAM, right?

Firewall- Not sure what this means either.

>> If you are behind a router, Windows firewall should be fine.

We receive internet via cable (as opposed to dial-up or dsl), then use a wireless 'router,' is that what you mean? So maybe I could get away with just the Windows firewall instead??? Otherwise I am thinking of Comodo.

>>OR a guide to understanding and using the hosts file....Please read the info on disabling the DNS Client before installing a custom hosts file :blink:.

Omg, this is way out of my league (went right over my head)! Maybe I'd take on learning it... if it came down to that, or a root canal! I picked SpyBlaster instead!

All the other suggestions I did, or they were done already.

I do have one nagging annoyance. My startup in msconfig has a bunch of junk in there that I try to keep unchecked. Can you tell me what HAS to stay there / needs to be checked. I have HijackThis, but am a little leery using it on my own. Can we take out the obvious? :cleaning:

Most appreciatively,
Robin

oldman960
2012-02-07, 04:41
Hi MTnestRobin,


>>...you should uninstall Adobe Reader 8.1.1 first. Be sure to move any PDF documents to another folder first though.
>>I don't know what you mean by this. Please tell me I don't have to locate every pdf I've created, or saved, on this computer and move them all into a folder!

Only if you saved them in the Adobe folder.


>>Virus program- Sticking with AVG because I'm familiar with it and have enough new things to learn! (pm me if you think I chose wrong.)

They are all about as good as each other. None are perfect and all will miss some things. I usually recommend what you feel comfortable with.


>>Resident Spyware program- Does Spybot count for that? (probably should schedule that to update and run automatically too, but how often??)

TeaTimer is the resident scanner in Spybot. If it's turned on then you have a resident scanner otherwise it's an on demand.


>>On-Demand AntiSpyware program- That would be the MBAM, right?

Yes.


>>If you are behind a router, Windows firewall should be fine.

The problem with the XP firewall is it doesn't have outbound monitoring. Most routers come with a firewall, so yes, you should be OK with the Windows firewall.


>>OR a guide to understanding and using the hosts file....Please read the info on disabling the DNS Client before installing a custom hosts file

The link provided to the custom Hosts also has a very good explanation of what the Hosts file is. Spywareblaster does the same thing in a bit different manner. Either one will do the job for you.


>>My startup in msconfig has a bunch of junk in there that I try to keep unchecked

Pretty much everything you have in msconfig can stay there. They are not doing anything and do not really take up any space on the computer. Having them unchecked means a program will not start when you start your computer. However, the program can be started manually. They are a link to a registry key which controls startup items. When they are unchecked they are moved to a different key so they don't run at startup. If later you decide you want a program to start when you start the computer, you can recheck the item and the entry will be moved back to the run key. Fixing items with HijackThis will remove the entry from the run key, leaving you no option other than rewriting the entry in the registry should you decide you want it to run.

Here's a link to a startup database with information as to what the items are and recommendations as to whether or not to uncheck them.
http://www.pacs-portal.co.uk/startup_search.php
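
As an added example (not part of this thread or any of the tools used in it), here is a read-only PowerShell inventory of the registry locations oldman960 describes: the Run key that msconfig shows as checked, the msconfig startupreg subkeys that hold unchecked items, plus the Security Center notification value MBAM repaired and the StandardProfile firewall flag seen in the ComboFix log. It assumes the XP-era key layout from the logs above and the standard AntiVirusDisableNotify / FirewallDisableNotify sibling values; it changes nothing.

```powershell
# Added example, not from the thread. Read-only inventory of startup entries
# (checked vs. unchecked in msconfig), Security Center alert suppression and
# the StandardProfile firewall flag. Assumes the XP-era key layout in the logs.

$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$DisabledKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$SecCenter   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$FwProfile   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

function Get-StartupEntries {
    # Checked entries: every value under Run is one item that starts with Windows.
    $run = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            New-Object PSObject -Property @{
                Name = $name; State = 'checked'; Command = $run.GetValue($name)
            }
        }
    }
    # Unchecked entries: msconfig moves each one into its own subkey here and keeps
    # the original command line in the 'command' value. That is why re-checking the
    # box can move it back, while deleting it from Run (e.g. with HijackThis) cannot.
    Get-ChildItem -Path $DisabledKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Name = $_.PSChildName; State = 'unchecked'; Command = $props.command
        }
    }
}

function Get-SecurityCenterNotifyState {
    # MBAM flagged UpdatesDisableNotify = 1 (PUM.Disabled.SecurityCenter): a value of 1
    # silences the Security Center warning. The two sibling values (assumed standard
    # names) are the same kind of switch for antivirus and firewall warnings.
    $sc = Get-ItemProperty -Path $SecCenter -ErrorAction SilentlyContinue
    foreach ($v in 'UpdatesDisableNotify', 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
        $val = $sc.$v
        if ($val -eq 1) { $status = 'SUPPRESSED - find out why' } else { $status = 'ok' }
        New-Object PSObject -Property @{ Setting = $v; Value = $val; Status = $status }
    }
}

function Get-FirewallProfileState {
    # EnableFirewall = 0 (as in the ComboFix log) means the XP firewall is off for
    # this profile; the thread's advice is to have it on even behind a router.
    $fw = Get-ItemProperty -Path $FwProfile -ErrorAction SilentlyContinue
    if ($fw.EnableFirewall -eq 1) { $status = 'on' } else { $status = 'OFF' }
    New-Object PSObject -Property @{
        Setting = 'EnableFirewall'; Value = $fw.EnableFirewall; Status = $status
    }
}

Get-StartupEntries | Sort-Object State, Name | Format-Table Name, State, Command -AutoSize
Get-SecurityCenterNotifyState | Format-Table Setting, Value, Status -AutoSize
Get-FirewallProfileState      | Format-Table Setting, Value, Status -AutoSize
```

Run it from an administrator PowerShell prompt; unfamiliar names in the 'Command' column can be looked up in the startup database linked above.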

MTnestRobin
2012-02-10, 04:38
Come here Oldman960 I want to give you a great big hug! :bighug:

My computer is running fine now. I will do my very best to educate myself, in order to stay protected.

:thanks: I wish there were better words to thank you and your colleagues for what you do! You are truly heroes! I hope all the good you do is returned many times over!

With heart felt appreciation,
Robin *heading off to the donate page*

oldman960
2012-02-10, 17:10
Hi MTnestRobin,

You are more than welcome, happy to have been able to help.


>>With heart felt appreciation,
>>Robin *heading off to the donate page*

Thank you!

oldman960
2012-02-12, 10:46
Since this issue appears to be resolved ... this Topic has been closed.