Infected with malware, IE redirect - DDS hangs system



Jess Fixit
2012-02-08, 21:13
This is my first post to a forum.

My computer was infected by something and running DDS completely hangs my system.

A fake virus removal tool popped up and started scanning my system, called “system check”. Before I could stop it, by shutting down my system, it hid all my files, disabled task manager, and deleted all icons from my desktop, except for recycle bin and Internet Explorer. It also started redirecting all my searches (bing) to ‘www.berlinfernsehturm.de’ then to a rotating list of bogus help websites.
I was able to 'unhide' my files and regain control of my desktop. A system restore removed the NoDriverTypeAutoRun error it created. I then ran Spybot and discovered a Fraud.DefenseCenter. I also found a program in ‘c:\Documents and Setting\AllUsers\ApplicationData’ called WgjpPxjtqGl.exe. I opened the file and the fake virus removal tool started again. Immediately, I shut down my system. After restarting, I deleted that file and four others with the same timestamp using secure shredder. The Fraud.DefenseCenter was also removed from the SB recovery using the secure shredder.
I went through the steps in the Manual Removal Guide for Fraud.DefenseCenter. I did not find any of the files listed in any of the steps. I thought maybe I had stopped the virus before it had done too much damage.
I tried the search again using IE (bing). It was now directing me to ‘www.hipnoza.com’ then again to the rotating list of websites. During this, a different fake virus removal tool popped up called “internet security check”. I immediately ended the program by shutting down my system, using ‘shutdown‘. Task manager was not working but not disabled as before. I now have a file called isecurity.exe in ’c:\Documents and Setting\AllUsers\ApplicationData’ and a shortcut on my desktop.
After I restarted my system I ran Spybot and it came back clean. I scanned the isecurity.exe using Spybot and it came back clean.
There is something definitely hiding somewhere. Since I interrupted the program before it could complete, I don't know what the outcome would be.

I tried to run DDS before requesting assistance but my system hangs after 11 mins. Even the clock stops. It required a hard reboot to restart. I tried again in safe mode with the same results. Unfortunately, there are no logs or files to share.

I am way over my head on this. Your assistance and guidance would greatly be appreciated!!

ken545
2012-02-09, 00:34


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7, you need to Right Click on the program and select RUN AS ADMINISTRATOR



You need to boot to safemode with networking

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)





Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do its job. This may take a few tries.

You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.







Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






Download this program to your desktop
http://download.bleepingcomputer.com/grinler/unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Jess Fixit
2012-02-09, 03:40
Greeting ken545,
Thank you for your assistance.

Here is the log from the Rkill and the Malwarebytes' Scan:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/08/2012 at 19:34:11.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 02/08/2012 at 19:35:26.

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brenda Poland :: D6KX9PB1 [administrator]

Protection: Enabled

2/8/2012 8:04:14 PM
mbam-log-2012-02-08 (20-04-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245244
Time elapsed: 33 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.AV2009) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Documents and Settings\Brenda Poland\Local Settings\Temp\3A.tmp (Rogue.InternetSecurity) -> Quarantined and deleted successfully.

(end)


What, if any, is the next step?

Thank you kindly,
Jess

ken545
2012-02-09, 09:55
Jess,

Are your icons missing from your desktop? Are there any files or folders you can't see that are hidden? If so, you need to run the last program I posted, unhide.


Sometimes when you have an infection like this there may be more hiding, so let's look a bit further.



Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Jess Fixit
2012-02-09, 19:32
Good day ken545,

Last night, Malwarebytes would not run in Safe Mode. I had switched back to normal mode to run the Quick Scan. I provided the log with two items found in my previous post.

I did manage to unhide my desktop icons and files previously, but I ran the unhide to be safe. Everything seems normal, no new files or icons showed up. I did take advantage of the antispyware and security software being turned off and ran it again this morning. I did this based on the message from unhide : “Your files should now be visible. If you are still missing Start Menu items, please temporarily disable your antivirus or security programs and try again. In the event that they interfered with the restoral process.”
I figured it would not hurt to run Unhide again.

After I posted my reply last night, curiosity got the best of me and I ran Malwarebytes again using a Full Scan. Here is the log from the Full Scan:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.09.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brenda Poland :: D6KX9PB1 [administrator]

Protection: Enabled

2/8/2012 10:18:27 PM
mbam-log-2012-02-08 (22-18-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 321632
Time elapsed: 1 hour(s), 6 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1724\A0195920.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1724\A0195921.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1727\A0196042.exe (Rogue.InternetSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1729\A0199155.exe (Rogue.InternetSecurity) -> Quarantined and deleted successfully.

(end)

Now for the results of the instructions in your last post.


I downloaded Combofix and saved it to my desktop.
I disabled MalwareBytes, Spybot TeaTimer, Windows XP firewall, TrendMicro Real-Time Protection, and the TrendMicro firewall.
Double clicked ComboFix.exe
Microsoft Windows Recovery Console was installed
Continued with Malware scan
Restore point created HIV-backup
AutoScan started at 10:25 am
Computer clock stopped at 10:31 am - computer hung no keys or mouse control
Finally shut down computer at 11:25 am - 1 hour later


Restarted computer in safe mode
Tried CF for the second time
Autoscan started 11:31 am
Watched task manager and noticed services.exe (user - SYSTEM) used most resources
At 11:36 am task mgr window disappeared
Clock stopped at 11:38 am
Turned off computer at 11:58 am - computer hung no keys or mouse control


3rd try - with safe mode with networking.
Same scenario - computer hung after about 12 minutes.

Sorry, I have no C:\comboFix.txt. There is a ComboFix folder but no text file. I am so lost….. Am I doing something wrong?

Many thanks!

Jess

ken545
2012-02-09, 19:51
Hello Jess,

Those files that Malwarebytes found are in your System Restore Program, let's clear them all out and create a new restore point.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.








Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

Go to http://www.techsupportforum.com/sectools/tetonbob/StartBtn.gif -> Run -> copy/paste in the following single line command & click OK


"%userprofile%\desktop\combofix.exe" /killall

http://www.techsupportforum.com/sectools/tetonbob/killall.JPG

Click OK and this will start ComboFix in a special way.
When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
ComboFix.txt

Jess Fixit
2012-02-09, 21:48
ken545,

I am completely baffled…

The first two tasks, creating a system restore point and purging the old restore points, were successful. No problems!

Running CF is another story.

I unplugged the internet connection from the PC and stopped all monitoring programs. Then followed your instructions. About 6 minutes into the special way of running CF using the command line, the window for “no connection to the internet is currently available. Etc.. Click to work offline or try again to reconnect.” appeared. I had not touched the keyboard or mouse after the click “OK” in the run window. The computer’s clock stopped also. I waited about 5 minutes before touching anything to verify the system had indeed hung.
I tried again. Reconnected the internet, thinking that was the issue. Clicked “OK” and things seemed fine. I had the yellow blinking cursor in the Autoscan window until about 6 minutes into the scan. The cursor stopped blinking and went solid. The clock stopped again. I waited another 5 minutes before touching the keyboard or mouse. Yes, the system was hung.

Do you have any words of wisdom you might be able to share on this baffling situation.

Thanks for being patient with me.
Jess

ken545
2012-02-09, 22:41
Hello Jess,

I run into this all the time with different programs. At this point I am not sure if it's malware related or something on your system preventing Combofix from running. Let's set Combofix on the back burner for now.



Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

Jess Fixit
2012-02-09, 23:23
ken545,
I have Windows XP Service Pack 3 x86 NTFS. aswMBR.exe doesn't seem to want to run. I tried running each of the different compatibility modes and also running it as a different user and Admin. No Luck...
Help
Thank you for sharing your wisdom.
Jess

ken545
2012-02-09, 23:52
Not looking good, see if this one will run

Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

Jess Fixit
2012-02-10, 00:05
ken545,
Success! It ran. I don't know what the results mean but it doesn't look good to me...
Here is the log:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7992000 \WINDOWS\system32\KDCOM.DLL
0xF78A2000 \WINDOWS\system32\BOOTVID.dll
0xF7363000 ACPI.sys
0xF7994000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7352000 pci.sys
0xF7492000 isapnp.sys
0xF7A5A000 pciide.sys
0xF7712000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74A2000 MountMgr.sys
0xF7333000 ftdisk.sys
0xF7996000 dmload.sys
0xF730D000 dmio.sys
0xF771A000 PartMgr.sys
0xF74B2000 VolSnap.sys
0xF72F5000 atapi.sys
0xF74C2000 disk.sys
0xF74D2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72D5000 fltmgr.sys
0xF72C3000 sr.sys
0xF72AD000 DRVMCDB.SYS
0xF74E2000 PxHelp20.sys
0xF7296000 KSecDD.sys
0xF7283000 WudfPf.sys
0xF71F6000 Ntfs.sys
0xF71C9000 NDIS.sys
0xF71AF000 Mup.sys
0xF690B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF66C7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF66B3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF668B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF785A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6667000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7862000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6633000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF6610000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6511000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF646A000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF786A000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6444000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7502000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF79C4000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF7512000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7522000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7B1B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7532000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF797E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF642D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7542000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7552000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7872000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF641C000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7562000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF787A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7882000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF63EC000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7572000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF788A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7892000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79C6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF638E000 \SystemRoot\system32\DRIVERS\update.sys
0xF7172000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF61D0000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF7582000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF4083000 \SystemRoot\system32\drivers\sthda.sys
0xF405F000 \SystemRoot\system32\drivers\portcls.sys
0xF75C2000 \SystemRoot\system32\drivers\drmk.sys
0xF793E000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF75E2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF6824000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79D4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B88000 \SystemRoot\System32\Drivers\Null.SYS
0xF79D6000 \SystemRoot\System32\Drivers\Beep.SYS
0xF772A000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF774A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7752000 \SystemRoot\System32\drivers\vga.sys
0xF79D8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79DA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF775A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7762000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6818000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF3E94000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF3E3B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF3E13000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6810000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF3DF1000 \SystemRoot\System32\drivers\afd.sys
0xF7602000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF3DB1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF3DA0000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xF7622000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF3D75000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3D05000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7632000 \SystemRoot\System32\Drivers\Fips.SYS
0xF776A000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7772000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7966000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7642000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF796A000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7782000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF796E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7976000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF7662000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF3CC5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79E6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF793A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77AA000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B22000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xBF391000 \SystemRoot\System32\ATMFD.DLL
0xF1428000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xF693B000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xF1291000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xF1226000 \SystemRoot\system32\drivers\TmXPFlt.sys
0xF692B000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7ABC000 \SystemRoot\System32\DLA\DLADResN.SYS
0xF1210000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xF13FC000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7A0A000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF77CA000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xF11F8000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xF11E2000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xF108C000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
0xF1BFD000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
0xF11BE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF077B000 \SystemRoot\system32\DRIVERS\nwrdr.sys
0xF074E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF106C000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
0xF0649000 \SystemRoot\system32\drivers\wdmaud.sys
0xF697B000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7A02000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF7A04000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xEF919000 \SystemRoot\System32\Drivers\HTTP.sys
0xEF899000 \SystemRoot\system32\DRIVERS\srv.sys
0xEF875000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE87C000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
924 C:\WINDOWS\system32\smss.exe
972 csrss.exe
1000 C:\WINDOWS\system32\winlogon.exe
1044 C:\WINDOWS\system32\services.exe
1056 C:\WINDOWS\system32\lsass.exe
1308 C:\WINDOWS\system32\ati2evxx.exe
1324 C:\WINDOWS\system32\svchost.exe
1432 svchost.exe
1556 C:\WINDOWS\system32\svchost.exe
1592 C:\WINDOWS\system32\svchost.exe
1728 svchost.exe
2012 svchost.exe
332 C:\WINDOWS\system32\spoolsv.exe
412 svchost.exe
780 C:\WINDOWS\explorer.exe
1480 C:\WINDOWS\ehome\ehtray.exe
1492 C:\WINDOWS\stsystra.exe
1520 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
1580 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
1696 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
1752 C:\WINDOWS\ehome\ehrecvr.exe
192 C:\WINDOWS\system32\ctfmon.exe
240 C:\WINDOWS\ehome\ehSched.exe
644 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
960 C:\Program Files\Digital Line Detect\DLG.exe
948 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
2232 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2256 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
2456 svchost.exe
2520 C:\WINDOWS\system32\svchost.exe
2876 C:\WINDOWS\system32\fxssvc.exe
2988 mcrdsvc.exe
3868 C:\WINDOWS\system32\dllhost.exe
3984 C:\WINDOWS\system32\dlcccoms.exe
2060 alg.exe
3620 C:\WINDOWS\ehome\ehmsas.exe
2884 C:\WINDOWS\system32\wscntfy.exe
1428 C:\Program Files\Internet Explorer\iexplore.exe
2200 C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD160JJ/P, Rev: ZM100-34

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Thanks for not giving up on this!
Jess

ken545
2012-02-10, 00:07
Let's try another. If I suspect what you may be infected with, this may not run either, but no need for alarm just yet.



Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

Jess Fixit
2012-02-10, 00:39
ken545,
You were right. It did not run.
What is the next step in this suspected infection?
Thanks again,
Jess

ken545
2012-02-10, 01:16
Jess, still not 100% sure but you have signs that your Master Boot Record may be infected, lots of this going around lately.

What I need you to do is get me an offline dump of your MBR. Be sure to use Firefox and not Internet Explorer for the downloads, as IE has been really messing it up. Then we can look at it and determine if it is indeed infected; if it is, it can be fixed, and if it's not, we can look at other options.

I would print this out so you can follow along real well.



xPUD

We will need a USB stick and access to an uninfected machine.

We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:

Insert your USB drive into the uninfected machine.
Click on Start > My Computer > right click your USB drive > choose Format > Quick format.


Next

Download both http://sourceforge.net/projects/unetbootin/files/UNetbootin/Custom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
Make sure you have the formatted USB stick in the uninfected system.
Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
Press Run and then OK.
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded.
Verify the correct drive letter is selected for your USB device then click OK.
It will install a little bootable OS on your USB device
After it has completed do not choose to reboot the clean computer, simply close the installer.


Next

Use the clean computer to download dumpit from the following link: http://noahdfear.net/downloads/dumpit
Once dumpit is downloaded save it to the USB stick.


Next

Take the USB to the infected computer and boot with it.
The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
A Welcome to xPUD screen will appear.
Press File.
Expand mnt.
sda1,2...usually corresponds to your HDD.
sdb1 is likely your USB drive.
Click on the folder that represents your USB drive (sdb1 ?).
Confirm that you see dumpit that you downloaded there.
Double click on dumpit.
Once completed, a file called mbr.zip will be saved to the USB drive.
Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.



If you encounter any difficulties just let me know.

Jess Fixit
2012-02-10, 01:46
ken545,
Does the uninfected machine need to be the same OS as the infected machine?

There is a message at the end of each post, "Just a reminder that threads will be closed if no reply in 3 days."
I will be out of town for the weekend, back Sun pm. Getting to an uninfected machine, back, then to the uninfected machine may take some time.
Just in case, please do not close the thread. I will be back!

Thank you for your persistence.
Jess

Jess Fixit
2012-02-10, 02:23
ken545,

I checked the link for ".... to download dumpit from the following link: http://noahdfear.net/downloads/dumpit"

There were no downloads. A page full of symbols and characters showed up.

Did the link get truncated?

Thanks,
Jess

ken545
2012-02-10, 05:06
Jess,

Let me check on that link for you, it may have changed. You should use a computer with the NTFS file system which is XP, Vista or Win 7.

Not to worry about this thread, I will keep it open for you

ken545
2012-02-10, 05:23
Are you using Firefox to download the dumpit file ?

Jess Fixit
2012-02-10, 16:12
ken545,
Thank you for keeping the thread open for me, much appreciated.

I was not using Firefox to download the dumpit. I was reviewing your procedures using my machine and IE, default browser, to make sure I fully understood before proceeding to use a friend's PC. Today, I switched to Firefox and the window for "save file" came up for dumpit. It is working fine. Sorry, my bad.

I see that it is imperative to have Firefox on my friend's PC before starting the offline dump procedure. She will be dropping off her laptop today during her lunch break. It is a newer PC and should have Win 7. Definitely, will download Firefox, if it is not already there. Hopefully, I'll have something today before I leave for the weekend.

Once again, thank you ken545 for your help.
Jess

ken545
2012-02-10, 17:19
Hello Jess,

Yep, you will need FF to download those files, and then if your friend doesn't like it she can uninstall it. Myself, I've been a FF fan for many years.

Jess Fixit
2012-02-11, 03:55
ken545,

Very happy to report that the offline dump of my infected MBR was successful. Finally! Feels good to be making some progress. Attached is the mbr.zip for your review. (Sent from uninfected machine.)

Many thanks!!
Jess

ken545
2012-02-11, 12:14
Jess,

Just looking at the dump file now, it basically looks OK. I do see a hidden partition, but that could have been put there by your manufacturer. This looks like a Dell computer.

I have sent that dump file up to VirusTotal to be analysed and it came back as ok.

I want to have someone else take another look, be back in a bit

Jess Fixit
2012-02-11, 15:15
ken545,
Yes, it is a Dell computer.
Thanks for all your efforts on this unusual problem.
Jess

ken545
2012-02-11, 17:00
Jess,

This is what we are up against: malware has installed an infected hidden partition within your Master Boot Record and set that partition as active, so every time you boot up your system it boots from the infected partition and the malware is activated.

aswMBR has been updated to remove the rogue partition, so let's give it one more shot. Hang on to your USB drive with xPUD, as if aswMBR won't run then we will need it. First drag the aswMBR that you have on your desktop to the trash and download a fresh new copy; when you run it, let it update if it asks.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

Jess Fixit
2012-02-13, 19:45
ken545,

aswMBR.exe did not run. It did nothing. (I had made sure all monitoring software was turned off.) Double-clicked a second time, nothing.
Just to make sure, I repeated the procedure with trashing the old, downloading a fresh copy of the new, made sure the monitoring software was off and nothing again.

Seems this malware really has control over my machine.

What is the next step in ousting this hostile takeover?

Thanks much,
Jess

ken545
2012-02-13, 19:53
Jess,

Go to Start > Control Panel > Administrative Tools > Computer Management > Disk Management, expand the picture, then press ALT + PrtScr (Print Screen) and paste it into a picture editor (Paint would do fine). Name the file DiskManage, save the file to your desktop and then attach it to your next reply.

Jess Fixit
2012-02-13, 20:19
ken545,
Here is the screen print of the disk management.
Thanks,
Jess

ken545
2012-02-13, 22:20
You may want to print this out so you can follow along.

Download tdl_fix.sh (http://noahdfear.net/downloads/tdl_fix.sh) and save it to the xPUD flash drive.
Boot into xPUD then click the File tab.
Press File
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh then press Enter.
Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 2 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.


Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
This is a backup of the original MBR and will restore it to its current state.

Jess Fixit
2012-02-14, 00:13
ken545,

The program worked on the first attempt. The first time through it came back with "Does this look correct?" for the partition. It quickly completed with no issues. I rebooted normally into Windows. The machine is no longer running sluggish. I didn't realize how slow it had become. (Seems like I just upgraded!) I tried the dreaded IE search for "system restore" which was causing the original redirect. It worked!! I was able to navigate through the search results and back with no problems. I also tried other similar "restore" searches with no issues. It seems to be working as it should be.

Here is the txt file from the program run.

Is the machine now clean? Do you know what are the security concerns and ramifications from this malware would be?

I am deeply grateful for your assistance with this problem. I know it is not easy trying to debug from remote control.

Jess :D

ken545
2012-02-14, 01:01
One more step, Jess. What we have done was set the legit partition as active, but the rogue partition is still there; just run this and it will remove the bad partition.

Boot into xPUD then click the File tab.
Press File
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh -delete then press Enter.
** Make sure to leave a space to either side of tdl_fix.sh in the command.
You should be notified of a hidden partition found and prompted to delete it.
Type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_delete.txt file that was created on your flash drive.


Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Ok the procedure then restart when complete.
Then go to Disk Management once more and attach a new screenshot
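Both tdl_fix.sh passes described above (first hand the boot flag to the legitimate partition, then delete the hidden one, keeping tdl_mbr_sda.bin as the -restore fallback) and the earlier reading of the dumpit MBR dump come down to the same thing: inspecting and editing the 64-byte partition table at offset 446 of the disk's first sector. The Python below is an added worked example, not code from the thread, from tdl_fix.sh or from dumpit. It parses a raw 512-byte MBR, flags a small partition that carries the 0x80 boot flag while a much larger partition does not (the symptom ken545 describes), moves the flag to the largest real partition, zeroes the rogue entry and keeps a byte-for-byte backup. The sample sector, its partition types and sizes, and the 32 MiB "small partition" threshold are constructed assumptions, not values from the poster's real dump. As in the thread, the sector this operates on must be read from a live CD/USB, not from the infected Windows, because a bootkit that hooks disk I/O will hand Windows-side tools a clean-looking copy.

```python
"""
Added example (not part of the thread, tdl_fix.sh or dumpit): parse and repair
an MBR partition table in memory. All disk data here is constructed.
"""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # partition table starts here, 4 entries of 16 bytes
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
SECTOR = 512
SMALL_PARTITION_SECTORS = 32 * 1024 * 1024 // SECTOR   # assumed "tiny" threshold: 32 MiB


def parse_partitions(mbr):
    """Return the four table entries as dicts (empty slots come back with type 0)."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with 55 AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"index": i + 1, "active": status == 0x80,
                      "type": ptype, "lba": lba, "sectors": sectors})
    return parts


def build_mbr(entries):
    """Assemble an MBR from (active, type, lba, sectors) tuples; boot code left zeroed."""
    table = b""
    for e in entries + [None] * (4 - len(entries)):
        if e is None:
            table += b"\x00" * ENTRY_SIZE
        else:
            active, ptype, lba, sectors = e
            table += struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, sectors)
    return b"\x00" * TABLE_OFFSET + table + SIGNATURE


def find_rogue(parts, max_sectors=SMALL_PARTITION_SECTORS):
    """Index of a tiny partition holding the boot flag while a bigger one exists, else None."""
    for p in parts:
        if p["active"] and 0 < p["sectors"] <= max_sectors:
            if any(q["sectors"] > p["sectors"] for q in parts if q is not p):
                return p["index"]
    return None


def set_active(mbr, index):
    """Give the boot flag to one occupied slot and clear it on every other occupied slot."""
    buf = bytearray(mbr)
    if buf[TABLE_OFFSET + (index - 1) * ENTRY_SIZE + 4] == 0:
        raise ValueError("cannot mark an empty slot active")
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        if buf[off + 4] == 0:          # type byte 0 = empty slot, leave untouched
            continue
        buf[off] = 0x80 if i + 1 == index else 0x00
    return bytes(buf)


def delete_partition(mbr, index):
    """Zero one 16-byte table entry (what a '-delete' style pass does)."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + (index - 1) * ENTRY_SIZE
    buf[off:off + ENTRY_SIZE] = b"\x00" * ENTRY_SIZE
    return bytes(buf)


def clean_mbr(mbr):
    """Return (backup, fixed): backup is the untouched sector to write back on a bad boot."""
    backup = bytes(mbr)
    parts = parse_partitions(mbr)
    rogue = find_rogue(parts)
    if rogue is None:
        return backup, bytes(mbr)
    legit = max((p for p in parts if p["index"] != rogue and p["sectors"] > 0),
                key=lambda p: p["sectors"])
    fixed = set_active(mbr, legit["index"])
    fixed = delete_partition(fixed, rogue)
    return backup, fixed


# Constructed sample loosely shaped like a Dell/XP disk; NOT the poster's dump.
SAMPLE_MBR = build_mbr([
    (False, 0xDE, 63, 80325),            # vendor utility partition
    (False, 0x07, 80388, 302000000),     # Windows NTFS partition, boot flag taken away
    (True, 0x17, 312577712, 4096),       # 2 MiB hidden partition at the end, marked active
])

if __name__ == "__main__":
    for p in parse_partitions(SAMPLE_MBR):
        print("before", p)
    backup, fixed = clean_mbr(SAMPLE_MBR)
    for p in parse_partitions(fixed):
        print("after ", p)
```

On a real system the 512 bytes would come from `dd if=/dev/sda bs=512 count=1` run from the live environment, and the repaired sector would be written back the same way, only after saving the backup somewhere off the disk being repaired. The active-flag and delete steps are deliberately separate functions, mirroring the thread's two passes: flipping the flag first confirms the legitimate partition still boots before anything is destroyed.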

Jess Fixit
2012-02-14, 03:03
ken545,

Elated to report the hidden partition has been deleted!! Those 2MB are gone!

I have attached the Disk Management screen shot and the txt output file from the delete.

I've been reviewing the forum for ways to prevent further intrusions and will apply the practices as soon as my machine is deemed "clean".

Thanks for your time and expertise,
Jess

ken545
2012-02-14, 09:49
Good Morning Jess,

Wonderful. When we're done I will give you some tips and links to free programs to install that can help you keep your system more secure.


Things should run fairly well now, so open Malwarebytes, check for updates and run the Quick Scan, removing what it finds. Post the log please, but don't bother if nothing is found.

Then run aswMBR just to scan, don't fix anything, and post that log.


OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Jess Fixit
2012-02-14, 16:51
ken545,
I'm glad to finally be at the point to run the scans and produce logs. A big thanks to you!
Here are the results:
Malware bytes - No malicious items were detected.
aswMBR - downloaded the latest Avast! virus definitions - attached produced txt file.
OTL completed with no issues - logs listed below. (Lots of things in the log I have no idea what they are or where they came from.)

OTL.txt:
OTL logfile created on: 2/14/2012 10:12:40 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Brenda Poland\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 536.63 Mb Available Physical Memory | 52.50% Memory free
30.20 Gb Paging File | 29.89 Gb Available in Paging File | 98.99% Paging File free
Paging file location(s): C:\pagefile.sys 30000 50000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.18 Gb Total Space | 83.72 Gb Free Space | 58.07% Space Free | Partition Type: NTFS

Computer Name: D6KX9PB1 | User Name: Brenda Poland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\dlcccoms.exe ( )
PRC - C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\dlccHPEC.DLL ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\dlccFLIB.DLL ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\dlcccfg.dll ()
MOD - C:\WINDOWS\system32\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlccdrec.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccnv4.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (PcCtlCom) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (Tmntsrv) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
SRV - (tmproxy) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
SRV - (dlcc_device) -- C:\WINDOWS\System32\dlcccoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdnsuc) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)
DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)
DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (USB_RNDIS_XP) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search"

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2011/07/24 20:08:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/19 10:04:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/16 10:40:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2011/07/24 20:08:03 | 000,000,000 | ---D | M]

[2010/08/19 10:05:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Extensions
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\extensions
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/11/17 08:49:17 | 000,000,276 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\searchplugins\search.xml
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2012/02/10 09:38:18 | 000,442,741 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 127.0.0.1 171203.com
O1 - Hosts: 127.0.0.1 17-plus.com
O1 - Hosts: 127.0.0.1 www.1800searchonline.com
O1 - Hosts: 127.0.0.1 1800searchonline.com
O1 - Hosts: 127.0.0.1 www.180searchassistant.com
O1 - Hosts: 15219 more lines...
O2 - BHO: (Reg Error: Value error.) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DLCCCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.DLL ()
O4 - HKLM..\Run: [dlccmon.exe] C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe File not found
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT1\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.0.cab (DLM Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87A9F30A-15CF-4635-8B39-9399F6194D80}: DhcpNameServer = 192.168.1.254 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) -C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/14 09:29:11 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe
[2012/02/13 13:30:17 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Brenda Poland\Desktop\aswMBR.exe
[2012/02/10 18:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\My Documents\Downloads
[2012/02/09 15:05:30 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/09 10:23:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/09 10:15:24 | 002,059,824 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Brenda Poland\Desktop\TDSSKiller.exe
[2012/02/09 10:14:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/09 10:14:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/09 10:14:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/09 10:14:56 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/09 10:12:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/09 08:59:55 | 004,399,011 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/08 19:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\Application Data\Malwarebytes
[2012/02/08 19:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/08 19:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/02/08 19:54:41 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/02/08 19:54:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/08 19:53:51 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brenda Poland\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/08 19:07:10 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/02/08 13:38:21 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\dds.scr
[2012/02/08 13:36:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/02/08 13:36:14 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT1
[2012/02/08 13:34:45 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Brenda Poland\Desktop\erunt-setup.exe
[2012/02/08 13:05:27 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brenda Poland\Recent
[2012/02/08 09:12:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/08 09:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/02/07 13:31:38 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2012/02/07 13:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01
[2012/01/23 08:18:04 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2006/08/28 22:19:24 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll
[2006/08/28 22:19:24 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccusb1.dll
[2006/08/28 22:19:24 | 000,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcchbn3.dll
[2006/08/28 22:19:24 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomc.dll
[2006/08/28 22:19:24 | 000,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpmui.dll
[2006/08/28 22:19:24 | 000,491,520 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccoms.exe
[2006/08/28 22:19:24 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcclmpm.dll
[2006/08/28 22:19:24 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomm.dll
[2006/08/28 22:19:24 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccih.exe
[2006/08/28 22:19:24 | 000,368,640 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccfg.exe
[2006/08/28 22:19:24 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccprox.dll
[2006/08/28 22:19:24 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpplc.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/14 10:02:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/14 10:01:58 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBR.dat
[2012/02/14 09:29:13 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe
[2012/02/14 09:02:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/14 08:01:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/14 08:01:42 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/13 21:53:00 | 000,024,030 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Application Data\wklnhst.dat
[2012/02/13 20:40:27 | 000,057,952 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange-del.GIF
[2012/02/13 14:15:36 | 000,058,184 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange.GIF
[2012/02/13 14:06:57 | 000,060,416 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/13 13:30:20 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Brenda Poland\Desktop\aswMBR.exe
[2012/02/13 13:16:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/10 09:38:18 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/09 21:18:09 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix3.wps
[2012/02/09 18:28:08 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120210-093818.backup
[2012/02/09 18:20:22 | 002,059,824 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Brenda Poland\Desktop\TDSSKiller.exe
[2012/02/09 18:18:50 | 002,041,278 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\tdsskiller.zip
[2012/02/09 17:56:58 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
[2012/02/09 15:49:35 | 000,014,848 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix2.wps
[2012/02/09 15:24:40 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-182808.backup
[2012/02/09 13:33:02 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix.wps
[2012/02/09 12:29:52 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-152440.backup
[2012/02/09 10:23:23 | 000,000,326 | RHS- | M] () -- C:\boot.ini
[2012/02/09 09:57:51 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-122952.backup
[2012/02/09 08:59:55 | 004,399,011 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/09 08:47:09 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-095750.backup
[2012/02/08 21:40:55 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\unhide.exe
[2012/02/08 21:30:33 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-084709.backup
[2012/02/08 21:10:13 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-213033.backup
[2012/02/08 20:51:04 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08-fix.wps
[2012/02/08 19:54:44 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/08 19:53:51 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brenda Poland\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/08 19:12:04 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\rkill.exe
[2012/02/08 19:09:22 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-211013.backup
[2012/02/08 19:03:32 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08.wps
[2012/02/08 13:38:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\dds.scr
[2012/02/08 13:36:40 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/08 13:36:16 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\ERUNT.lnk
[2012/02/08 13:35:19 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Brenda Poland\Desktop\erunt-setup.exe
[2012/02/08 13:30:20 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-190922.backup
[2012/02/08 09:37:50 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-133019.backup
[2012/02/07 19:53:01 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-093749.backup
[2012/02/07 15:51:32 | 000,043,876 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_15_51].cab
[2012/02/07 14:59:58 | 000,007,145 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_14_59].cab
[2012/02/07 14:49:43 | 001,339,719 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\rootalyz-0.3.4.47.zip
[2012/02/07 07:45:12 | 000,859,992 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01.zip
[2012/02/06 18:38:34 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120207-195300.backup
[2012/02/06 17:15:05 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-183833.backup
[2012/02/06 16:04:30 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-171505.backup
[2012/02/06 14:51:15 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-160430.backup
[2012/02/06 12:14:23 | 000,442,655 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-145115.backup
[2012/02/06 10:42:46 | 000,442,655 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-121423.backup
[2012/02/04 16:58:55 | 000,442,655 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-104246.backup
[2012/01/31 11:02:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/30 22:56:20 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\Silicone Space Station Guide.wps
[2012/01/30 22:08:55 | 000,441,842 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120204-165854.backup
[2012/01/25 20:31:40 | 000,000,848 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2012/01/23 08:18:04 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/01/22 09:45:11 | 000,441,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120130-220854.backup
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/14 10:01:58 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBR.dat
[2012/02/13 20:40:22 | 000,057,952 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange-del.GIF
[2012/02/13 14:15:27 | 000,058,184 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange.GIF
[2012/02/09 19:49:47 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix3.wps
[2012/02/09 18:18:39 | 002,041,278 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\tdsskiller.zip
[2012/02/09 17:56:57 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
[2012/02/09 13:59:50 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix2.wps
[2012/02/09 12:26:58 | 1071,796,224 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/09 10:23:21 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2012/02/09 10:23:08 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/09 10:14:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/09 10:14:56 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/09 10:14:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/09 10:14:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/09 10:14:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/09 08:58:05 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix.wps
[2012/02/08 21:40:52 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\unhide.exe
[2012/02/08 19:54:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/08 19:40:26 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08-fix.wps
[2012/02/08 19:11:58 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\rkill.exe
[2012/02/08 15:32:00 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08.wps
[2012/02/08 13:36:40 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/08 13:36:16 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\ERUNT.lnk
[2012/02/07 15:51:32 | 000,043,876 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_15_51].cab
[2012/02/07 14:59:58 | 000,007,145 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_14_59].cab
[2012/02/07 14:49:30 | 001,339,719 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\rootalyz-0.3.4.47.zip
[2012/02/07 07:45:07 | 000,859,992 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01.zip
[2010/08/10 15:59:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\housecall.guid.cache
[2010/03/10 10:47:47 | 000,000,186 | ---- | C] () -- C:\WINDOWS\RealFlight.INI
[2008/07/23 11:50:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/07/23 11:46:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/05/16 08:56:34 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/02/12 13:13:58 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/10 09:21:56 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/02/10 09:21:56 | 000,003,453 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/03/01 15:46:27 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/03/01 10:17:24 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2007/03/01 08:01:34 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2007/03/01 08:01:33 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2006/12/03 08:40:28 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/12/02 11:56:46 | 000,024,030 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Application Data\wklnhst.dat
[2006/09/04 14:54:48 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2006/09/04 14:21:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\fusioncache.dat
[2006/08/28 23:05:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/28 22:59:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/28 22:53:47 | 000,000,779 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/28 22:50:37 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/08/28 22:47:17 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/08/28 22:19:24 | 000,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2006/08/28 22:19:24 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2006/08/28 22:19:24 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2006/08/28 22:19:24 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2006/08/28 22:19:24 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2006/08/28 22:19:24 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2006/08/28 22:19:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2006/08/28 22:19:24 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2006/08/28 22:19:24 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2006/08/28 22:19:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2006/08/28 22:19:02 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/08/28 22:18:58 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/08/28 22:18:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 07:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 03:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 03:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 03:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 03:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 03:27:59 | 000,297,256 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 03:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 03:18:33 | 000,553,836 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 03:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 03:18:33 | 000,117,452 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 03:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 03:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 03:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 03:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 03:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 03:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 03:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 03:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 13:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 13:00:16 | 000,000,611 | ---- | C] () -- C:\WINDOWS\System32\dlccplc.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2005/08/16 19:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2007/08/28 17:57:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2011/08/19 17:19:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2011/09/22 15:03:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaInstallerCache
[2011/07/24 20:12:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2007/04/19 18:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Transparent
[2006/08/28 22:48:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/23 16:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\Amazon
[2007/03/01 09:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\BellSouth
[2006/09/17 15:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\Leadertech
[2011/08/19 17:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\PC Suite
[2006/09/07 08:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\Simple Star
[2007/08/07 17:47:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\Souptoys
[2006/12/02 11:56:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\Template
[2006/11/19 07:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda Poland\Application Data\Walgreens
[2006/10/02 10:55:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\EarthLink Toolbar
[2006/09/08 06:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Randy Poland\Application Data\EarthLink Toolbar

========== Purity Check ==========



< End of report >
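
The OTL "Files Created" / "Files Modified" lists above are raw tool output. As an added example (not part of this thread and not OTL's own code), the Python below parses that bracketed entry format into structured records and runs a few review heuristics over it: hidden+system files outside the usual boot files, executables under %SystemRoot% with no company field, executables dropped straight into an Application Data root, and changes to the hosts file. The sample lines are constructed to mirror the log format (one filename is invented), the boot-file allowlist and the heuristics are assumptions, and a hit means "look closer", not "malicious"; hidden+system files and unsigned helper tools are often legitimate.

```python
"""Parse OTL 'Files Created/Modified' entries and apply triage heuristics.

Added example for this thread; not OTL's code and not the poster's.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One OTL file entry looks like:
# [2012/02/09 10:15:24 | 002,059,824 | ---- | C] (Kaspersky Lab ZAO) -- C:\x\TDSSKiller.exe
# Attribute flags are positional: R(ead-only) H(idden) S(ystem) D(irectory), '-' when unset.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv")
# Hidden+system files Windows keeps at the drive root (assumption: a minimal allowlist).
BOOT_FILES = {"hiberfil.sys", "pagefile.sys", "boot.ini", "ntldr", "ntdetect.com", "cmldr"}


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    kind: str                 # 'C' = created, 'M' = modified
    company: Optional[str]    # None when OTL printed no company field at all
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and self.name.lower().endswith(EXEC_EXT)


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry, or None for summary lines such as '[2 C:\\WINDOWS\\*.tmp files -> ...]'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    company = m.group("company")
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),   # OTL prints 1 GB+ as '1071,796,224'
        readonly=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        is_dir=attrs[3] == "D",
        kind=m.group("kind"),
        company=company.strip() if company is not None else None,  # '( )' and '()' -> ''
        path=m.group("path"),
    )


def triage(entry: OtlEntry) -> List[str]:
    """Heuristic reasons an entry deserves a second look (review hints, not verdicts)."""
    reasons = []
    low = entry.path.lower()
    if entry.hidden and entry.system and not entry.is_dir and entry.name.lower() not in BOOT_FILES:
        reasons.append("hidden+system file outside the boot set")
    if entry.is_executable and not entry.company and low.startswith("c:\\windows\\"):
        reasons.append("executable with no company name under %SystemRoot%")
    if entry.is_executable and re.search(r"\\application data\\[^\\]+$", low):
        reasons.append("executable dropped directly in an Application Data root")
    if low.endswith("\\drivers\\etc\\hosts"):
        reasons.append("hosts file changed (%d bytes)" % entry.size)
    return reasons


def scan(log_text: str) -> List[Tuple[OtlEntry, List[str]]]:
    """Parse every entry line; return (entry, reasons) for entries with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


# Constructed sample in OTL's format (XkQtLmZq.exe is an invented filename).
SAMPLE = r"""
[2012/02/09 10:23:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/09 10:14:56 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/09 10:14:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/14 08:01:42 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/25 20:31:40 | 000,000,848 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2012/02/10 09:38:18 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/08 12:00:00 | 000,331,776 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\XkQtLmZq.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
"""

if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE):
        print("%s %s %s" % (entry.timestamp, entry.path, "; ".join(reasons)))
```

Feed it a whole OTL.txt (the two file sections plus the LOP check parse with the same regex, directory entries included) and read the hits alongside the Extras.txt registry dump; the parser only narrows the list, and each flagged file still needs checking by hash, signature, or a lookup of the vendor that ships it.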

Jess Fixit
2012-02-14, 16:57
Here is the Extras.txt:

OTL Extras logfile created on: 2/14/2012 10:12:41 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Brenda Poland\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 536.63 Mb Available Physical Memory | 52.50% Memory free
30.20 Gb Paging File | 29.89 Gb Available in Paging File | 98.99% Paging File free
Paging file location(s): C:\pagefile.sys 30000 50000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.18 Gb Total Space | 83.72 Gb Free Space | 58.07% Space Free | Partition Type: NTFS

Computer Name: D6KX9PB1 | User Name: Brenda Poland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:America Online 9.0
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{07D77970-B205-460C-84E4-263F30455597}" = Nokia Ovi Suite
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{12451AF7-EFF8-4B5B-8255-282D7CC7CAEE}" = OviMPlatform
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2CC53A53-44F4-4667-8584-2FFC9ACB2242}" = Ovi Desktop Sync Engine
"{2D99A593-C841-43A7-B7C9-D6F3AE70B756}" = Nokia Connectivity Cable Driver
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{566FE0E6-599E-4324-A733-613CC2A19ACA}" = Before You Know It 3.6
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel(R) PROSet for Wired Connections
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{94721EA3-7EA6-43EA-B99C-A5D0E3C66240}" = 924PLC32
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A8F7FCEF-3CA6-4CE9-8FEA-8BB18F8686F0}" = Nokia Ovi Suite Software Updater
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C373F7C4-05D2-4047-96D1-6AF30661C6AA}" = PC Connectivity Solution
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.12
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"BellSouth" = BellSouth FastAccess DSL Help Center
"BellSouth Application Management" = BellSouth Application Management
"blstoolbar" = BellSouth Toolbar 1.0
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"Dell Photo AIO Printer 924" = Dell Photo AIO Printer 924
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ERUNT_is1" = ERUNT 1.1j
"ESPNMotion" = ESPNMotion
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia Ovi Suite" = Nokia Ovi Suite
"PhotoShow Express" = PhotoShow Express
"PROSet" = Intel(R) PRO Network Connections Drivers
"QuickTime" = QuickTime
"RadialpointClientGateway_is1" = BellSouth Internet Security - Alert Manager 1.3.20
"RealFlightBasic" = RealFlight Basic R/C Simulator
"RealPlayer 6.0" = RealPlayer Basic
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TmPcc" = Trend Micro PC-cillin Internet Security 14
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/8/2012 10:54:10 AM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 1:29:12 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 1:59:05 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 2:13:04 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 2:15:52 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 8:59:38 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 9:01:34 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 9:54:16 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/8/2012 10:05:08 PM | Computer Name = D6KX9PB1 | Source = Media Center Scheduler | ID = 0
Description =

Error - 2/9/2012 9:42:47 AM | Computer Name = D6KX9PB1 | Source = COM+ | ID = 135761
Description = The run-time environment has detected an inconsistency in its internal
state. This indicates a potential instability in the process that could be caused
by the custom components running in the COM+ application, the components they make
use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184),
hr = 8007041d: InitEventCollector fail

[ System Events ]
Error - 2/10/2012 4:20:01 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/10/2012 4:20:01 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/10/2012 4:35:00 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/10/2012 4:35:00 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 2/10/2012 5:05:01 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 60 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/10/2012 5:05:01 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 60 minutes. NtpClient has no source of accurate
time.

Error - 2/10/2012 6:05:01 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 120 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/10/2012 6:05:01 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 120 minutes. NtpClient has no source of accurate
time.

Error - 2/10/2012 8:05:02 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 240 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/10/2012 8:05:02 PM | Computer Name = D6KX9PB1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 240 minutes. NtpClient has no source of accurate
time.


< End of report >

The scans did find more malware. I did not run any fixes.
Please let me know what the next step will be.

Many thanks,
Jess

ken545
2012-02-14, 18:40
Jess, most of what we are removing are infected entries for your hosts file.

I did not see the attached aswMBR log, you can just go ahead and copy and paste it in


Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:processes
killallprocesses

:OTL
[2012/02/09 18:28:08 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120210-093818.backup
[2012/02/09 09:57:51 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-122952.backup
[2012/02/09 12:29:52 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-152440.backup
[2012/02/09 09:57:51 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-122952.backup
[2012/02/09 08:47:09 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-095750.backup
[2012/02/08 21:30:33 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-084709.backup
[2012/02/08 21:10:13 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-213033.backup
[2012/02/08 19:09:22 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-211013.backup
[2012/02/08 13:30:20 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-190922.backup
[2012/02/08 09:37:50 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-133019.backup
[2012/02/07 19:53:01 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120208-093749.backup
[2012/02/06 18:38:34 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120207-195300.backup
[2012/02/06 17:15:05 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-183833.backup
[2012/02/06 16:04:30 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-171505.backup
[2012/02/06 14:51:15 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-160430.backup
[2012/02/06 12:14:23 | 000,442,655 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-145115.backup
[2012/02/06 10:42:46 | 000,442,655 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-121423.backup
[2012/02/04 16:58:55 | 000,442,655 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120206-104246.backup
[2012/01/22 09:45:11 | 000,441,692 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120130-220854.backup
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.


:Services

:Reg

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
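
As an added example (not part of ken545's instructions and not OTL's own code), the triage rules behind the fix above, applied to constructed OTL log lines modelled on the entries in this thread: hosts mappings that point somewhere other than loopback, an AutoRun command registered under MountPoints2 for a mounted drive, browser hooks whose CLSID or DLL no longer exists, and Run entries whose target file is missing. The 192.0.2.10 -> www.bing.com hosts line is invented (a TEST-NET-1 address) to show what a redirecting hosts entry looks like; the category names and rules are heuristics chosen for this example, not OTL's.

```python
"""Flag OTL log lines worth a second look. Added example; the rules are
heuristics chosen for this thread, not part of OTL or the helper's fix."""
import ipaddress
import re

# Constructed sample modelled on the OTL entries posted in this thread. The
# 192.0.2.10 -> www.bing.com line is invented (TEST-NET-1 address) to show
# what a hosts-file redirect looks like; the other lines mirror the log.
SAMPLE_OTL_LINES = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 192.0.2.10 www.bing.com
O2 - BHO: (Reg Error: Value error.) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe File not found
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
""".splitlines()

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
ORPHAN_MARKERS = ("No CLSID value found", "File not found", "Reg Error")


def hosts_entry_is_benign(address: str) -> bool:
    """Only loopback (127.0.0.0/8, ::1) and the unspecified address (0.0.0.0,
    the blackhole form used by ad-blocking hosts files) are treated as
    benign. Any other address silently sends the name to a real host, which
    is how hosts-file hijacks redirect searches and block AV update sites."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # unparsable address: treat as suspect
    return ip.is_loopback or ip.is_unspecified


def triage_otl(lines):
    """Return (category, line) pairs for lines matching a triage rule.
    Lines matching no rule are dropped; the categories are this example's
    own labels, not OTL's."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            address, _name = m.groups()
            if not hosts_entry_is_benign(address):
                findings.append(("hosts-redirect", line))
        elif line.startswith("O33 - MountPoints2") and r"\Shell\AutoRun\command" in line:
            # AutoRun handler for a mounted volume: runs a file from the
            # drive on double-click, a classic removable-media infection vector
            findings.append(("autorun-command", line))
        elif line.startswith(("O2 - BHO:", "O3 - ")) and any(mk in line for mk in ORPHAN_MARKERS):
            # browser hook whose COM class or DLL no longer exists
            findings.append(("orphaned-browser-hook", line))
        elif line.startswith("O4 - ") and line.endswith("File not found"):
            # autostart entry pointing at a file that is gone
            findings.append(("orphaned-startup", line))
    return findings


if __name__ == "__main__":
    for category, line in triage_otl(SAMPLE_OTL_LINES):
        print(f"[{category}] {line}")
```

Run against a real OTL log, the output is a shortlist to review by hand, not a removal list: a vendor's legitimately uninstalled toolbar leaves the same "No CLSID value found" residue as a rogue one, and an ad-blocking hosts file with thousands of 0.0.0.0 lines produces no findings at all.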

Jess Fixit
2012-02-14, 19:19
Sorry ken545, I thought I had attached the aswMBR log. Here is the log for your review while I remove the unwanted infected entries.

BTW, I found this unusual file in C:\Program Files\Dl_cats with an upload and userid and password with a link. Would you please take a look at it and let me know if it is legit. I've changed the folder name but it keeps changing back to the original.

I'll post my other two log results as soon as the program finishes.

As always, thanks so much,
Jess

ken545
2012-02-14, 19:31
Jess, still some malware present, I want to run Combofix as aswMBR found a bad entry but I want to wait to see the OTL logs from both the fix and the new scan.


FYI
Do you have a lexmark printer?

If so, both dl_cats and lx_cats are part of that. I think that they report ink and printer utilization and other stuff back to Lexmark.

Jess Fixit
2012-02-14, 20:15
ken545,
My machine was worse off than I thought.

I have a Dell printer, probably a re-branded Lexmark. Thanks for looking at that. Any way to get rid of it??

No problems running the fix or the new scan... making progress!!

Here is the log for the fix:
All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\WINDOWS\system32\drivers\etc\hosts.20120210-093818.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120209-122952.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120209-152440.backup moved successfully.
File C:\WINDOWS\System32\drivers\etc\hosts.20120209-122952.backup not found.
C:\WINDOWS\system32\drivers\etc\hosts.20120209-095750.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120209-084709.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120208-213033.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120208-211013.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120208-190922.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120208-133019.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120208-093749.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120207-195300.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120206-183833.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120206-171505.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120206-160430.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120206-145115.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120206-121423.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120206-104246.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120130-220854.backup moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
File E:\setup.exe not found.
Registry value HKEY_USERS\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Brenda Poland\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Brenda Poland\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Brenda Poland
->Temp folder emptied: 72750568 bytes
->Temporary Internet Files folder emptied: 52977253 bytes
->Java cache emptied: 9251626 bytes
->FireFox cache emptied: 56878256 bytes
->Flash cache emptied: 1718 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56502 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65938 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Poland Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 405 bytes

User: Randy Poland
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 152081 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65536 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 54721825 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 185972 bytes
RecycleBin emptied: 28438054 bytes

Total Files Cleaned = 263.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02142012_133304

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_204.dat not found!

Registry entries deleted on Reboot...



Here is the new OTL scan log:
OTL logfile created on: 2/14/2012 1:40:27 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Brenda Poland\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 324.07 Mb Available Physical Memory | 31.71% Memory free
30.20 Gb Paging File | 29.65 Gb Available in Paging File | 98.17% Paging File free
Paging file location(s): C:\pagefile.sys 30000 50000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.18 Gb Total Space | 83.98 Gb Free Space | 58.24% Space Free | Partition Type: NTFS

Computer Name: D6KX9PB1 | User Name: Brenda Poland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\dlcccoms.exe ( )
PRC - C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\Program Files\Trend Micro\Internet Security 14\PcSSE.dll ()
MOD - C:\Program Files\Trend Micro\Internet Security 14\tmdbg.dll ()
MOD - C:\WINDOWS\system32\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlccdrec.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccnv4.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (PcCtlCom) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (Tmntsrv) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
SRV - (tmproxy) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
SRV - (dlcc_device) -- C:\WINDOWS\System32\dlcccoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdnsuc) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)
DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)
DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (USB_RNDIS_XP) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search"

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2011/07/24 20:08:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/19 10:04:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/16 10:40:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2011/07/24 20:08:03 | 000,000,000 | ---D | M]

[2010/08/19 10:05:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Extensions
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\extensions
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/11/17 08:49:17 | 000,000,276 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\searchplugins\search.xml
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2012/02/14 13:33:07 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Reg Error: Value error.) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DLCCCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.DLL ()
O4 - HKLM..\Run: [dlccmon.exe] C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe File not found
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT1\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.0.cab (DLM Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87A9F30A-15CF-4635-8B39-9399F6194D80}: DhcpNameServer = 192.168.1.254 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) -C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/14 13:33:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/14 09:29:11 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe
[2012/02/13 13:30:17 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Brenda Poland\Desktop\aswMBR.exe
[2012/02/10 18:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\My Documents\Downloads
[2012/02/09 15:05:30 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/09 10:23:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/09 10:15:24 | 002,059,824 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Brenda Poland\Desktop\TDSSKiller.exe
[2012/02/09 10:14:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/09 10:14:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/09 10:14:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/09 10:14:56 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/09 10:12:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/09 08:59:55 | 004,399,011 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/08 19:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\Application Data\Malwarebytes
[2012/02/08 19:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/08 19:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/02/08 19:54:41 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/02/08 19:54:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/08 19:53:51 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brenda Poland\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/08 19:07:10 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/02/08 13:38:21 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\dds.scr
[2012/02/08 13:36:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/02/08 13:36:14 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT1
[2012/02/08 13:34:45 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Brenda Poland\Desktop\erunt-setup.exe
[2012/02/08 13:05:27 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brenda Poland\Recent
[2012/02/08 09:12:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/08 09:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/02/07 13:31:38 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2012/02/07 13:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01
[2012/01/23 08:18:04 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2006/08/28 22:19:24 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll
[2006/08/28 22:19:24 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccusb1.dll
[2006/08/28 22:19:24 | 000,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcchbn3.dll
[2006/08/28 22:19:24 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomc.dll
[2006/08/28 22:19:24 | 000,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpmui.dll
[2006/08/28 22:19:24 | 000,491,520 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccoms.exe
[2006/08/28 22:19:24 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcclmpm.dll
[2006/08/28 22:19:24 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomm.dll
[2006/08/28 22:19:24 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccih.exe
[2006/08/28 22:19:24 | 000,368,640 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccfg.exe
[2006/08/28 22:19:24 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccprox.dll
[2006/08/28 22:19:24 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpplc.dll
[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/14 13:35:13 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/14 13:35:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/14 13:35:04 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/14 13:33:07 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/02/14 13:02:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/14 10:01:58 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBR.dat
[2012/02/14 09:29:13 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe
[2012/02/13 21:53:00 | 000,024,030 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Application Data\wklnhst.dat
[2012/02/13 20:40:27 | 000,057,952 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange-del.GIF
[2012/02/13 14:15:36 | 000,058,184 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange.GIF
[2012/02/13 14:06:57 | 000,060,416 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/13 13:30:20 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Brenda Poland\Desktop\aswMBR.exe
[2012/02/13 13:16:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/10 09:38:18 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120214-132629.backup
[2012/02/09 21:18:09 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix3.wps
[2012/02/09 18:20:22 | 002,059,824 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Brenda Poland\Desktop\TDSSKiller.exe
[2012/02/09 18:18:50 | 002,041,278 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\tdsskiller.zip
[2012/02/09 17:56:58 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
[2012/02/09 15:49:35 | 000,014,848 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix2.wps
[2012/02/09 15:24:40 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-182808.backup
[2012/02/09 13:33:02 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix.wps
[2012/02/09 10:23:23 | 000,000,326 | RHS- | M] () -- C:\boot.ini
[2012/02/09 08:59:55 | 004,399,011 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/08 21:40:55 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\unhide.exe
[2012/02/08 20:51:04 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08-fix.wps
[2012/02/08 19:54:44 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/08 19:53:51 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brenda Poland\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/08 19:12:04 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\rkill.exe
[2012/02/08 19:03:32 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08.wps
[2012/02/08 13:38:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\dds.scr
[2012/02/08 13:36:40 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/08 13:36:16 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\ERUNT.lnk
[2012/02/08 13:35:19 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Brenda Poland\Desktop\erunt-setup.exe
[2012/02/07 15:51:32 | 000,043,876 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_15_51].cab
[2012/02/07 14:59:58 | 000,007,145 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_14_59].cab
[2012/02/07 14:49:43 | 001,339,719 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\rootalyz-0.3.4.47.zip
[2012/02/07 07:45:12 | 000,859,992 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01.zip
[2012/01/31 11:02:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/30 22:56:20 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\Silicone Space Station Guide.wps
[2012/01/30 22:08:55 | 000,441,842 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120204-165854.backup
[2012/01/25 20:31:40 | 000,000,848 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2012/01/23 08:18:04 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/14 10:01:58 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBR.dat
[2012/02/13 20:40:22 | 000,057,952 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange-del.GIF
[2012/02/13 14:15:27 | 000,058,184 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange.GIF
[2012/02/09 19:49:47 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix3.wps
[2012/02/09 18:18:39 | 002,041,278 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\tdsskiller.zip
[2012/02/09 17:56:57 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
[2012/02/09 13:59:50 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix2.wps
[2012/02/09 12:26:58 | 1071,796,224 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/09 10:23:21 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2012/02/09 10:23:08 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/09 10:14:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/09 10:14:56 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/09 10:14:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/09 10:14:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/09 10:14:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/09 08:58:05 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix.wps
[2012/02/08 21:40:52 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\unhide.exe
[2012/02/08 19:54:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/08 19:40:26 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08-fix.wps
[2012/02/08 19:11:58 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\rkill.exe
[2012/02/08 15:32:00 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08.wps
[2012/02/08 13:36:40 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/08 13:36:16 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\ERUNT.lnk
[2012/02/07 15:51:32 | 000,043,876 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_15_51].cab
[2012/02/07 14:59:58 | 000,007,145 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_14_59].cab
[2012/02/07 14:49:30 | 001,339,719 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\rootalyz-0.3.4.47.zip
[2012/02/07 07:45:07 | 000,859,992 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01.zip
[2010/08/10 15:59:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\housecall.guid.cache
[2010/03/10 10:47:47 | 000,000,186 | ---- | C] () -- C:\WINDOWS\RealFlight.INI
[2008/07/23 11:50:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/07/23 11:46:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/05/16 08:56:34 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/02/12 13:13:58 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/10 09:21:56 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/02/10 09:21:56 | 000,003,453 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/03/01 15:46:27 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/03/01 10:17:24 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2007/03/01 08:01:34 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2007/03/01 08:01:33 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2006/12/03 08:40:28 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/12/02 11:56:46 | 000,024,030 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Application Data\wklnhst.dat
[2006/09/04 14:54:48 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2006/09/04 14:21:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\fusioncache.dat
[2006/08/28 23:05:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/28 22:59:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/28 22:53:47 | 000,000,779 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/28 22:50:37 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/08/28 22:47:17 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/08/28 22:19:24 | 000,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2006/08/28 22:19:24 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2006/08/28 22:19:24 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2006/08/28 22:19:24 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2006/08/28 22:19:24 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2006/08/28 22:19:24 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2006/08/28 22:19:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2006/08/28 22:19:24 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2006/08/28 22:19:24 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2006/08/28 22:19:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2006/08/28 22:19:02 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/08/28 22:18:58 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/08/28 22:18:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 07:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 03:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 03:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 03:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 03:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 03:27:59 | 000,297,256 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 03:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 03:18:33 | 000,553,836 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 03:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 03:18:33 | 000,117,452 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 03:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 03:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 03:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 03:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 03:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 03:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 03:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 03:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 13:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 13:00:16 | 000,000,611 | ---- | C] () -- C:\WINDOWS\System32\dlccplc.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

< End of report >


Thanks for your help,
Jess

ken545
2012-02-14, 22:22
Jess,

Those files are related to this printer, Dell Photo AIO Printer 924; they're not harmful, so just leave them be.


You had so many back up entries for the hosts file that I may have missed these

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:processes
killallprocesses


:OTL
[2012/02/10 09:38:18 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120214-132629.backup
[2012/02/09 15:24:40 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-182808.backup


:Services

:Reg

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[CLEARALLRESTOREPOINTS]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
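
To pick every hosts-file backup out of an OTL log (the entries ken545 says are easy to miss) and turn them into the :OTL block used in the fix above, here is an added Python example; it is not part of OTL or of this thread, and the regex and the sample log lines are my own, built from the entry format OTL printed on this page.

```python
"""Find hosts.*.backup entries in an OTL log and emit an :OTL fix block.

Added example for this thread, not OTL's own code. It parses the entry
format shown in the logs above:
    [date time | size | attrs | C/M] (company) -- path
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file/folder entry. Folder entries have no "(company)" part, and
# some O32 lines carry a trailing "-- [ NTFS ]" tag; both are tolerated.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)(?: -- \[ NTFS \])?\s*$"
)

# ...\drivers\etc\hosts.<anything>.backup, case-insensitive like NTFS paths
HOSTS_BACKUP_RE = re.compile(r"\\drivers\\etc\\hosts\.[^\\]+\.backup$", re.IGNORECASE)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int      # bytes, OTL's thousands separators removed
    attrs: str     # e.g. "R---", "-HS-", "---D"
    kind: str      # "C" = created-list entry, "M" = modified-list entry
    company: str   # "" when OTL printed "()" / "( )" or omitted it (folders)
    path: str
    raw: str       # original line; OTL accepts it verbatim in an :OTL section


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file entry; None for section headers, blanks, other lines."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
        raw=line.rstrip(),
    )


def parse_log(text: str) -> List[OtlEntry]:
    """Parse every file entry in an OTL log, skipping headers and blank lines."""
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            entries.append(e)
    return entries


def hosts_backups(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Return the hosts.*.backup files under drivers\\etc, newest first."""
    hits = [e for e in entries if HOSTS_BACKUP_RE.search(e.path)]
    return sorted(hits, key=lambda e: e.timestamp, reverse=True)


def build_otl_fix(backups: List[OtlEntry]) -> str:
    """Build the :OTL section of a fix from the matched entries.

    The log lines are reused verbatim, exactly as ken545's fix does; the
    live hosts file itself is handled by [resethosts] under :Commands.
    """
    return "\n".join([":OTL"] + [e.raw for e in backups]) + "\n"


# Constructed sample log in the format OTL printed in this thread.
SAMPLE_LOG = r"""========== Files - Modified Within 30 Days ==========

[2012/02/14 13:33:07 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/02/10 09:38:18 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120214-132629.backup
[2012/02/09 15:24:40 | 000,442,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120209-182808.backup
[2012/02/09 08:59:55 | 004,399,011 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/09 10:23:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
"""

if __name__ == "__main__":
    print(build_otl_fix(hosts_backups(parse_log(SAMPLE_LOG))), end="")
```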

Jess Fixit
2012-02-15, 01:43
ken545,

Thank you for being so thorough.

Here is the log from the OTL fix:

All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\WINDOWS\system32\drivers\etc\hosts.20120214-132629.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20120209-182808.backup moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Brenda Poland\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Brenda Poland\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore points cleared and new OTL Restore Point set!

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Brenda Poland
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 327974 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 29772347 bytes
->Flash cache emptied: 291 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Poland Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Randy Poland
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 29.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02142012_185913

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_62c.dat not found!

Registry entries deleted on Reboot...


Here is the log from the new OTL scan:

OTL logfile created on: 2/14/2012 7:04:56 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Brenda Poland\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 323.80 Mb Available Physical Memory | 31.68% Memory free
30.20 Gb Paging File | 29.65 Gb Available in Paging File | 98.18% Paging File free
Paging file location(s): C:\pagefile.sys 30000 50000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.18 Gb Total Space | 84.04 Gb Free Space | 58.29% Space Free | Partition Type: NTFS

Computer Name: D6KX9PB1 | User Name: Brenda Poland | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\dlcccoms.exe ( )
PRC - C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
PRC - C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\Program Files\Trend Micro\Internet Security 14\PcSSE.dll ()
MOD - C:\Program Files\Trend Micro\Internet Security 14\tmdbg.dll ()
MOD - C:\WINDOWS\system32\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlccdrec.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccnv4.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (PcCtlCom) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (Tmntsrv) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
SRV - (tmproxy) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
SRV - (dlcc_device) -- C:\WINDOWS\System32\dlcccoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdnsuc) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)
DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)
DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (USB_RNDIS_XP) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Search"

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\ [2011/07/24 20:08:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/19 10:04:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/16 10:40:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}: C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension\ [2011/07/24 20:08:03 | 000,000,000 | ---D | M]

[2010/08/19 10:05:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Extensions
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\extensions
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/11/17 08:49:17 | 000,000,276 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\searchplugins\search.xml
[2010/08/19 10:05:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2012/02/14 18:59:16 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Reg Error: Value error.) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DLCCCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.DLL ()
O4 - HKLM..\Run: [dlccmon.exe] C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe File not found
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT1\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.0.cab (DLM Control)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) -C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/14 13:33:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/14 09:29:11 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe
[2012/02/13 13:30:17 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Brenda Poland\Desktop\aswMBR.exe
[2012/02/10 18:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\My Documents\Downloads
[2012/02/09 15:05:30 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/09 10:23:04 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/09 10:15:24 | 002,059,824 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Brenda Poland\Desktop\TDSSKiller.exe
[2012/02/09 10:14:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/09 10:14:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/09 10:14:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/09 10:14:56 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/09 10:12:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/09 08:59:55 | 004,399,011 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/08 19:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\Application Data\Malwarebytes
[2012/02/08 19:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/02/08 19:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/02/08 19:54:41 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/02/08 19:54:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/02/08 19:53:51 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brenda Poland\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/08 19:07:10 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/02/08 13:38:21 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\dds.scr
[2012/02/08 13:36:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/02/08 13:36:14 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT1
[2012/02/08 13:34:45 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Brenda Poland\Desktop\erunt-setup.exe
[2012/02/08 13:05:27 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brenda Poland\Recent
[2012/02/08 09:12:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/08 09:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/02/07 13:31:38 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2012/02/07 13:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01
[2012/01/23 08:18:04 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2006/08/28 22:19:24 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll
[2006/08/28 22:19:24 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccusb1.dll
[2006/08/28 22:19:24 | 000,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcchbn3.dll
[2006/08/28 22:19:24 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomc.dll
[2006/08/28 22:19:24 | 000,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpmui.dll
[2006/08/28 22:19:24 | 000,491,520 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccoms.exe
[2006/08/28 22:19:24 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcclmpm.dll
[2006/08/28 22:19:24 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomm.dll
[2006/08/28 22:19:24 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccih.exe
[2006/08/28 22:19:24 | 000,368,640 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccfg.exe
[2006/08/28 22:19:24 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccprox.dll
[2006/08/28 22:19:24 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpplc.dll
[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/14 19:02:11 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/14 19:01:23 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/14 19:01:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/14 19:01:14 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/14 18:59:16 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/02/14 10:01:58 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBR.dat
[2012/02/14 09:29:13 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brenda Poland\Desktop\OTL.exe
[2012/02/13 21:53:00 | 000,024,030 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Application Data\wklnhst.dat
[2012/02/13 20:40:27 | 000,057,952 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange-del.GIF
[2012/02/13 14:15:36 | 000,058,184 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange.GIF
[2012/02/13 14:06:57 | 000,060,416 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/13 13:30:20 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Brenda Poland\Desktop\aswMBR.exe
[2012/02/13 13:16:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/09 21:18:09 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix3.wps
[2012/02/09 18:20:22 | 002,059,824 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Brenda Poland\Desktop\TDSSKiller.exe
[2012/02/09 18:18:50 | 002,041,278 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\tdsskiller.zip
[2012/02/09 17:56:58 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
[2012/02/09 15:49:35 | 000,014,848 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix2.wps
[2012/02/09 13:33:02 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix.wps
[2012/02/09 10:23:23 | 000,000,326 | RHS- | M] () -- C:\boot.ini
[2012/02/09 08:59:55 | 004,399,011 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\ComboFix.exe
[2012/02/08 21:40:55 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\unhide.exe
[2012/02/08 20:51:04 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08-fix.wps
[2012/02/08 19:54:44 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/08 19:53:51 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Brenda Poland\Desktop\mbam-setup-1.60.1.1000.exe
[2012/02/08 19:12:04 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\rkill.exe
[2012/02/08 19:03:32 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08.wps
[2012/02/08 13:38:24 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda Poland\Desktop\dds.scr
[2012/02/08 13:36:40 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/08 13:36:16 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\ERUNT.lnk
[2012/02/08 13:35:19 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Brenda Poland\Desktop\erunt-setup.exe
[2012/02/07 15:51:32 | 000,043,876 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_15_51].cab
[2012/02/07 14:59:58 | 000,007,145 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_14_59].cab
[2012/02/07 14:49:43 | 001,339,719 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\rootalyz-0.3.4.47.zip
[2012/02/07 07:45:12 | 000,859,992 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01.zip
[2012/01/31 11:02:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/30 22:56:20 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Brenda Poland\Desktop\Silicone Space Station Guide.wps
[2012/01/30 22:08:55 | 000,441,842 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120204-165854.backup
[2012/01/25 20:31:40 | 000,000,848 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2012/01/23 08:18:04 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/14 10:01:58 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBR.dat
[2012/02/13 20:40:22 | 000,057,952 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange-del.GIF
[2012/02/13 14:15:27 | 000,058,184 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\DiskMange.GIF
[2012/02/09 19:49:47 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix3.wps
[2012/02/09 18:18:39 | 002,041,278 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\tdsskiller.zip
[2012/02/09 17:56:57 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
[2012/02/09 13:59:50 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix2.wps
[2012/02/09 12:26:58 | 1071,796,224 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/09 10:23:21 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2012/02/09 10:23:08 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/09 10:14:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/09 10:14:56 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/09 10:14:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/09 10:14:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/09 10:14:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/09 08:58:05 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-09-fix.wps
[2012/02/08 21:40:52 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\unhide.exe
[2012/02/08 19:54:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/08 19:40:26 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08-fix.wps
[2012/02/08 19:11:58 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\rkill.exe
[2012/02/08 15:32:00 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\spybot-forum-post 2012-02-08.wps
[2012/02/08 13:36:40 | 000,000,774 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/02/08 13:36:16 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\ERUNT.lnk
[2012/02/07 15:51:32 | 000,043,876 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_15_51].cab
[2012/02/07 14:59:58 | 000,007,145 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\requested-files[2012-02-07_14_59].cab
[2012/02/07 14:49:30 | 001,339,719 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\rootalyz-0.3.4.47.zip
[2012/02/07 07:45:07 | 000,859,992 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Desktop\snlTCNTplugins01.zip
[2010/08/10 15:59:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\housecall.guid.cache
[2010/03/10 10:47:47 | 000,000,186 | ---- | C] () -- C:\WINDOWS\RealFlight.INI
[2008/07/23 11:50:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/07/23 11:46:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/05/16 08:56:34 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/02/12 13:13:58 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/10 09:21:56 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/02/10 09:21:56 | 000,003,453 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/03/01 15:46:27 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/03/01 10:17:24 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2007/03/01 08:01:34 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2007/03/01 08:01:33 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2006/12/03 08:40:28 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/12/02 11:56:46 | 000,024,030 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Application Data\wklnhst.dat
[2006/09/04 14:54:48 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2006/09/04 14:21:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Brenda Poland\Local Settings\Application Data\fusioncache.dat
[2006/08/28 23:05:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/28 22:59:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/28 22:53:47 | 000,000,779 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/28 22:50:37 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/08/28 22:47:17 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/08/28 22:19:24 | 000,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2006/08/28 22:19:24 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2006/08/28 22:19:24 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2006/08/28 22:19:24 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2006/08/28 22:19:24 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2006/08/28 22:19:24 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2006/08/28 22:19:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2006/08/28 22:19:24 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2006/08/28 22:19:24 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2006/08/28 22:19:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2006/08/28 22:19:02 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/08/28 22:18:58 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/08/28 22:18:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 07:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 03:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 03:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 03:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 03:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 03:27:59 | 000,297,256 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 03:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 03:18:33 | 000,553,836 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 03:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 03:18:33 | 000,117,452 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 03:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 03:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 03:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 03:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 03:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 03:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 03:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 03:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 13:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/02 13:00:16 | 000,000,611 | ---- | C] () -- C:\WINDOWS\System32\dlccplc.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

< End of report >

The OTL program seems to be comprehensive and powerful in the right hands.... and dangerous in the (uneducated) wrong hands.

Gratefully, one who is unknowing.
Jess
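A report like the one above is long, and the helper reads it mostly by eye. As an added example (not part of this thread, of OTL, or of the helper's procedure), here is a small Python parser for OTL's file-entry lines that flags two things a reviewer looks for first: hidden+system files outside the well-known Windows ones, and recently created executables under C:\WINDOWS with no company name. The sample lines are copied from the report above; the allowlist, the 30-day window and the assumed report time are this example's own assumptions.

```python
"""Triage helper for OTL file-entry lines (added example; not OTL's own code).
OTL prints files as  [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
with attrs holding R/H/S/D or '-' in four positions and C/M marking whether the
timestamp is creation or modification time.  The flagging rules are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Windows files that legitimately carry hidden+system attributes (assumed allowlist).
KNOWN_HS_FILES = {"hiberfil.sys", "pagefile.sys", "boot.ini"}


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str      # e.g. "-HS-", "RHSD", "----"
    kind: str       # "C" created / "M" modified
    company: str    # "" when OTL printed () or ( )
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL file line, or None for headers and placeholders."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
    )


def triage(lines: Iterable[str], report_time: datetime,
           window_days: int = 30) -> List[Tuple[Entry, List[str]]]:
    """Flag files that deserve a second look; reasons are triage cues, not verdicts."""
    cutoff = report_time - timedelta(days=window_days)
    flagged = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e.is_dir:
            continue
        reasons = []
        if e.hidden_system and e.name.lower() not in KNOWN_HS_FILES:
            reasons.append("hidden+system attributes")
        if (e.path.lower().startswith("c:\\windows\\") and not e.company
                and e.name.lower().endswith(EXEC_SUFFIXES) and e.timestamp >= cutoff):
            reasons.append("recent executable under C:\\WINDOWS with no company name")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Lines copied from the OTL report in this thread; the *.tmp line is OTL's own
# placeholder and parses to None.  REPORT_TIME is assumed from the newest entries.
SAMPLE_LINES = [
    r"[2012/02/09 10:23:04 | 000,000,000 | RHSD | C] -- C:\cmdcons",
    r"[2012/02/08 19:54:41 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys",
    r"[2012/02/09 10:14:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe",
    r"[2012/02/14 19:01:14 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2012/01/25 20:31:40 | 000,000,848 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys",
    r"[2006/08/28 22:19:24 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll",
    r"[1 C:\Documents and Settings\Brenda Poland\*.tmp files -> C:\Documents and Settings\Brenda Poland\*.tmp -> ]",
]
REPORT_TIME = datetime(2012, 2, 14, 19, 5)


def flagged_paths(lines: Iterable[str] = SAMPLE_LINES) -> List[str]:
    return [e.path for e, _ in triage(lines, REPORT_TIME)]


if __name__ == "__main__":
    # PEV.exe trips the rule too: it shares its timestamp with the ComboFix helper
    # tools in the report, so every flag still needs a check against known tooling.
    for e, reasons in triage(SAMPLE_LINES, REPORT_TIME):
        print(f"{e.path}: {'; '.join(reasons)}")
```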

ken545
2012-02-15, 01:49
Missed this one, it has to go.

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses


:OTL
[2012/01/30 22:08:55 | 000,441,842 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120204-165854.backup

:Services

:Reg

:Files
ipconfig /flushdns /c





:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces



Just post the log it produced, we will run another OTL scan after we run Combofix


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished, restart your computer to restore the connection.

Jess Fixit
2012-02-15, 02:58
ken545,

:D: :D: :D: :D:
Everything seems to have completed successfully.
I have attached the logs from the OTL-fix and the ComboFix.

I did re-enable all my anti-virus, anti-malware and firewall. Please let me know if I need to disable again.

I'm ready for the next step......

Much thanks,
Jess


ComboFix 12-02-13.01 - Brenda Poland 02/14/2012 20:27:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.496 [GMT -5:00]
Running from: c:\documents and settings\Brenda Poland\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brenda Poland\fsmprint3.0.tmp
c:\documents and settings\Brenda Poland\PNPrint3.exe
c:\program files\INSTALL.LOG
c:\windows\kb913800.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
.
.
2012-02-14 18:33 . 2012-02-14 18:33 -------- d-----w- C:\_OTL
2012-02-09 00:55 . 2012-02-09 00:55 -------- d-----w- c:\documents and settings\Brenda Poland\Application Data\Malwarebytes
2012-02-09 00:54 . 2012-02-09 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-09 00:54 . 2012-02-09 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-09 00:54 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-08 18:10 . 2012-02-08 18:10 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-08 14:09 . 2012-02-08 18:02 -------- d-----w- c:\program files\ERUNT
2012-02-07 18:31 . 2012-02-07 18:32 -------- d-----w- c:\program files\Safer Networking
2012-01-23 13:18 . 2012-01-23 13:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2005-08-16 08:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-08-16 08:18 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2005-08-16 08:18 60416 ----a-w- c:\windows\system32\packager.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-20 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 110592]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-29 98304]
.
c:\documents and settings\Brenda Poland\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT1\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/8/2012 7:54 PM 652360]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/16/2006 1:27 PM 36368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/8/2012 7:54 PM 20464]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/9/2006 3:03 PM 280392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 10:06 AM 135664]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [12/15/2006 6:08 PM 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/9/2006 3:03 PM 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/9/2006 3:04 PM 566872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 10:06 AM 135664]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [7/24/2011 8:07 PM 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [7/24/2011 8:07 PM 8576]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:06]
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page =
mStart Page =
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brenda Poland\Application Data\Mozilla\Firefox\Profiles\jcs6xakz.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 20:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-14 20:38:59
ComboFix-quarantined-files.txt 2012-02-15 01:38
.
Pre-Run: 90,234,601,472 bytes free
Post-Run: 90,177,961,984 bytes free
.
- - End Of File - - A8CD8C4720C425CD35109766AA47E95E

ken545
2012-02-15, 10:02
Looking good, we're almost home.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Jess Fixit
2012-02-16, 00:33
ken545,
Looks like there is still something lingering somewhere....

Here is the log from the latest ESET scan:

C:\Program Files\blstoolbar\blstoolbar.dll probably a variant of Win32/Adware.BHO.MegaSearch application


Thank you,
Jess

ken545
2012-02-16, 00:48
http://www.threatexpert.com/files/blstoolbar.dll.html

Looks like it's ok

I think we're done here unless you feel you still have issues

Jess Fixit
2012-02-16, 14:40
ken545,

I do have one issue and a few questions, if you could help, please?


Should I uninstall ESET? My machine seems to be running slower with this installed.
Can I delete C:\Program Files\blstoolbar\blstoolbar.dll even if it is not deemed a threat?
Which of the download programs should I keep and which ones should I delete?
How can I completely delete temporary files like in the OTL program? The user interface programs will not accomplish the same results.
You had offered to give me some tips and links to free programs to install that can help you keep your system more secure. I would sure appreciate that so this doesn't happen again.
I thought my machine was protected. Any information will be read and implemented.


I really appreciated your help and incredible knowledge.
Thank you so so much!!
Jess

Jess Fixit
2012-02-16, 17:38
ken545,

I don't know what to do in this situation....
I enabled Tea Timer and it came up with a change

"NoDriveTypeAutoRun"
old data hex:91,00,00,00
new data 323

I had the same change come up when the malware started.

What should I do?? :confused:

Thanks,
Jess

ken545
2012-02-16, 18:31
Jess,

See if this is in your Add Remove Programs and uninstall it if you wish.

C:\Program Files\blstoolbar



Spybot is a great program, but I have not been a big fan of the TeaTimer; I would disable it

I believe this is related to your CD Rom drive and this is the entry you want to keep
"NoDriveTypeAutoRun"
old data hex:91,00,00,00


You can uninstall ESET, we don't need it anymore.


Follow these instructions, any programs that we used that are not removed you can just drag to the trash.


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png



Open OTL and click on Clean Up and it will remove programs we used to clean your system along with their backups



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken
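The NoDriveTypeAutoRun value that TeaTimer flagged is a bitmask in which each set bit disables AutoRun for one drive type, so the two values in the posts above can be decoded rather than guessed at. The following decoder is an added example, not code from the thread or from Spybot; the bit assignments follow the Windows DRIVE_* constants, the sample inputs are the thread's own "hex:91,00,00,00" and "323" (assumed to be decimal, as TeaTimer printed it), and 0xFF is Microsoft's documented setting for disabling AutoRun on every drive type.

```python
# Decode NoDriveTypeAutoRun (HKCU/HKLM\...\Policies\Explorer) registry values.
# A SET bit DISABLES AutoRun for that drive type; bit positions match the
# DRIVE_* constants returned by the Win32 GetDriveType() call.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, floppies
    0x08: "DRIVE_FIXED",       # internal hard disks
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # undefined drive type, disabled by default
}

# Documented "disable AutoRun everywhere" value (Microsoft KB967715).
RECOMMENDED = 0xFF


def parse_reg_value(text):
    """Parse the value formats registry monitors and .reg exports print:
    'hex:91,00,00,00' (little-endian bytes), 'dword:00000091', '0x91',
    or a plain decimal string such as '323'."""
    text = text.strip().lower()
    if text.startswith("hex:"):
        raw = bytes(int(b, 16) for b in text[4:].split(",") if b)
        return int.from_bytes(raw, "little")
    if text.startswith("dword:"):
        return int(text[6:], 16)
    if text.startswith("0x"):
        return int(text, 16)
    return int(text, 10)


def autorun_disabled_for(value):
    """Drive types whose AutoRun this bitmask disables (unknown bits ignored)."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def autorun_reenabled(old, new):
    """Drive types that were protected under `old` but are exposed under `new`.
    A non-empty result is the change a defender should refuse."""
    return autorun_disabled_for(old) - autorun_disabled_for(new)


def is_fully_hardened(value):
    """True when every defined drive type has AutoRun disabled."""
    return (value & 0xFF) == RECOMMENDED


if __name__ == "__main__":
    old = parse_reg_value("hex:91,00,00,00")   # value TeaTimer showed as "old data"
    new = parse_reg_value("323")               # value TeaTimer showed as "new data"
    print("old disables:", sorted(autorun_disabled_for(old)))
    print("new disables:", sorted(autorun_disabled_for(new)))
    print("re-enabled by the change:", sorted(autorun_reenabled(old, new)))
    print("fully hardened (0xFF)?", is_fully_hardened(old), is_fully_hardened(new))
```

Decoding shows why keeping the old value is the right call: 0x91 protects unknown, network and reserved drive types, and the new value drops two of those protections.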

Jess Fixit
2012-02-18, 01:36
Ken,
Just wanted to give you an update on my machine.... It has been behaving itself. Yeah!! I can't thank you enough for your assistance. I thought I was dead in the water.
I've been using FireFox as you suggested. System seems to be running faster than before. (Like the available FF add-ons, still researching more.)
I have also been reading your suggested links, lots of good info! I've been in the process of implementing more security. Definitely will not let this happen again if I can help it.
I am a big fan and supporter of this forum. Will pass along the word to all others about the awesome forum, the great support by generous volunteers and the incredible information available.

forever grateful,
Jess Fixit

ken545
2012-02-18, 02:05
Thank you Jess,

This is totally up to you but the Pro Version of Malwarebytes has a protection module, if you should wander into a bad site by accident you will get a page not found and a pop up from Malwarebytes that it blocked a potentially malicious site, the cost is minimal, I have this on all my systems.

Well, it's been a long hard ride, glad things are running well for you again,

Take care my friend,

Ken :)

Jess Fixit
2012-02-18, 15:54
Ken,
Could not have completed the journey without you. I've learned so much and will continue to keep my machine up to date with the correct tools.
I had decided to purchase the Pro version of Malwarebytes. I'm glad to know you also recommend it. I also decided to keep OTL. I found a tutorial and a "donate" for OldTimer. (Having a programming background, I think I can figure it out.) I'm all for learning new things and supporting organizations willing to make the web a safer place.
Is there an FF add-on similar to Tea Timer functions you would recommend? I'm liking FF more and more. Thanks for suggesting it.

Cheers,
Jess

ken545
2012-02-18, 17:08
The Protection Mod on Malwarebytes will work no matter what browser you use, I have been liking Chrome lately but FF is still my first love

ken545
2012-02-21, 22:48
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.