So impressed, I had to use it on my 2nd computer! Adobe Flash help?



kidkrops
2012-09-19, 08:11
Hey Guys! I was so impressed with the help I received cleaning my primary computer, and with how fast and smoothly it runs, that I had to get help on my secondary computer! ;)


Compared to my other computer, this one seems to run a bit slower and doesn't operate as smoothly, even though it's better and faster than my other one. Every time I open IE I get a "run Adobe Flash download" pop-up on top of the tab. I ran a Spybot search and it found like 68 infections; when I cleaned it, it couldn't remove 4 of them..

Anyway, here are the requested logs:




DDS log



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Joe at 1:29:31 on 2012-09-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2178 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
BHO: Vid-Saver: {11111111-1111-1111-1111-110011341191} - c:\program files\vid-saver\Vid-Saver.dll
BHO: Incredibar.com Helper Object: {6e13dde1-2b6e-46ce-8b66-dc8bf36f6b99} - c:\program files\incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: Incredibar Toolbar: {f9639e4a-801b-4843-aee3-03d9da199e77} - c:\program files\incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [uTorrent] "c:\documents and settings\joe.trade2win\desktop\utorrent downloads\uTorrent.exe" /MINIMIZED
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\joe.trade2win\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [SpybotDeletingB2137] command.com /c del "c:\program files\yontoo\YontooIEClient.dll"
uRunOnce: [SpybotDeletingD5728] cmd.exe /c del "c:\program files\yontoo\YontooIEClient.dll"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [SpybotDeletingA332] command.com /c del "c:\program files\yontoo\YontooIEClient.dll"
mRunOnce: [SpybotDeletingC7709] cmd.exe /c del "c:\program files\yontoo\YontooIEClient.dll"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167648530484
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://scottrade.webex.com/client/T27LD/nbr/ieatgpc.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{3A7AD81D-B8B9-488A-BFFE-A71F7AF2EE21} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CB5DC14C-7B25-4BF7-8AB3-473A441D6398} : DhcpNameServer = 167.206.251.129 167.206.251.130
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.3xe" exec /i "c:\combofix\regt.3xe" /s "c:\combofix\cregb.dat" --> c:\combofix\pev.3XE [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 250568]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2007-1-1 103040]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-18 05:05:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-18 05:05:42 -------- d-----w- c:\documents and settings\all users.windows\application data\Spybot - Search & Destroy
2012-09-18 04:39:53 -------- d-----w- c:\windows\1CF65E1864634D28A4767DA10FBCE816.TMP
2012-09-12 14:10:05 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-12 14:10:02 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-10 17:11:42 -------- d-sha-r- C:\cmdcons
2012-09-10 17:10:35 98816 ----a-w- c:\windows\sed.exe
2012-09-10 17:10:35 518144 ----a-w- c:\windows\SWREG.exe
2012-09-10 17:10:35 256000 ----a-w- c:\windows\PEV.exe
2012-09-10 17:10:35 208896 ----a-w- c:\windows\MBR.exe
2012-09-10 17:10:31 -------- d-----w- C:\ComboFix
2012-09-10 08:02:28 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-09-10 08:02:28 632656 ----a-w- c:\windows\system32\msvcr80.dll
2012-09-10 08:02:28 554832 ----a-w- c:\windows\system32\msvcp80.dll
2012-09-10 08:02:28 479232 ----a-w- c:\windows\system32\msvcm80.dll
2012-09-10 08:02:28 421200 ----a-w- c:\windows\system32\msvcp100.dll
.
==================== Find3M ====================
.
2012-09-12 14:09:51 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-12 14:09:51 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-11 01:13:57 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-11 01:13:57 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 1:29:56.84 ===============


aswMBR report
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-18 02:04:01
-----------------------------
02:04:01.437 OS Version: Windows 5.1.2600 Service Pack 3
02:04:01.437 Number of processors: 4 586 0xF0B
02:04:01.437 ComputerName: TRADE2WIN UserName: Joe
02:04:02.031 Initialize success
02:05:34.968 AVAST engine defs: 12091400
02:06:03.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
02:06:03.000 Disk 0 Vendor: ST3160815AS 3.AAC Size: 152627MB BusType: 3
02:06:03.031 Disk 0 MBR read successfully
02:06:03.031 Disk 0 MBR scan
02:06:03.062 Disk 0 Windows XP default MBR code
02:06:03.062 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 10189 MB offset 63
02:06:03.078 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142437 MB offset 20868435
02:06:03.078 Disk 0 scanning sectors +312579760
02:06:03.140 Disk 0 scanning C:\WINDOWS\system32\drivers
02:06:10.250 Service scanning
02:06:20.109 Modules scanning
02:06:23.453 Disk 0 trace - called modules:
02:06:23.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
02:06:23.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af58558]
02:06:23.484 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000005d[0x8af34f18]
02:06:23.484 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-5[0x8af32940]
02:06:23.781 AVAST engine scan C:\WINDOWS
02:06:36.750 AVAST engine scan C:\WINDOWS\system32
02:08:38.921 AVAST engine scan C:\WINDOWS\system32\drivers
02:08:49.546 AVAST engine scan C:\Documents and Settings\Joe.TRADE2WIN
02:11:09.140 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
02:11:18.265 Scan finished successfully
02:11:25.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\MBR.dat"
02:11:25.359 The log file has been saved successfully to "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\aswMBR.txt"
02:12:46.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\MBR.dat"
02:12:46.187 The log file has been saved successfully to "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\newaswMBR.txt"





Thanks for the help !

:bigthumb::crowned::oreo::devil:heeeeeeeeeeelp!:funny:

ken545
2012-09-25, 23:22
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


You have an awful lot of bogus toolbars installed. You get those from downloading programs and not reading what you're installing, just accepting all the defaults.


uTorrent <-- You have this installed. The program itself is safe, but you're downloading files from an unknown source, and most contain malware of some sort; it's like playing Russian roulette, malware-wise. If you still want help then uninstall it and post a new DDS log please. If you want to keep it, then let me know and this thread will be closed, as it does not make any sense to help you clean your computer and then have you just reinfect yourself again.

kidkrops
2012-09-26, 07:23
Hm, makes sense, as this was a computer that was used by a younger family member. How do I uninstall uTorrent? Can you please advise?


Also, would it make sense to just reinstall Windows?

ken545
2012-09-26, 10:04
Hi,

You can follow this path and just delete this folder; looks like it's on your desktop:
c:\documents and settings\joe.trade2win\desktop\utorrent downloads

As far as reinstalling Windows, sometimes with the malware being as crazy as it's become it's a good option, but this is your call. Do you have your Windows CD?

We can run a few scans and see where you're at and determine if you're seriously infected or if you're just burdened down with some garbage.



Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please







OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
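Reading the two log formats requested in this thread by hand is error-prone, so here is a small triage script, added to this page as an editorial example (it is not part of the thread and not a DDS or OTL tool). It parses the BHO:/TB: lines of a DDS Pseudo HJT Report and the O2/O3 lines of an OTL log and sorts each browser add-on into three buckets: orphan (the registry entry remains but the log reports No File, File not found or No CLSID value found, as happened to the Yontoo and Incredibar entries once Spybot's RunOnce delete commands had run), trusted (OTL printed a publisher that is on a small allow-list; that allow-list is an assumption of this example, and a real triage would verify the file's Authenticode signature rather than trust a printed company name), or review (everything else, which is where the Vid-Saver and Incredibar toolbars land). The sample lines are copied from the logs in this thread; the regular expressions and the verdict names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and the
# OTL O2/O3 sections posted in this thread, plus one unrelated line.
SAMPLE_LOG = r"""
uStart Page = hxxp://google.com/
BHO: Vid-Saver: {11111111-1111-1111-1111-110011341191} - c:\program files\vid-saver\Vid-Saver.dll
TB: Incredibar Toolbar: {f9639e4a-801b-4843-aee3-03d9da199e77} - c:\program files\incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll File not found
"""

# Assumed allow-list for this example: publishers whose add-ons we accept
# without review. A real triage would verify the Authenticode signature.
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Oracle Corporation"}

# Strings DDS/OTL print when the registry entry points at nothing on disk.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "No File")

# DDS:  BHO: <name>: {CLSID} - <path>      /  TB: {CLSID} - No File
DDS_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# OTL:  O2 - BHO: (<name>) - {CLSID} - <path> (<publisher>)  /  O3 - ...\Toolbar: (...)
OTL_RE = re.compile(
    r"^(?P<kind>O[23] - [^(]*?): \((?P<name>.*?)\) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)


@dataclass
class Entry:
    kind: str                 # "BHO" (browser helper object) or "TB" (toolbar)
    name: str
    clsid: str
    path: Optional[str]       # on-disk path the registry entry points at, if any
    publisher: Optional[str]  # company name OTL prints after the path, if any
    verdict: str              # "orphan", "trusted" or "review"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS (BHO:/TB:) or OTL (O2/O3) line; other lines give None."""
    line = line.rstrip()
    m = DDS_RE.match(line) or OTL_RE.match(line)
    if not m:
        return None
    kind = "BHO" if "BHO" in m.group("kind") else "TB"
    name = m.group("name") or "no name"
    clsid = m.group("clsid")
    target = m.group("target").strip()

    # Orphaned entry: the registration survived but the DLL (or the CLSID it
    # refers to) is gone, typically after a removal tool deleted the file.
    for marker in ORPHAN_MARKERS:
        if marker in target:
            leftover = target.replace(marker, "").strip(" .") or None
            return Entry(kind, name, clsid, leftover, None, "orphan")

    # OTL appends the file's company name in parentheses; DDS does not, so
    # DDS entries can never be auto-trusted here.
    publisher: Optional[str] = None
    pm = re.search(r"\s\(([^()]*)\)$", target)
    if pm:
        publisher = pm.group(1).strip() or None
        target = target[: pm.start()]
    verdict = "trusted" if publisher in TRUSTED_PUBLISHERS else "review"
    return Entry(kind, name, clsid, target, publisher, verdict)


def triage(log_text: str) -> List[Entry]:
    """Return every BHO/toolbar entry found in a DDS or OTL log, in order."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per verdict, e.g. {'orphan': 4, 'review': 2, 'trusted': 2}."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


def report(entries: List[Entry]) -> str:
    """Human-readable triage, worst first: review, then orphan, then trusted."""
    order = {"review": 0, "orphan": 1, "trusted": 2}
    lines = []
    for e in sorted(entries, key=lambda e: order[e.verdict]):
        where = e.path or "(nothing on disk)"
        who = f" [{e.publisher}]" if e.publisher else ""
        lines.append(f"{e.verdict:8} {e.kind:3} {e.name}{who} -> {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(report(found))
    print(summarize(found))
```

Run it on a saved DDS.txt or OTL.txt instead of SAMPLE_LOG and the review bucket gives the list of add-ons to look up before anything is removed; the orphan bucket is the registry residue a cleanup tool will later be asked to clear. Paths containing parentheses, such as Program Files (x86), would need a slightly more careful publisher match than the one used here.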

kidkrops
2012-09-27, 01:03
hey ken,

I am computer savvy.. I forgot to mention that I followed the link by going into the C drive and following it down the chain, and I couldn't find anything.

I also hit Start -> Run and pasted the command link into Run. SOMEHOW the uTorrent folder is hidden somewhere and I can't locate it..

I even went to the Control Panel and tried doing an Add/Remove....there is no such thing as uTorrent. ..

I was wondering if there's a special way to uninstall it....

Computer works perfectly fine, runs fast, has no problems.. The only problem is that I took it back from my brother and he obviously played a lot of games on it and it's obviously infected, but as to how and how it's affecting my computer I have no idea.


I do have the Windows CD and license key that I want installed for this specific machine....

kidkrops
2012-09-27, 01:43
OTL logfile created on: 9/25/2012 7:33:59 PM - Run 1
OTL by OldTimer - Version 3.2.68.0 Folder = C:\Documents and Settings\Joe.TRADE2WIN\Desktop\help
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 81.63% Memory free
4.59 Gb Paging File | 4.15 Gb Available in Paging File | 90.38% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.10 Gb Total Space | 118.24 Gb Free Space | 85.01% Space Free | Partition Type: NTFS
Drive I: | 9.95 Gb Total Space | 3.91 Gb Free Space | 39.25% Space Free | Partition Type: NTFS

Computer Name: TRADE2WIN | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Joe.TRADE2WIN\Desktop\help\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\dbc413807cb7360b3e26ef3ca1d54f9a\System.Web.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\9080c8e8e7b6dfb502c1328673d636f8\System.Management.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\3d5b7368bde0f65aa15d9f46b498cc89\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
MOD - C:\WINDOWS\system32\redmonnt.dll ()


========== Services (SafeList) ==========

SRV - (PEVSystemStart) -- C:\ComboFix\pev.3XE EXEC /i C:\ComboFix\REGT.3XE /S C:\ComboFix\CregB.dat File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)


========== Driver Services (SafeList) ==========

DRV - (winachsf) -- system32\DRIVERS\HSF_CNXT.sys File not found
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mdmxsdk) -- system32\DRIVERS\mdmxsdk.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (HSFHWBS2) -- system32\DRIVERS\HSFHWBS2.sys File not found
DRV - (HSF_DPV) -- system32\DRIVERS\HSF_DPV.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\JOE~1.TRA\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (AtiHDAudioService) -- C:\WINDOWS\system32\drivers\AtihdXP3.sys (Advanced Micro Devices)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\SearchScopes,DefaultScope = {9C1E8A8D-83B7-4C4F-B424-A46DF2E55E29}
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\SearchScopes\{9C1E8A8D-83B7-4C4F-B424-A46DF2E55E29}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\SearchScopes\{B2CEC88B-23D4-4E5B-AC5A-D82CDDD6EE6D}: "URL" = http://www.mysearchresults.com/search?&c=2638&t=03&q={searchTerms}
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll (Amnis Technology Ltd)
FF - HKCU\Software\MozillaPlugins\@mozilla.zeniko.ch/PDFlite_Browser_Plugin: C:\Program Files\PDFlite\npPdfViewer.dll (Amnis Technology Ltd)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox

[2012/05/30 16:56:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Mozilla\Firefox\extensions
[2012/05/30 16:56:42 | 000,000,000 | ---D | M] (uTorrentControl2 Community Toolbar) -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Mozilla\Firefox\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}
[2012/05/30 19:42:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Mozilla\Firefox\Profiles\0\extensions
[2012/05/30 19:42:10 | 000,086,818 | ---- | M] () (No name found) -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Mozilla\Firefox\Profiles\0\extensions\OneClickDownloader@OneClickDownloader.com.xpi
[2012/05/30 19:43:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========

CHR - homepage: http://google.com/
CHR - default_search_provider: Search Results (Enabled)
CHR - default_search_provider: search_url = http://dts.search-results.com/sr?src=crb&appid=387&systemid=406&sr=0&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - homepage: http://google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Tennis = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ekkomjfglgnfeeachhdckcbgjhfiahco\1.9_0\
CHR - Extension: Gmail = C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/09/10 13:19:18 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll File not found
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Documents and Settings\Joe.TRADE2WIN\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll File not found
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll File not found
O3 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004..\Run: [uTorrent] "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Utorrent downloads\uTorrent.exe" /MINIMIZED File not found
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\BDARemote.lnk = C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167648530484 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://scottrade.webex.com/client/T27LD/nbr/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.251.129 167.206.251.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A7AD81D-B8B9-488A-BFFE-A71F7AF2EE21}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CB5DC14C-7B25-4BF7-8AB3-473A441D6398}: DhcpNameServer = 167.206.251.129 167.206.251.130
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/12/09 04:21:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/25 19:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Malwarebytes
[2012/09/25 19:07:45 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/25 19:07:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/25 19:07:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/25 19:07:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2012/09/22 21:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Start Menu\Programs\Google Chrome
[2012/09/22 21:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Application Data\Deployment
[2012/09/22 21:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\PDFlite
[2012/09/22 21:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\PDFlite
[2012/09/22 21:27:06 | 000,000,000 | ---D | C] -- C:\Program Files\PDFlite
[2012/09/22 21:26:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
[2012/09/22 21:26:53 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2012/09/22 21:26:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Yahoo!
[2012/09/18 01:05:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/09/18 01:05:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
[2012/09/12 10:10:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/12 10:10:05 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/09/12 10:10:05 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/09/12 10:10:02 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/12 10:10:02 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/12 10:10:02 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/12 10:09:46 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/09/11 09:24:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/09/10 21:13:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
[2012/09/10 13:11:42 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/09/10 13:10:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/09/10 13:10:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/09/10 13:10:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/09/10 13:10:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/09/10 13:10:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/09/10 13:10:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/10 04:13:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\help
[2012/09/10 04:12:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\My Documents\My Videos
[2012/09/10 04:12:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\My Videos
[2012/09/10 04:12:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Joe.TRADE2WIN\Start Menu\Programs\Administrative Tools
[2012/09/10 04:11:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/09/10 04:02:28 | 000,773,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr100.dll
[2012/09/10 04:02:28 | 000,632,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll
[2012/09/10 04:02:28 | 000,554,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll
[2012/09/10 04:02:28 | 000,479,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcm80.dll
[2012/09/10 04:02:28 | 000,421,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp100.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/25 19:20:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/25 19:07:46 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/25 18:56:00 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1897051121-839522115-1004UA.job
[2012/09/25 18:53:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/25 18:42:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/09/24 21:56:00 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1897051121-839522115-1004Core.job
[2012/09/22 21:49:32 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Google Chrome.lnk
[2012/09/22 21:49:32 | 000,002,322 | ---- | M] () -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/09/22 21:27:16 | 000,001,522 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\PDFlite.lnk
[2012/09/18 01:31:35 | 000,004,125 | ---- | M] () -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\attach.zip
[2012/09/18 01:25:01 | 000,000,097 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2012/09/18 00:24:20 | 000,492,944 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/18 00:24:20 | 000,083,466 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/12 10:09:52 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/12 10:09:51 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/09/12 10:09:51 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/09/12 10:09:51 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/09/12 10:09:51 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/12 10:09:51 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/12 10:09:51 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/09/11 03:02:22 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/09/11 02:04:46 | 000,007,116 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\services
[2012/09/10 21:13:57 | 000,696,520 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/09/10 21:13:57 | 000,073,416 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/09/10 20:36:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\thinkorswim.lnk
[2012/09/10 20:35:42 | 018,959,872 | ---- | M] (thinkorswim, Inc) -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\thinkorswim_jse6_installer.exe
[2012/09/10 13:19:18 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/09/10 13:11:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/09/10 04:31:55 | 000,251,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/08/28 20:44:54 | 011,111,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2012/08/28 11:14:53 | 006,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2012/08/28 11:14:53 | 001,212,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2012/08/28 11:14:53 | 000,916,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2012/08/28 11:14:53 | 000,630,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2012/08/28 11:14:53 | 000,630,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2012/08/28 11:14:53 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2012/08/28 11:14:53 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2012/08/28 11:14:53 | 000,521,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll
[2012/08/28 11:14:53 | 000,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2012/08/28 11:14:53 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll
[2012/08/28 11:14:53 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll
[2012/08/28 11:14:53 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2012/08/28 11:14:53 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2012/08/28 11:14:53 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2012/08/28 11:14:53 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\licmgr10.dll
[2012/08/28 11:14:53 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\licmgr10.dll
[2012/08/28 11:14:53 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2012/08/28 11:14:53 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2012/08/28 11:14:52 | 002,000,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2012/08/28 11:14:52 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2012/08/28 11:14:52 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2012/08/28 11:14:52 | 000,743,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2012/08/28 11:14:52 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2012/08/28 11:14:52 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2012/08/28 11:14:52 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2012/08/28 11:14:52 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2012/08/28 08:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2012/08/28 08:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe
[2012/08/28 08:07:15 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/25 19:07:46 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/22 21:49:32 | 000,002,344 | ---- | C] () -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Google Chrome.lnk
[2012/09/22 21:49:32 | 000,002,322 | ---- | C] () -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/09/22 21:46:03 | 000,000,990 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1897051121-839522115-1004UA.job
[2012/09/22 21:46:03 | 000,000,938 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1897051121-839522115-1004Core.job
[2012/09/22 21:27:16 | 000,001,522 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\PDFlite.lnk
[2012/09/22 21:27:14 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2012/09/22 21:27:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe
[2012/09/18 01:31:35 | 000,004,125 | ---- | C] () -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\attach.zip
[2012/09/10 20:36:29 | 000,001,652 | ---- | C] () -- C:\Documents and Settings\Joe.TRADE2WIN\Start Menu\Programs\thinkorswim.lnk
[2012/09/10 20:36:29 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\Joe.TRADE2WIN\Desktop\thinkorswim.lnk
[2012/09/10 13:11:47 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/09/10 13:11:43 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/09/10 13:10:35 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/09/10 13:10:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/09/10 13:10:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/09/10 13:10:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/09/10 13:10:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/10 21:06:54 | 000,000,435 | ---- | C] () -- C:\WINDOWS\ArcView9x.INI
[2012/02/15 23:19:32 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/14 12:30:40 | 000,000,026 | ---- | C] () -- C:\WINDOWS\Blackwood Pro.INI
[2011/12/09 04:29:40 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2011/12/09 04:29:40 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/12/09 04:29:40 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/12/09 04:29:40 | 000,168,883 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/12/09 04:29:40 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2011/12/09 04:29:40 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2011/12/09 03:04:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/12/09 02:58:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/12/09 02:54:56 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/12/08 18:50:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/12/08 18:49:32 | 000,251,088 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========

[2011/12/14 02:37:14 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/06/30 11:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\boost_interprocess
[2012/05/10 20:42:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESRI
[2012/09/22 21:42:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tarma Installer
[2012/06/23 23:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\.minecraft
[2012/05/10 21:50:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\ESRI
[2012/09/22 21:29:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\PDFlite
[2012/06/29 19:11:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe.TRADE2WIN\Application Data\searchqutoolbar

========== Purity Check ==========



< End of report >



OTL # 2 - extras
OTL Extras logfile created on: 9/25/2012 7:33:59 PM - Run 1
OTL by OldTimer - Version 3.2.68.0 Folder = C:\Documents and Settings\Joe.TRADE2WIN\Desktop\help
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.65 Gb Available Physical Memory | 81.63% Memory free
4.59 Gb Paging File | 4.15 Gb Available in Paging File | 90.38% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.10 Gb Total Space | 118.24 Gb Free Space | 85.01% Space Free | Partition Type: NTFS
Drive I: | 9.95 Gb Total Space | 3.91 Gb Free Space | 39.25% Space Free | Partition Type: NTFS

Computer Name: TRADE2WIN | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1844237615-1897051121-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary
"C:\Program Files\Searchqu Toolbar\Datamngr\ToolBar\dtUser.exe" = C:\Program Files\Searchqu Toolbar\Datamngr\ToolBar\dtUser.exe:*:Enabled:DTX broker -- (Visicom Media Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1CF65E18-6463-4D28-A476-7DA10FBCE816}" = ArcGIS Desktop Evaluation Edition
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{2758691A-2CDE-4942-A4AC-0E8F61FE2067}" = USB Video Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{94B5EB58-4409-4CD2-BEA4-A8E8B1708A50}" = AMD Catalyst Install Manager
"{A13D16C5-38A9-4D96-9647-59FCCAB12A85}" = Visual Basic for Applications (R) Core - English
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FB97C283-1F3C-42D4-AE01-ADC1DC12F774}" = Visual Basic for Applications (R) Core
"69083DC58646DE46A09847A522A1CC487F918039" = Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (08/31/2007 5.7.0831.0)
"9722CA1E8F72F362E93CBEC75A707FDABFC8D880" = Windows Driver Package - Advanced Micro Devices, Inc. (USB28xxBGA) Media (08/31/2007 5.7.0831.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ArcGIS Desktop Evaluation Edition" = ArcGIS Desktop Evaluation Edition
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F40&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"Doxillion" = Doxillion Document Converter
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Office14.SingleImage" = Microsoft Office Home and Business 2010
"PDFlite" = PDFlite 0.7
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"thinkorswim" = thinkorswim
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1844237615-1897051121-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 1/5/2007 3:50:10 AM | Computer Name = TRADE2WIN | Source = Windows Product Activation | ID = 1009
Description = You have not activated Windows within the grace period. To activate
Windows, contact a customer service representative by telephone.

Error - 1/5/2007 3:52:04 AM | Computer Name = TRADE2WIN | Source = Windows Product Activation | ID = 1009
Description = You have not activated Windows within the grace period. To activate
Windows, contact a customer service representative by telephone.

Error - 1/5/2007 3:55:18 AM | Computer Name = TRADE2WIN | Source = Windows Product Activation | ID = 1009
Description = You have not activated Windows within the grace period. To activate
Windows, contact a customer service representative by telephone.

Error - 9/10/2012 1:12:39 PM | Computer Name = TRADE2WIN | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 9/10/2012 1:13:08 PM | Computer Name = TRADE2WIN | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x715b9e59.

Error - 9/10/2012 1:14:01 PM | Computer Name = TRADE2WIN | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 1/1/2007 12:17:12 AM | Computer Name = TRADE2WIN | Source = MsiInstaller | ID = 10005
Description = Product: ATI AVIVO Codecs -- Internal Error 2908. {AA1B1A2A-A427-4DEA-BF41-18DDB4FDC6AA}

Error - 1/1/2007 12:17:12 AM | Computer Name = TRADE2WIN | Source = MsiInstaller | ID = 10005
Description = Product: ATI AVIVO Codecs -- Internal Error 2908. {6937E918-B0C3-4E37-ABB3-0A8A665B6D61}

Error - 1/1/2007 12:17:12 AM | Computer Name = TRADE2WIN | Source = MsiInstaller | ID = 10005
Description = Product: ATI AVIVO Codecs -- Internal Error 2908. {4D1A93F4-09B4-4D3E-8937-44926BF81DE3}

Error - 1/1/2007 12:17:12 AM | Computer Name = TRADE2WIN | Source = MsiInstaller | ID = 10005
Description = Product: ATI AVIVO Codecs -- Internal Error 2908. {B482E629-7A44-4DAB-A14C-94F6186B4DA4}

[ System Events ]
Error - 9/24/2012 9:20:15 PM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 60 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 9/24/2012 9:20:15 PM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 9/24/2012 10:20:15 PM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 120 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 9/24/2012 10:20:15 PM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 9/25/2012 12:20:15 AM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 240 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 9/25/2012 12:20:15 AM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 239 minutes. NtpClient has no source of accurate
time.

Error - 9/25/2012 4:20:00 AM | Computer Name = TRADE2WIN | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by +86298 seconds. The time service will not change the system time by more than
+54000 seconds. Verify that your time and time zone are correct, and that the time
source time.windows.com (ntp.m|0x1|192.168.0.102:123->65.55.21.20:123) is working
properly.

Error - 9/25/2012 6:53:50 PM | Computer Name = TRADE2WIN | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 9/25/2012 7:20:58 PM | Computer Name = TRADE2WIN | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 9/25/2012 7:21:02 PM | Computer Name = TRADE2WIN | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058


< End of report >




Malware softie log-

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.26.13

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Joe :: TRADE2WIN [administrator]

Protection: Enabled

9/25/2012 7:09:46 PM
mbam-log-2012-09-25 (19-16-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 344098
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 11
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCR\TypeLib\{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) -> No action taken.
HKCR\Interface\{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) -> No action taken.
HKCR\CrossriderApp0003491.BHO.1 (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCR\CrossriderApp0003491.BHO (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.BundleInstaller.VG) -> No action taken.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> No action taken.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) -> Data: Vid-Saver -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\Joe.TRADE2WIN\My Documents\Downloads\setup.exe (PUP.BundleInstaller.VG) -> No action taken.
C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temporary Internet Files\Content.IE5\I30VSR17\pdflite_d166369[1].exe (PUP.BundleOffers.IIQ) -> No action taken.
C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temporary Internet Files\Content.IE5\I30VSR17\pdflite_d166369[2].exe (PUP.BundleOffers.IIQ) -> No action taken.

(end)

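Every entry in the log above ends with "No action taken", which means Malwarebytes only reported the items and removed nothing. That state is easy to miss by eye in a long log, so here is an added example (not code from this thread and not a Malwarebytes tool) of a small Python parser for the MBAM 1.x text log format: it collects each detection, flags the ones the scan did not act on, and checks that the number of entries under each "... Detected: N" header matches N. The sample log is a constructed, trimmed copy of the one posted above, with one file entry rewritten to Malwarebytes' "Quarantined and deleted successfully." outcome so both states appear; the "Data: ..." handling and the field names are assumptions based only on the lines visible in this thread.

```python
"""Audit a Malwarebytes Anti-Malware 1.x text log: list every detection,
flag the ones the scan did not act on, and verify the per-section counts."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: a trimmed copy of the log posted in this thread,
# with one file entry changed to a removed outcome so both states show up.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.26.13

Registry Keys Detected: 3
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> No action taken.
HKCR\CrossriderApp0003491.BHO.1 (PUP.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.BundleInstaller.VG) -> No action taken.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) -> Data: Vid-Saver -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Joe.TRADE2WIN\My Documents\Downloads\setup.exe (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temporary Internet Files\Content.IE5\I30VSR17\pdflite_d166369[1].exe (PUP.BundleOffers.IIQ) -> No action taken.

(end)
"""

# "<Section> Detected: <count>" header, e.g. "Registry Keys Detected: 11"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
NO_ACTION = "No action taken"


@dataclass
class Detection:
    section: str    # e.g. "Registry Keys", "Files"
    item: str       # registry path or file path
    family: str     # detection name, e.g. "PUP.GamePlayLab"
    action: str     # what the scan did, e.g. "No action taken"
    data: str = ""  # registry value data, when the log reports one


def parse_detection_line(section: str, line: str) -> Detection:
    """Parse one '<item> (<family>) -> [Data: <x> -> ]<action>.' line."""
    parts = line.split(" -> ")
    if len(parts) < 2:
        raise ValueError(f"not a detection line: {line!r}")
    action = parts[-1].rstrip(".")
    # Registry values carry an extra "Data: <value>" segment (assumed format).
    data = parts[1][len("Data: "):] if len(parts) == 3 and parts[1].startswith("Data: ") else ""
    # The family is the last "(...)" before the arrow; paths may contain
    # parentheses themselves, so split from the right.
    item, sep, family = parts[0].rpartition(" (")
    if not sep or not family.endswith(")"):
        raise ValueError(f"missing detection family: {line!r}")
    return Detection(section, item, family[:-1], action, data)


def parse_mbam_log(text: str) -> Tuple[List[Detection], Dict[str, Tuple[int, int]]]:
    """Return (detections, mismatches); mismatches maps a section name to
    (declared count, entries actually found) wherever the two disagree."""
    detections: List[Detection] = []
    mismatches: Dict[str, Tuple[int, int]] = {}
    section, declared, found = None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            if section is not None and found != declared:
                mismatches[section] = (declared, found)
            section, declared, found = header["section"], int(header["count"]), 0
            continue
        # Skip preamble, blank lines and "(No malicious items detected)" / "(end)".
        if section is None or not line or line.startswith("("):
            continue
        if " -> " in line:
            detections.append(parse_detection_line(section, line))
            found += 1
    if section is not None and found != declared:
        mismatches[section] = (declared, found)
    return detections, mismatches


def needs_rerun(detections: List[Detection]) -> bool:
    """True when at least one detection was reported but not removed."""
    return any(d.action == NO_ACTION for d in detections)


def audit(detections: List[Detection]) -> Dict[str, object]:
    """Summarise a parsed log: totals, unactioned items, families and actions."""
    return {
        "total": len(detections),
        "unactioned": [d.item for d in detections if d.action == NO_ACTION],
        "by_family": dict(Counter(d.family for d in detections)),
        "by_action": dict(Counter(d.action for d in detections)),
    }


if __name__ == "__main__":
    dets, bad_counts = parse_mbam_log(SAMPLE_LOG)
    report = audit(dets)
    print(f"{report['total']} detections, {len(report['unactioned'])} not acted on")
    for item in report["unactioned"]:
        print("  still present:", item)
    if bad_counts:
        print("section counts do not match entries:", bad_counts)
    print("rerun scan with removal:", needs_rerun(dets))
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`; a non-empty `unactioned` list is the signal that the scan must be repeated with removal enabled, and a non-empty mismatch dict means the log was truncated or edited in transit.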
ken545
2012-09-27, 02:16
You had Malwarebytes set to TAKE NO ACTION; you need to run it again and make sure to remove all that's checked.


Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL
SRV - (PEVSystemStart) -- C:\ComboFix\pev.3XE EXEC /i C:\ComboFix\REGT.3XE /S C:\ComboFix\CregB.dat File not found
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\SearchScopes\{B2CEC88B-23D4-4E5B-AC5A-D82CDDD6EE6D}: "URL" = http://www.mysearchresults.com/search?&c=2638&t=03&q={searchTerms}
O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll File not found
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll File not found
O4 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004..\Run: [uTorrent] "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Utorrent downloads\uTorrent.exe" /MINIMIZED File not found
[2012/09/10 13:10:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/09/10 13:10:26 | 000,000,000 | ---D | C] -- C:\Qoobox


:Services

:Reg

:Files
C:\Program Files\Yontoo
C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Utorrent downloads
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Run a new scan with OTL and post the log please

kidkrops
2012-09-27, 16:05
Hey Ken,

So I pasted the code that you gave me into OTL and it didn't work; my computer just froze... I left it running all night and it's still on the same "killprocess, do not interrupt" initial start page... I won't be able to look at the computer again until later today after I get out of work. Any help is greatly appreciated!

ken545
2012-09-27, 18:05
Did you rerun Malwarebytes and remove all selected?

Let's clean out the cobwebs

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.




Make sure you reboot and then try OTL again with this new script




:OTL
SRV - (PEVSystemStart) -- C:\ComboFix\pev.3XE EXEC /i C:\ComboFix\REGT.3XE /S C:\ComboFix\CregB.dat File not found
IE - HKU\S-1-5-21-1844237615-1897051121-839522115-1004\..\SearchScopes\{B2CEC88B-23D4-4E5B-AC5A-D82CDDD6EE6D}: "URL" = http://www.mysearchresults.com/search?&c=2638&t=03&q={searchTerms}
O2 - BHO: (Incredibar.com Helper Object) - {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\bh\incredibar.dll File not found
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll File not found
O3 - HKLM\..\Toolbar: (Incredibar Toolbar) - {F9639E4A-801B-4843-AEE3-03D9DA199E77} - C:\Program Files\Incredibar.com\incredibar\1.5.11.14\incredibarTlbr.dll File not found
O4 - HKU\S-1-5-21-1844237615-1897051121-839522115-1004..\Run: [uTorrent] "C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Utorrent downloads\uTorrent.exe" /MINIMIZED File not found
[2012/09/10 13:10:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/09/10 13:10:26 | 000,000,000 | ---D | C] -- C:\Qoobox


:Services

:Reg

:Files
C:\Program Files\Yontoo
C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Utorrent downloads
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

kidkrops
2012-09-28, 01:04
Hey, yeah, I ran Malwarebytes again afterwards... I also ran the TFC program and it froze; I also ran OTL with the new script and it froze as well..

Here is the log from the malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.27.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Joe :: TRADE2WIN [administrator]

Protection: Enabled

9/26/2012 6:42:51 PM
mbam-log-2012-09-26 (18-42-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 344216
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Any suggestions as to why it's freezing? Should I try running it in safe mode? I will be back later tonight.

ken545
2012-09-28, 01:21
Yep,

Try it in safemode,


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot up, tap the F8 key somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

kidkrops
2012-09-28, 09:16
Good news, I ran the first script that you gave me in safe mode and everything worked fine and smoothly. After restarting, the computer seems to run into trouble loading Windows; it goes to a blue screen and restarts, and I can still access safe mode.

When I ran the script I ran it under admin, not Joe. Here is the log that was produced after entering the 2nd script:

All processes killed
========== OTL ==========
Error: No service named PEVSystemStart was found to stop!
Service\Driver key PEVSystemStart not found.
File C:\ComboFix\pev.3XE EXEC /i C:\ComboFix\REGT.3XE /S C:\ComboFix\CregB.dat File not found not found.
Registry key HKEY_USERS\S-1-5-21-1844237615-1897051121-839522115-1004\Software\Microsoft\Internet Explorer\SearchScopes\{B2CEC88B-23D4-4E5B-AC5A-D82CDDD6EE6D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2CEC88B-23D4-4E5B-AC5A-D82CDDD6EE6D}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{F9639E4A-801B-4843-AEE3-03D9DA199E77} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9639E4A-801B-4843-AEE3-03D9DA199E77}\ not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1897051121-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run\\uTorrent deleted successfully.
Folder C:\ComboFix\ not found.
Folder C:\Qoobox\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Program Files\Yontoo not found.
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Desktop\Utorrent downloads not found.
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
C:\Documents and Settings\Joe.TRADE2WIN\Desktop\help\cmd.bat deleted successfully.
C:\Documents and Settings\Joe.TRADE2WIN\Desktop\help\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Desktop
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: joe
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Joe.TRADE2WIN
->Temp folder emptied: 83456 bytes
->Temporary Internet Files folder emptied: 559933 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 108557816 bytes

Total Files Cleaned = 104.00 mb


OTL by OldTimer - Version 3.2.68.0 log created on 12312005_184842

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temp\~DFED03.tmp not found!
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temp\~DFED10.tmp not found!
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temp\~DFED6A.tmp not found!
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temp\~DFED77.tmp not found!
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temp\~DFEE7A.tmp not found!
File\Folder C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temp\~DFEE87.tmp not found!
File move failed. C:\Documents and Settings\Joe.TRADE2WIN\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

ken545
2012-09-28, 12:17
Hmmm, not looking at anything that was removed that would cause any problems. Reboot your system a few times and see if it clears it up.


If not, then let's restore your system to a previous date

Go to Start> Run and copy and paste this in and click OK

%SystemRoot%\System32\restore\rstrui.exe


Choose to Restore your computer to a previous date and pick the date prior to running the OTL fix.

Let me know how it went

kidkrops
2012-09-28, 14:44
there is no prior date to restore the system restore to.

kidkrops
2012-09-28, 14:45
Think I might just have to reformat the whole hard drive again. I was able to get the information that I needed through safe mode.

there is no prior date to restore the system restore to.

ken545
2012-09-28, 15:10
That may be a good option; then you will have a nice clean copy of Windows installed. Do you need help with this?

kidkrops
2012-09-29, 02:04
That may be a good option; then you will have a nice clean copy of Windows installed. Do you need help with this?

Nope, I know how to re-install Windows. Appreciate the help; you can consider this closed! Thanks a million to everyone!

kidkrops
2012-09-29, 02:11
OK... so when I try to reboot I get the following error message:

"Windows could not start because the following file is missing or corrupt:

<Windows root>\system32\hal.dll.

Please re-install a copy of the above file"

ken545
2012-09-29, 11:14
That file is missing or corrupt; give this a shot:

http://pcsupport.about.com/od/fixtheproblem/ht/restorehaldll.htm

kidkrops
2012-09-29, 22:35
Re-installed Windows, but when the computer loads I get to choose which Windows to load and the bad copy is still there. Any way to delete it?

ken545
2012-09-29, 23:46
You should have reformatted the drive and started fresh, creating a primary partition. We just do malware removal on this forum, but post here and you will get some Windows people that can help you. Like Safer, it's free but you will have to register.

http://forums.whatthetech.com/index.php?showforum=119

Ken :)

kidkrops
2012-09-29, 23:59
I reformatted the drive.. there was a partition 1, which was recovery and much smaller, and partition 2, which was the actual hard drive, and I reformatted the 2nd one.. should have done it to the first. Case closed though, thanks for the help!

ken545
2012-09-30, 01:29
You're welcome



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

ken545
2012-10-04, 13:21
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.