Win32.downloader.gen - Help Please



Snurd
2013-09-04, 22:04
I really hate to bother the forum with this, but I'm at my wit's end! :confused:

I've been trying to remove this virus for several days now with no success. I'm running Windows XP and the virus shows up in SpyBot. It will disappear in safe mode, then reappear in the next regular scan. I've searched the forum and tried everything that I can find, with no luck...

Any help is greatly appreciated. Thanks! Keith

(Original link, first posted in Forum-Software-Spybot: http://forums.spybot.info/showthread.php?69266-win32-downloader-gen-Help-Please&p=444761#post444761)

Here's the DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Keith Simmons at 12:46:50 on 2013-09-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.462 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\etMon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070111
uInternet Connection Wizard,ShellNext = hxxp://home.frontiernet.net/WelcomeCD.asp
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - <orphaned>
BHO: {53707962-6F74-2D53-2644-206D7942484F} - <orphaned>
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ConduitFloatingPlugin_jcnkjmghmdigcjcajaemenhlleobnhih] "c:\windows\system32\rundll32.exe" "c:\program files\conduit\ct3309657\plugins\TBVerifier.dll",RunConduitFloatingPlugin jcnkjmghmdigcjcajaemenhlleobnhih
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [etMonitor] c:\windows\etMon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\keiths~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\keiths~1\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{87A4AD3F-113A-4EA7-8351-9EB8BFD5832D} : DHCPNameServer = 192.168.254.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WgaLogon - <no file>
AppInit_DLLs= c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-3-19 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-3-19 175176]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2008-11-25 149376]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-31 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-28 369584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 32640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-28 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-3-19 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 46808]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1990464]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2012-1-5 12184]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-11 1251720]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 DCamUSBET;ET USB 2710 Camera;c:\windows\system32\drivers\etDevice.sys [2007-6-27 88704]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [2007-6-27 103680]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [2007-6-27 5760]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2010-11-8 14592]
.
=============== File Associations ===============
.
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-09-04 16:37:18 -------- d-----w- c:\windows\QIUEKXANT6IGFLKJ
2013-09-04 16:36:47 -------- d-----w- c:\windows\BM375WFYPGE5O1KX
2013-09-04 16:31:30 -------- d-----w- C:\AdwCleaner
2013-09-04 14:18:10 -------- d-----w- c:\windows\UJP2LYBHU7JWER3F
2013-09-04 14:17:36 -------- d-----w- c:\windows\3VCP2EKXAGFLRJAG
2013-09-04 05:19:41 -------- d-----w- c:\windows\NGT6IV8KP2FLRX1K
2013-09-04 05:13:51 -------- d-----w- c:\documents and settings\keith simmons\application data\PC VITALWARE
2013-09-04 05:13:51 -------- d-----w- c:\documents and settings\all users\application data\PC VITALWARE
2013-09-04 04:05:30 -------- d-----w- c:\windows\IQA1J2ZBVM68YH8Y
2013-09-04 03:00:39 -------- d-----w- c:\windows\LA1YI9ZI90J9XNEY
2013-09-04 00:55:17 -------- d-----w- c:\windows\D69TXG7XH1YO1LYI
2013-09-03 23:11:31 -------- d-----w- c:\windows\XLYB2LYBO1DX2MZJ
2013-09-03 21:19:48 -------- d-----w- c:\windows\R14HMR4G05AMZ5HG
2013-09-02 21:36:07 -------- d-----w- c:\windows\QFLYBOU7CPOUTLRX
2013-09-02 21:35:05 -------- d-----w- c:\windows\GBS5HU0CHU4GTZCP
2013-09-02 19:52:10 -------- d-----w- c:\windows\S9RA1RB9ZIE5OF6P
2013-09-02 19:47:52 -------- d-----w- c:\windows\AEA8C2ZWUSQA1KB2
2013-09-02 18:05:36 -------- d-----w- c:\windows\3SHU7CWG0H1EJW9L
2013-09-02 17:28:00 -------- d-----w- c:\windows\I5HMZCWNJW9ZJW9E
2013-09-02 17:21:30 -------- d-----w- c:\windows\96HTZCP27JONMEDC
2013-09-02 14:52:26 -------- d-----w- c:\windows\MWLY4NS5HMZBV8K2
2013-09-02 06:58:55 -------- d-----w- c:\windows\SZRUX0UWZ2IE03JW
2013-09-02 06:53:33 -------- d-----w- c:\windows\63EXOFZQHZQH8RI9
2013-09-02 06:50:53 -------- d-----w- c:\windows\930DAN7CP2EQ3GT6
2013-09-02 06:50:19 -------- d-----w- c:\windows\0XQTWZ24DFXTPLHD
2013-09-02 06:39:25 -------- d-----w- c:\windows\GCNT6IN05PNTSKJI
2013-09-02 06:38:45 -------- d-----w- c:\windows\JEH8YP9ZP9TDXH1K
2013-09-02 06:33:50 -------- d-----w- c:\windows\QS5O1DQV8KJB3RIV
2013-09-02 06:32:05 -------- d-----w- c:\windows\Y4YEV5EHRT3CFPZS
2013-09-02 06:22:01 -------- d-----w- c:\windows\Y6MORUX09IKUNQTW
2013-09-02 06:16:32 -------- d-----w- c:\windows\841ZI96W8R8YI2ZJ
2013-09-02 03:39:27 -------- d-----w- c:\windows\0AS5AN05IU05HMLK
2013-09-02 03:33:22 338 ----a-w- c:\documents and settings\keith simmons\local settings\application data\poetsch.bat
2013-09-01 22:17:29 -------- d-----w- c:\windows\SOS2SI2SBVL5H1DQ
2013-09-01 21:03:14 -------- d-----w- c:\windows\7HPZGQ7NXE7N4KUB
2013-08-31 22:43:11 -------- d-----w- c:\windows\QGY305386IDA7XUS
2013-08-31 22:25:11 -------- d-----w- c:\windows\X63N6XG7Q9ZI9SCP
2013-08-31 03:46:12 -------- d-----w- c:\windows\7I7JO16IN05A8DBA
2013-08-30 16:20:57 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2013-08-30 16:20:57 28040 ----a-w- c:\windows\system32\mdimon.dll
2013-08-14 23:03:22 -------- d-----w- c:\windows\LAGT6IV8DPV7J3M6
2013-08-14 23:02:20 -------- d-----w- c:\windows\WDQ3T6IV0C3M6XGT
2013-08-08 14:18:17 -------- d-----w- c:\windows\RN7Q3FZC3FS5HCPG
.
==================== Find3M ====================
.
2013-08-03 19:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-29 22:07:42 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-29 22:07:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47:17 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47:13 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47:12 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52:59 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-27 19:34:32 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-27 19:34:32 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2008-11-13 21:56:09 11281 ----a-w- c:\program files\common files\woko.bin
.
============= FINISH: 12:49:30.12 ===============




Here is the aswMBR log:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-09-04 13:33:04
-----------------------------
13:33:04.203 OS Version: Windows 5.1.2600 Service Pack 3
13:33:04.203 Number of processors: 2 586 0xF06
13:33:04.203 ComputerName: D1Q0QCC1 UserName:
13:33:07.031 Initialize success
13:33:11.156 AVAST engine defs: 13090400
13:33:28.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:33:28.828 Disk 0 Vendor: ST316081 3.AD Size: 152587MB BusType: 3
13:33:29.015 Disk 0 MBR read successfully
13:33:29.015 Disk 0 MBR scan
13:33:29.015 Disk 0 unknown MBR code
13:33:29.046 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
13:33:29.062 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 147793 MB offset 80325
13:33:29.093 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 302760990
13:33:29.093 Disk 0 scanning sectors +312496380
13:33:29.281 Disk 0 scanning C:\WINDOWS\system32\drivers
13:33:46.671 Service scanning
13:34:02.484 Modules scanning
13:34:16.140 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
13:34:18.046 Disk 0 trace - called modules:
13:34:18.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
13:34:18.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f87870]
13:34:18.078 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86f75030]
13:34:18.562 AVAST engine scan C:\WINDOWS
13:34:39.765 AVAST engine scan C:\WINDOWS\system32
13:38:40.796 AVAST engine scan C:\WINDOWS\system32\drivers
13:39:14.234 AVAST engine scan C:\Documents and Settings\Keith Simmons
14:45:05.640 AVAST engine scan C:\Documents and Settings\All Users
14:47:22.359 Scan finished successfully
14:55:25.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Keith Simmons\My Documents\MBR.dat"
14:55:25.515 The log file has been saved successfully to "C:\Documents and Settings\Keith Simmons\My Documents\aswMBR.txt"
14:56:01.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Keith Simmons\Desktop\MBR.dat"
14:56:01.359 The log file has been saved successfully to "C:\Documents and Settings\Keith Simmons\Desktop\aswMBR.txt"

In case the above attachment fails, here is the zipped attach.txt file.

Best,

Keith

I haven't attempted any fixes since posting this thread, but just now ran SpyBot to check the system.

Strangely, the virus isn't showing up. Can this virus go dormant for periods and then reactivate???

Thanks,

Keith
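The DDS listing above shows a run of folders created directly under c:\windows with 16-character upper-case names, plus a .bat file dropped in Local Settings\Application Data. As an added example (not part of this thread and not one of the tools the helper asked for), here is a small Python triage script that reads a DDS "Created Last 30" section and flags exactly those two shapes. The naming heuristic (16 upper-case letters and digits, mixing both) and the list of script extensions are my assumptions drawn from this log, not a signature for any named malware; the sample lines are copied from the log above, with a few benign entries (AdwCleaner, PC VITALWARE, mdimon.dll) kept as controls that must not fire.

```python
"""Flag random-named folders and stray scripts in a DDS 'Created Last 30' listing.

Added example, not from the thread. Heuristics are mine: a folder directly under
the Windows directory whose name is 16 upper-case letters/digits (mixing both)
is treated as machine-generated, and a script/executable created under a user's
Application Data, Local Settings or Cookies folders is flagged for review.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log above, including benign
# ones (AdwCleaner, PC VITALWARE, mdimon.dll) that must not be flagged.
SAMPLE_DDS = r"""
2013-09-04 16:37:18 -------- d-----w- c:\windows\QIUEKXANT6IGFLKJ
2013-09-04 16:36:47 -------- d-----w- c:\windows\BM375WFYPGE5O1KX
2013-09-04 16:31:30 -------- d-----w- C:\AdwCleaner
2013-09-04 05:13:51 -------- d-----w- c:\documents and settings\all users\application data\PC VITALWARE
2013-09-02 06:50:19 -------- d-----w- c:\windows\0XQTWZ24DFXTPLHD
2013-09-02 03:39:27 -------- d-----w- c:\windows\0AS5AN05IU05HMLK
2013-09-02 03:33:22 338 ----a-w- c:\documents and settings\keith simmons\local settings\application data\poetsch.bat
2013-09-01 22:17:29 -------- d-----w- c:\windows\SOS2SI2SBVL5H1DQ
2013-08-30 16:20:57 28040 ----a-w- c:\windows\system32\mdimon.dll
"""

# DDS line: "<date> <time> <size or -------->  <8-char attrs>  <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([a-z-]{8})\s+(.+?)\s*$"
)
# 16 upper-case alphanumerics containing at least one letter and one digit.
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*[0-9])[A-Z0-9]{16}$")
SCRIPT_EXTS = {".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".exe", ".com"}
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\cookies\\")

REASON_RANDOM_DIR = "random-named folder directly under the Windows directory"
REASON_USER_SCRIPT = "script or executable dropped in a user profile data folder"


@dataclass
class Finding:
    created: str
    path: str
    reason: str


def random_windows_dir(path: str) -> bool:
    """True if `path` is <drive>:\\windows\\<16 random upper-case chars>."""
    parent, name = ntpath.split(path.rstrip("\\"))
    return parent.lower().endswith(":\\windows") and bool(RANDOM_NAME_RE.match(name))


def dropped_user_script(path: str) -> bool:
    """True for a script/executable inside a user's data folders."""
    low = path.lower()
    return any(d in low for d in USER_DATA_DIRS) and ntpath.splitext(low)[1] in SCRIPT_EXTS


def triage(dds_text: str) -> list[Finding]:
    """Parse DDS 'Created Last 30' lines and return the entries worth a look."""
    findings = []
    for raw in dds_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, '.' separators
        created, _size, attrs, path = m.groups()
        is_dir = attrs.startswith("d")
        if is_dir and random_windows_dir(path):
            findings.append(Finding(created, path, REASON_RANDOM_DIR))
        elif not is_dir and dropped_user_script(path):
            findings.append(Finding(created, path, REASON_USER_SCRIPT))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.created}  {f.reason}: {f.path}")
```

Run it against the whole DDS.txt rather than the sample and the output is the list of paths to hand to the helper; it deliberately does not delete anything, since the folders' contents (and whatever recreates them after a safe-mode clean) are what a helper needs to see.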

Robybel
2013-09-07, 16:17
Hi and Welcome!! snurd :)

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! ;)

================================

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Next

AdwCleaner

Double click on AdwCleaner.exe to run the tool again.

Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...
This time, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.


Next

Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.



Next



Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it to your desktop.
Quit all other programs
Start RogueKiller.exe
Wait until the Prescan has finished ...
Click on Scan
Wait for the end of the scan
A report will be created on your desktop.
Click on the Delete button
Next click on the ShortcutsFix
another report will be created on your desktop.


Please post: All RKreport.txt text files located on your desktop.

On your next reply please post :

checkup.txt
AdwCleaner[S1].txt
JRT.txt
All RKreport.txt

Let me know if you have any problems performing the steps above or any questions you may have.

Good Day!

Snurd
2013-09-07, 19:02
Hi Robybel,

Thanks so much for your kind help!!!

Here are the results requested...


checkup.txt

Results of screen317's Security Check version 0.99.73
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Adobe Flash Player 11.8.800.94
Adobe Reader 7 Adobe Reader out of Date!
Google Chrome 29.0.1547.62
Google Chrome 29.0.1547.66
````````Process Check: objlist.exe by Laurent````````
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
Alwil Software Avast5 AvastSvc.exe
ALWILS~1 Avast5 avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



Adwcleaner.txt

# AdwCleaner v3.003 - Report created 07/09/2013 at 11:23:20
# Updated 07/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Keith Simmons - D1Q0QCC1
# Running from : C:\Documents and Settings\Keith Simmons\My Documents\Downloads\AdwCleaner (1).exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_jcnkjmghmdigcjcajaemenhlleobnhih]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

-\\ Google Chrome v29.0.1547.66

[ File : C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [6263 octets] - [04/09/2013 11:31:37]
AdwCleaner[R1].txt - [2112 octets] - [07/09/2013 09:57:38]
AdwCleaner[R2].txt - [2172 octets] - [07/09/2013 10:15:35]
AdwCleaner[S0].txt - [6291 octets] - [04/09/2013 11:33:19]
AdwCleaner[S1].txt - [2009 octets] - [07/09/2013 11:23:20]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2069 octets] ##########


JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.8 (09.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Keith Simmons on Sat 09/07/2013 at 11:30:34.28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{660552A4-E87B-45B7-98C6-DBCCDA9F2830}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{390A908E-A8CB-4e7c-8102-724F4C50CF08}



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/07/2013 at 11:39:49.70
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


All RKreport.txt

RogueKiller V8.6.9 [Sep 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Keith Simmons [Admin rights]
Mode : Scan -- Date : 09/07/2013 11:51:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : etMonitor (C:\WINDOWS\etMon.exe [-]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] At5.job : C:\DOCUME~1\KEITHS~1\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤




RogueKiller V8.6.9 [Sep 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Keith Simmons [Admin rights]
Mode : Remove -- Date : 09/07/2013 11:52:14
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : etMonitor (C:\WINDOWS\etMon.exe [-]) -> DELETED
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V1][SUSP PATH] At5.job : C:\DOCUME~1\KEITHS~1\APPLIC~1\DSite\UPDATE~1\UPDATE~1.EXE - /Check [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160812AS +++++
--- User ---
[MBR] ccd14587e2bd1506151bda17c281545b
3efdd157322bc54deb4f0f8435ac64f6 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 147793 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 302760990 | Size: 4753 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_09072013_115214.txt >>
RKreport[0]_S_09072013_115134.txt



Thanks again!

Best Regards,

Keith
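RogueKiller dumps the hosts file above as a long run of 127.0.0.1 entries. Entries of that shape are what a hosts-based blocklist such as Spybot's immunization writes; I am assuming that is what they are here rather than confirming it from the thread. The lines that matter in a hosts file are the other kind: a name sent to a routable address, or an update or security-vendor domain sink-holed so the machine can no longer reach it. As an added example (not part of the thread), here is a Python checker that separates the two. The protected-domain list and the last three lines of the sample are constructed for illustration; the rest of the sample mirrors the dump. The file's location is the one RogueKiller printed, %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Sanity-check a Windows hosts file (RogueKiller dumps it as shown above).

Added example, not from the thread. Assumptions: the protected-domain list is
illustrative, and the sample's last three lines are constructed tampering
cases; the other sample lines mirror the 127.0.0.1 entries in the dump.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed for this example: domains a blocklist must never sink-hole, because
# doing so silently cuts the machine off from updates and vendor sites.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "avast.com",
    "spybot.info",
)

REASON_REDIRECT = "hostname redirected to a routable address"
REASON_PROTECTED = "protected domain sink-holed"
REASON_MALFORMED = "malformed line"

# Constructed sample input (first lines mirror the dump, last three are invented).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
0.0.0.0 100sexlinks.com
127.0.0.1 update.microsoft.com   # constructed: blocks Windows Update
198.51.100.7 www.bank.example    # constructed: TEST-NET-2 address, i.e. a redirect
127.0.0.1                        # constructed: malformed, no hostname
"""


@dataclass
class HostsFinding:
    lineno: int
    line: str
    reason: str


def is_blackhole(addr: str) -> bool:
    """True for loopback/unspecified addresses, the only legitimate 'block' targets."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return ip.is_loopback or ip.is_unspecified


def is_protected(name: str) -> bool:
    """Match a hostname or any subdomain against PROTECTED_SUFFIXES."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in PROTECTED_SUFFIXES)


def triage_hosts(text: str):
    """Return (findings, stats): findings are the lines that need a human look."""
    findings, stats = [], Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            if len(parts) < 2:
                raise ValueError("no hostname")
            blackhole = is_blackhole(parts[0])
        except ValueError:
            findings.append(HostsFinding(lineno, raw, REASON_MALFORMED))
            stats["malformed"] += 1
            continue
        for name in parts[1:]:
            if name.lower() == "localhost":
                stats["localhost"] += 1
            elif not blackhole:
                findings.append(HostsFinding(lineno, raw, REASON_REDIRECT))
                stats["redirect"] += 1
            elif is_protected(name):
                findings.append(HostsFinding(lineno, raw, REASON_PROTECTED))
                stats["protected_blocked"] += 1
            else:
                stats["blackholed"] += 1  # ordinary blocklist entry
    return findings, stats


if __name__ == "__main__":
    found, summary = triage_hosts(SAMPLE_HOSTS)
    print(dict(summary))
    for f in found:
        print(f"line {f.lineno}: {f.reason}: {f.line.strip()}")
```

Thousands of 127.0.0.1 lines are not themselves a finding; a single routable address next to a bank or update hostname is, which is why the checker counts the former and reports only the latter.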

Robybel
2013-09-08, 09:31
Hi snurd :)

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html)

====================================================


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC_update.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


[screenshot: cfRC_screen_2.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



On your next reply please post :

Combofix log

Let me know if you have any problems performing the steps above or any questions you may have.

Good Day!

Snurd
2013-09-08, 20:12
Here is the requested log. Thanks!

ComboFix.txt:

ComboFix 13-09-08.02 - Keith Simmons 09/08/2013 12:42:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -5:00]
Running from: c:\documents and settings\Keith Simmons\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\imgdoc2.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Keith Simmons\Cookies\arudonine.bat
c:\documents and settings\Keith Simmons\Cookies\dyvycudi.pif
c:\documents and settings\Keith Simmons\Cookies\ihepofyhuw.inf
c:\documents and settings\Keith Simmons\Cookies\ofukisamac.pif
c:\documents and settings\Keith Simmons\My Documents\~WRL0836.tmp
c:\documents and settings\Keith Simmons\My Documents\~WRL3408.tmp
c:\documents and settings\Keith Simmons\WINDOWS
c:\program files\Common Files\daxipezeju.db
c:\program files\Internet Explorer\SET862.tmp
c:\program files\Internet Explorer\SET863.tmp
c:\program files\Internet Explorer\SET865.tmp
c:\program files\Internet Explorer\SET8C8.tmp
c:\program files\Internet Explorer\SET8C9.tmp
c:\program files\Internet Explorer\SET8CA.tmp
c:\windows\badymivili._sy
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-08-08 to 2013-09-08 )))))))))))))))))))))))))))))))
.
.
2013-09-07 20:44 . 2013-09-07 20:44 -------- d-----w- c:\windows\Q8Y3FKXANT6BHNTZ
2013-09-07 20:25 . 2013-09-07 20:25 -------- d-----w- c:\windows\GDO1DPV16BGTZCIV
2013-09-07 20:19 . 2013-09-07 20:19 -------- d-----w- c:\windows\T1KP27JO164H87KI
2013-09-07 17:29 . 2013-09-07 17:29 -------- d-----w- c:\windows\0W3GZCP2LYBV8KXE
2013-09-07 16:30 . 2013-09-07 16:30 -------- d-----w- c:\windows\ERUNT
2013-09-07 16:25 . 2013-09-07 16:25 -------- d-----w- c:\windows\MXFSYBO1DIV8KXA8
2013-09-06 21:11 . 2013-09-06 21:11 -------- d-----w- c:\windows\9XG7QAUSC3KBVF6P
2013-09-06 21:10 . 2013-09-06 21:10 -------- d-----w- c:\windows\GX0Q9SB2SJW9EKQV
2013-09-06 16:26 . 2013-09-06 16:26 -------- d-----w- c:\windows\RN0CP2EJW864A10Z
2013-09-04 17:45 . 2013-09-04 17:45 -------- d-----w- c:\program files\ERUNT
2013-09-04 16:37 . 2013-09-04 16:37 -------- d-----w- c:\windows\QIUEKXANT6IGFLKJ
2013-09-04 16:36 . 2013-09-04 16:36 -------- d-----w- c:\windows\BM375WFYPGE5O1KX
2013-09-04 16:31 . 2013-09-07 16:23 -------- d-----w- C:\AdwCleaner
2013-09-04 14:18 . 2013-09-04 14:18 -------- d-----w- c:\windows\UJP2LYBHU7JWER3F
2013-09-04 14:17 . 2013-09-04 14:17 -------- d-----w- c:\windows\3VCP2EKXAGFLRJAG
2013-09-04 05:19 . 2013-09-04 05:19 -------- d-----w- c:\windows\NGT6IV8KP2FLRX1K
2013-09-04 05:13 . 2013-09-04 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC VITALWARE
2013-09-04 05:13 . 2013-09-04 05:13 -------- d-----w- c:\documents and settings\Keith Simmons\Application Data\PC VITALWARE
2013-09-04 04:05 . 2013-09-04 04:05 -------- d-----w- c:\windows\IQA1J2ZBVM68YH8Y
2013-09-04 03:00 . 2013-09-04 03:00 -------- d-----w- c:\windows\LA1YI9ZI90J9XNEY
2013-09-04 00:55 . 2013-09-04 00:55 -------- d-----w- c:\windows\D69TXG7XH1YO1LYI
2013-09-03 23:11 . 2013-09-03 23:11 -------- d-----w- c:\windows\XLYB2LYBO1DX2MZJ
2013-09-03 21:19 . 2013-09-03 21:19 -------- d-----w- c:\windows\R14HMR4G05AMZ5HG
2013-09-02 21:36 . 2013-09-02 21:36 -------- d-----w- c:\windows\QFLYBOU7CPOUTLRX
2013-09-02 21:35 . 2013-09-02 21:35 -------- d-----w- c:\windows\GBS5HU0CHU4GTZCP
2013-09-02 20:56 . 2013-09-02 20:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2013-09-02 19:52 . 2013-09-02 19:52 -------- d-----w- c:\windows\S9RA1RB9ZIE5OF6P
2013-09-02 19:47 . 2013-09-02 19:47 -------- d-----w- c:\windows\AEA8C2ZWUSQA1KB2
2013-09-02 18:05 . 2013-09-02 18:05 -------- d-----w- c:\windows\3SHU7CWG0H1EJW9L
2013-09-02 17:28 . 2013-09-02 17:28 -------- d-----w- c:\windows\I5HMZCWNJW9ZJW9E
2013-09-02 17:21 . 2013-09-02 17:21 -------- d-----w- c:\windows\96HTZCP27JONMEDC
2013-09-02 14:52 . 2013-09-02 14:52 -------- d-----w- c:\windows\MWLY4NS5HMZBV8K2
2013-09-02 06:58 . 2013-09-02 06:58 -------- d-----w- c:\windows\SZRUX0UWZ2IE03JW
2013-09-02 06:53 . 2013-09-02 06:53 -------- d-----w- c:\windows\63EXOFZQHZQH8RI9
2013-09-02 06:50 . 2013-09-02 06:50 -------- d-----w- c:\windows\930DAN7CP2EQ3GT6
2013-09-02 06:50 . 2013-09-02 06:50 -------- d-----w- c:\windows\0XQTWZ24DFXTPLHD
2013-09-02 06:39 . 2013-09-02 06:39 -------- d-----w- c:\windows\GCNT6IN05PNTSKJI
2013-09-02 06:38 . 2013-09-02 06:38 -------- d-----w- c:\windows\JEH8YP9ZP9TDXH1K
2013-09-02 06:33 . 2013-09-02 06:33 -------- d-----w- c:\windows\QS5O1DQV8KJB3RIV
2013-09-02 06:32 . 2013-09-02 06:32 -------- d-----w- c:\windows\Y4YEV5EHRT3CFPZS
2013-09-02 06:22 . 2013-09-02 06:22 -------- d-----w- c:\windows\Y6MORUX09IKUNQTW
2013-09-02 06:16 . 2013-09-02 06:16 -------- d-----w- c:\windows\841ZI96W8R8YI2ZJ
2013-09-02 03:39 . 2013-09-02 03:39 -------- d-----w- c:\windows\0AS5AN05IU05HMLK
2013-09-02 03:33 . 2013-09-02 03:33 338 ----a-w- c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
2013-09-01 22:17 . 2013-09-01 22:17 -------- d-----w- c:\windows\SOS2SI2SBVL5H1DQ
2013-09-01 21:03 . 2013-09-01 21:03 -------- d-----w- c:\windows\7HPZGQ7NXE7N4KUB
2013-08-31 22:43 . 2013-08-31 22:43 -------- d-----w- c:\windows\QGY305386IDA7XUS
2013-08-31 22:25 . 2013-08-31 22:25 -------- d-----w- c:\windows\X63N6XG7Q9ZI9SCP
2013-08-31 03:46 . 2013-08-31 03:46 -------- d-----w- c:\windows\7I7JO16IN05A8DBA
2013-08-30 16:20 . 2007-04-09 18:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2013-08-30 16:20 . 2007-04-09 18:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2013-08-30 16:19 . 2013-08-30 16:19 -------- d-----w- c:\program files\Microsoft.NET
2013-08-14 23:03 . 2013-08-14 23:03 -------- d-----w- c:\windows\LAGT6IV8DPV7J3M6
2013-08-14 23:02 . 2013-08-14 23:02 -------- d-----w- c:\windows\WDQ3T6IV0C3M6XGT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-03 19:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-29 22:07 . 2013-07-06 22:33 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-29 22:07 . 2013-07-06 22:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47 . 2005-08-16 10:18 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2005-08-16 10:18 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2005-08-16 10:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-27 19:34 . 2013-03-19 15:20 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-27 19:34 . 2011-06-01 02:29 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-27 19:34 . 2009-03-28 14:33 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2008-11-13 21:56 . 2008-11-13 21:56 11281 ----a-w- c:\program files\Common Files\woko.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
.
c:\documents and settings\Keith Simmons\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-7 21504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-11 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/19/2013 10:20 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/19/2013 10:20 AM 175176]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [11/25/2008 5:52 PM 149376]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/31/2011 9:29 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2009 9:33 AM 369584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 32640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2009 9:33 AM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/19/2013 10:20 AM 66336]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/5/2012 4:33 PM 12184]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 DCamUSBET;ET USB 2710 Camera;c:\windows\system32\drivers\etDevice.sys [6/27/2007 1:59 PM 88704]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [6/27/2007 1:59 PM 103680]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [6/27/2007 1:59 PM 5760]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [11/8/2010 2:45 PM 14592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 10:29 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-08 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-08 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-07 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-07 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-08 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-06 08:58]
.
2013-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
.
2013-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
uInternet Connection Wizard,ShellNext = hxxp://home.frontiernet.net/WelcomeCD.asp
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
AddRemove-EL-USB&10C4&0002 - c:\program files\Silabs\MCU\DriverUninstall\DriverUninstaller.exe USBXpress\EL-USB&10C4&0002
AddRemove-QuickBooks - c:\program files\Intuit\QuickBooks\DeIsL1.isu
AddRemove-SmileBox_EN Toolbar - c:\program files\SmileBox_EN\uninstall.exe
AddRemove-DSite - c:\documents and settings\Keith Simmons\Application Data\DSite\UpdateProc\UpdateTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-08 13:03
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\guard32.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(760)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2013-09-08 13:05:45
ComboFix-quarantined-files.txt 2013-09-08 18:05
.
Pre-Run: 117,411,885,056 bytes free
Post-Run: 117,538,107,392 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 432BCEEFE0DD8BB1D0711BB57F8BC230
5CB90281D1A59B251F6603134774EEC3

Robybel
2013-09-09, 06:39
Hi snurd :)

Please follow all previous instructions regarding security programs.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE





Folder::
c:\windows\Q8Y3FKXANT6BHNTZ
c:\windows\GDO1DPV16BGTZCIV
c:\windows\T1KP27JO164H87KI
c:\windows\0W3GZCP2LYBV8KXE
c:\windows\MXFSYBO1DIV8KXA8
c:\windows\9XG7QAUSC3KBVF6P
c:\windows\GX0Q9SB2SJW9EKQV
c:\windows\RN0CP2EJW864A10Z
c:\windows\QIUEKXANT6IGFLKJ
c:\windows\BM375WFYPGE5O1KX
c:\windows\UJP2LYBHU7JWER3F
c:\windows\3VCP2EKXAGFLRJAG
c:\windows\NGT6IV8KP2FLRX1K
c:\windows\IQA1J2ZBVM68YH8Y
c:\windows\LA1YI9ZI90J9XNEY
c:\windows\D69TXG7XH1YO1LYI
c:\windows\XLYB2LYBO1DX2MZJ
c:\windows\R14HMR4G05AMZ5HG
c:\windows\QFLYBOU7CPOUTLRX
c:\windows\GBS5HU0CHU4GTZCP
c:\windows\S9RA1RB9ZIE5OF6P
c:\windows\AEA8C2ZWUSQA1KB2
c:\windows\3SHU7CWG0H1EJW9L
c:\windows\I5HMZCWNJW9ZJW9E
c:\windows\96HTZCP27JONMEDC
c:\windows\MWLY4NS5HMZBV8K2
c:\windows\SZRUX0UWZ2IE03JW
c:\windows\63EXOFZQHZQH8RI9
c:\windows\930DAN7CP2EQ3GT6
c:\windows\0XQTWZ24DFXTPLHD
c:\windows\GCNT6IN05PNTSKJI
c:\windows\JEH8YP9ZP9TDXH1K
c:\windows\QS5O1DQV8KJB3RIV
c:\windows\Y4YEV5EHRT3CFPZS
c:\windows\Y6MORUX09IKUNQTW
c:\windows\841ZI96W8R8YI2ZJ
c:\windows\0AS5AN05IU05HMLK
c:\windows\SOS2SI2SBVL5H1DQ
c:\windows\7HPZGQ7NXE7N4KUB
c:\windows\QGY305386IDA7XUS
c:\windows\X63N6XG7Q9ZI9SCP
c:\windows\7I7JO16IN05A8DBA
c:\windows\LAGT6IV8DPV7J3M6
c:\windows\WDQ3T6IV0C3M6XGT




In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Next

You will have to unhide files/folders to see the "Local Settings" and "Application Data" folders. To do that, click on My Computer then go to Tools - Folder Options and click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Next

Please go to: VirusTotal (http://www.virustotal.com)

http://i204.photobucket.com/albums/bb106/Juliet702/virustotal2-SWI.png

Click the Browse button and search for the following file:

c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat

Click Open
Then click Send File
Please be patient while the file is scanned.
Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.
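
The CFScript above was assembled by hand from the "Files Created" section of the ComboFix log: every entry is a directory directly under c:\windows with a 16-character name made of random uppercase letters and digits. The following script is an added example (not ComboFix code and not the helper's own tooling) that parses lines in that log format, flags directories matching that pattern, and renders them as the same Folder:: block, so the list can be checked against the log rather than retyped. The "16 characters of [A-Z0-9] with high entropy" rule is an assumption drawn from the names in this thread, not a documented ComboFix rule, and the sample log is constructed from a few lines of the posted log plus benign entries; anything it flags still needs a human look before it goes into a script.

```python
"""Flag randomly named directories in a ComboFix "Files Created" listing
and emit them as a CFScript Folder:: block for review.

Added example; not ComboFix code and not the forum helper's tooling.
The 16-character [A-Z0-9] heuristic is an assumption drawn from the
directory names in the posted log, not a documented ComboFix rule.
"""
import math
import re
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "created modified size attrs path")

# One line per entry: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+?)\s*$"
)

# Names that are exactly 16 uppercase letters/digits (assumed pattern).
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{16}$")

# Constructed sample: a few lines in ComboFix's format, some taken verbatim
# from the log posted in this thread, with a benign directory and plain files
# mixed in so the filter has something to reject.
SAMPLE_LOG = r"""
2013-09-07 20:44 . 2013-09-07 20:44 -------- d-----w- c:\windows\Q8Y3FKXANT6BHNTZ
2013-09-07 16:30 . 2013-09-07 16:30 -------- d-----w- c:\windows\ERUNT
2013-09-04 17:45 . 2013-09-04 17:45 -------- d-----w- c:\program files\ERUNT
2013-09-02 03:33 . 2013-09-02 03:33 338 ----a-w- c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
2013-08-30 16:20 . 2007-04-09 18:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2013-08-14 23:02 . 2013-08-14 23:02 -------- d-----w- c:\windows\WDQ3T6IV0C3M6XGT
"""


def parse_entries(text):
    """Parse 'Files Created' lines into Entry tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        # Directories carry "--------" where files carry a byte count.
        size_val = None if size == "--------" else int(size)
        entries.append(Entry(created, modified, size_val, attrs, path))
    return entries


def shannon_entropy(s):
    """Bits per character; a 16-char random [A-Z0-9] name lands well above 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random_windows_dir(entry):
    """True for a directory directly under the Windows directory whose name
    is 16 chars of [A-Z0-9], mixes letters and digits, and has high entropy."""
    if not entry.attrs.startswith("d"):
        return False
    parent, _, name = entry.path.rpartition("\\")
    if parent.lower() != r"c:\windows":
        return False
    if not RANDOM_NAME_RE.match(name):
        return False
    has_digit = any(ch.isdigit() for ch in name)
    has_alpha = any(ch.isalpha() for ch in name)
    return has_digit and has_alpha and shannon_entropy(name) >= 3.0


def suspicious_dirs(text):
    """Flagged directory paths in log order, de-duplicated."""
    seen, out = set(), []
    for e in parse_entries(text):
        if looks_random_windows_dir(e) and e.path not in seen:
            seen.add(e.path)
            out.append(e.path)
    return out


def build_cfscript(paths):
    """Render the Folder:: block in the form pasted into CFScript.txt."""
    if not paths:
        return ""
    return "Folder::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_cfscript(suspicious_dirs(SAMPLE_LOG)))
```

Run against the full ComboFix.txt the script reproduces the 44 directories in the helper's list; the ERUNT, AdwCleaner and PC VITALWARE directories are left alone because they fail the name pattern, and poetsch.bat is left for the VirusTotal step because it is a file, not a directory.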

Snurd
2013-09-09, 07:53
Latest results: Thanks!

ComboFix.txt

ComboFix 13-09-08.02 - Keith Simmons 09/09/2013 0:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.559 [GMT -5:00]
Running from: c:\documents and settings\Keith Simmons\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Keith Simmons\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\0AS5AN05IU05HMLK
c:\windows\0W3GZCP2LYBV8KXE
c:\windows\0XQTWZ24DFXTPLHD
c:\windows\3SHU7CWG0H1EJW9L
c:\windows\3VCP2EKXAGFLRJAG
c:\windows\63EXOFZQHZQH8RI9
c:\windows\7HPZGQ7NXE7N4KUB
c:\windows\7I7JO16IN05A8DBA
c:\windows\841ZI96W8R8YI2ZJ
c:\windows\930DAN7CP2EQ3GT6
c:\windows\96HTZCP27JONMEDC
c:\windows\9XG7QAUSC3KBVF6P
c:\windows\AEA8C2ZWUSQA1KB2
c:\windows\BM375WFYPGE5O1KX
c:\windows\D69TXG7XH1YO1LYI
c:\windows\GBS5HU0CHU4GTZCP
c:\windows\GCNT6IN05PNTSKJI
c:\windows\GDO1DPV16BGTZCIV
c:\windows\GX0Q9SB2SJW9EKQV
c:\windows\I5HMZCWNJW9ZJW9E
c:\windows\IQA1J2ZBVM68YH8Y
c:\windows\JEH8YP9ZP9TDXH1K
c:\windows\LA1YI9ZI90J9XNEY
c:\windows\LAGT6IV8DPV7J3M6
c:\windows\MWLY4NS5HMZBV8K2
c:\windows\MXFSYBO1DIV8KXA8
c:\windows\NGT6IV8KP2FLRX1K
c:\windows\Q8Y3FKXANT6BHNTZ
c:\windows\QFLYBOU7CPOUTLRX
c:\windows\QGY305386IDA7XUS
c:\windows\QIUEKXANT6IGFLKJ
c:\windows\QS5O1DQV8KJB3RIV
c:\windows\R14HMR4G05AMZ5HG
c:\windows\RN0CP2EJW864A10Z
c:\windows\S9RA1RB9ZIE5OF6P
c:\windows\SOS2SI2SBVL5H1DQ
c:\windows\SZRUX0UWZ2IE03JW
c:\windows\T1KP27JO164H87KI
c:\windows\UJP2LYBHU7JWER3F
c:\windows\WDQ3T6IV0C3M6XGT
c:\windows\X63N6XG7Q9ZI9SCP
c:\windows\XLYB2LYBO1DX2MZJ
c:\windows\Y4YEV5EHRT3CFPZS
c:\windows\Y6MORUX09IKUNQTW
.
.
((((((((((((((((((((((((( Files Created from 2013-08-09 to 2013-09-09 )))))))))))))))))))))))))))))))
.
.
2013-09-08 18:41 . 2013-09-08 18:41 -------- d-----w- c:\windows\BQFZ5OTZCPONMEW2
2013-09-07 16:30 . 2013-09-07 16:30 -------- d-----w- c:\windows\ERUNT
2013-09-04 17:45 . 2013-09-04 17:45 -------- d-----w- c:\program files\ERUNT
2013-09-04 16:31 . 2013-09-07 16:23 -------- d-----w- C:\AdwCleaner
2013-09-04 05:13 . 2013-09-04 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC VITALWARE
2013-09-04 05:13 . 2013-09-04 05:13 -------- d-----w- c:\documents and settings\Keith Simmons\Application Data\PC VITALWARE
2013-09-02 20:56 . 2013-09-02 20:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2013-09-02 03:33 . 2013-09-02 03:33 338 ----a-w- c:\documents and settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
2013-08-30 16:20 . 2007-04-09 18:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2013-08-30 16:20 . 2007-04-09 18:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2013-08-30 16:19 . 2013-08-30 16:19 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-03 19:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-29 22:07 . 2013-07-06 22:33 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-29 22:07 . 2013-07-06 22:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-26 02:47 . 2005-08-16 10:18 920064 ----a-w- c:\windows\system32\wininet.dll
2013-07-26 02:47 . 2005-08-16 10:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2005-08-16 10:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2013-07-10 10:37 . 2005-08-16 10:18 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2005-08-16 10:18 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-27 19:34 . 2013-03-19 15:20 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-27 19:34 . 2011-06-01 02:29 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-27 19:34 . 2009-03-28 14:33 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2008-11-13 21:56 . 2008-11-13 21:56 11281 ----a-w- c:\program files\Common Files\woko.bin
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58 121968 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
.
c:\documents and settings\Keith Simmons\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-7 21504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-11 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-10-2 815104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03 66328 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [3/19/2013 10:20 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [3/19/2013 10:20 AM 175176]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [11/25/2008 5:52 PM 149376]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/31/2011 9:29 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2009 9:33 AM 369584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 32640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2009 9:33 AM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [3/19/2013 10:20 AM 66336]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/5/2012 4:33 PM 12184]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 DCamUSBET;ET USB 2710 Camera;c:\windows\system32\drivers\etDevice.sys [6/27/2007 1:59 PM 88704]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [6/27/2007 1:59 PM 103680]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [6/27/2007 1:59 PM 5760]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [11/8/2010 2:45 PM 14592]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-04 10:29 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-08 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-09 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-08 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-08 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 03:12]
.
2013-09-09 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-06 08:58]
.
2013-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
.
2013-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
uInternet Connection Wizard,ShellNext = hxxp://home.frontiernet.net/WelcomeCD.asp
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-09 00:31
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\guard32.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(764)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2013-09-09 00:33:56
ComboFix-quarantined-files.txt 2013-09-09 05:33
ComboFix2.txt 2013-09-08 18:05
.
Pre-Run: 117,445,287,936 bytes free
Post-Run: 117,433,683,968 bytes free
.
- - End Of File - - 5AB083EABD964472F78945DCE34E4E61
5CB90281D1A59B251F6603134774EEC3




Virus Total Scan:

SHA256: 064d7b44ca6a31b7905cbb69021271cca86b81cb090467b72871d3dc08fd1ecf
SHA1: ababf26a021b40984011c933cba2734ae883308b
MD5: 66bf6205ff477f3978c69cd2cbfb24b7
File size: 338 bytes ( 338 bytes )
File name: poetsch.bat
File type: Text
Detection ratio: 0 / 47
Analysis date: 2013-09-09 05:43:32 UTC ( 0 minutes ago )


Analysis:

Antivirus Result: (Note: all have green checks beside the result)

Agnitum  20130908
AhnLab-V3  20130908
AntiVir  20130909
Antiy-AVL  20130908
Avast  20130909
AVG  20130908
Baidu-International  20130908
BitDefender  20130909
ByteHero  20130903
CAT-QuickHeal  20130908
ClamAV  20130909
Commtouch  20130909
Comodo  20130909
DrWeb  20130909
Emsisoft  20130909
ESET-NOD32  20130908
F-Prot  20130909
F-Secure  20130909
Fortinet  20130909
GData  20130909
Ikarus  20130909
Jiangmin  20130903
K7AntiVirus  20130906
K7GW  20130906
Kaspersky  20130909
Kingsoft  20130829
Malwarebytes  20130909
McAfee  20130909
McAfee-GW-Edition  20130909
Microsoft  20130909
MicroWorld-eScan  20130909
NANO-Antivirus  20130909
Norman  20130908
nProtect  20130909
Panda  20130908
PCTools  20130908
Rising  20130906
Sophos  20130909
SUPERAntiSpyware  20130908
Symantec  20130909
TheHacker  20130908
TotalDefense  20130906
TrendMicro  20130909
TrendMicro-HouseCall  20130909
VBA32  20130906
VIPRE  20130909
ViRobot  20130909

Additional Information:

File identification
MD5 66bf6205ff477f3978c69cd2cbfb24b7
SHA1 ababf26a021b40984011c933cba2734ae883308b
SHA256 064d7b44ca6a31b7905cbb69021271cca86b81cb090467b72871d3dc08fd1ecf
ssdeep 6:mRpLqFsAmBYKdEARm5oJQ+pK/2AY5798rdEARm5oJQ+pK/2AY579V9J40DoCdEAj:mRlqFs7mjGi6HwmjGi6HV9J4dRjGi6/

File size 338 bytes ( 338 bytes )
File type Text
Magic literal ASCII text, with CRLF line terminators

TrID file seems to be plain text/ASCII (0.0%)


VirusTotal metadata
First submission 2013-09-09 05:43:32 UTC ( 7 minutes ago )
Last submission 2013-09-09 05:43:32 UTC ( 7 minutes ago )
File names poetsch.bat

Robybel
2013-09-10, 07:34
Hi snurd

very good job


Please open your MalwareBytes AntiMalware Program
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Next


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up the scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://www.eset.com/online-scanner-popup/)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for the report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
Push the Back button.
Select Uninstall application on close check box and push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

On your next reply please post :

MBAM log
ESET Report

Let me know if you have any problems performing the steps above or any questions you may have.

Good Day!

Snurd
2013-09-10, 18:50
Hi Robybel,

Thanks for the very detailed instructions! It makes it very easy to follow and perform all the requested tasks.

Here are the latest results requested.

MBAM LOG

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.10.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Keith Simmons :: D1Q0QCC1 [administrator]

9/10/2013 8:36:54 AM
mbam-log-2013-09-10 (08-36-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238890
Time elapsed: 8 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Keith Simmons\My Documents\Downloads\Express_Installer.exe (PUP.Optional.IBryte) -> Quarantined and deleted successfully.

(end)


ESET REPORT

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen18.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen19.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen20.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinDownloadergen21.zip Win32/Bagle.gen.zip worm


Best regards,

Keith

Robybel
2013-09-11, 21:30
Hi Snurd :)

Good job
Scan with OTL

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under Custom Scan paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
/md5stop
%systemroot%\*. /rp /s
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
DRIVES
CREATERESTOREPOINT


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
You may need two posts to fit them both in.
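A small triage helper, added here as an example and not part of the thread or of OTL itself: it parses the `[date | size | attrs | C/M] (company) -- path` lines that the "Files/Folders - Created Within 30 Days" section of an OTL scan produces and flags the entries a helper reads first (random-looking folders under the Windows directory, executables with no company name). The sample log is constructed in the OTL line format; the `example_nocompany.exe` line is made up and the heuristics are assumptions, not OTL's own logic.

```python
"""Triage helper for OTL 'Created Within 30 Days' output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line format as seen in an OTL.txt, e.g.:
# [2013/09/08 12:31:43 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

# Assumed heuristic: long all-caps alphanumeric folder names mixing letters and digits.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{12,}$")
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".bat", ".cmd", ".pif")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str            # R/H/S/D flags, '-' when unset
    kind: str             # 'C' = created, 'M' = modified
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Return every file/folder entry found in an OTL log section."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines and summary lines are skipped
        company = m.group("company")
        entries.append(OtlEntry(
            timestamp=m.group("ts"),
            size=int(m.group("size").replace(",", "")),
            attrs=m.group("attrs"),
            kind=m.group("kind"),
            company=company if company else None,  # '()' and no parens both mean unknown
            path=m.group("path"),
        ))
    return entries


def looks_random(name: str) -> bool:
    return (bool(RANDOM_NAME.match(name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage(text: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Flag entries worth asking the poster about; findings are leads, not verdicts."""
    findings = []
    for e in parse_otl_entries(text):
        parent, _, name = e.path.rpartition("\\")
        if e.is_dir and parent.lower() == system_root.lower() and looks_random(name):
            findings.append(f"random-looking folder under SystemRoot: {e.path} ({e.timestamp})")
        elif not e.is_dir and name.lower().endswith(EXEC_EXT) and e.company is None:
            findings.append(f"executable with no company name: {e.path} ({e.size} bytes)")
    return findings


# Constructed sample in OTL format; the last entry before the summary line is invented.
SAMPLE = r"""
========== Files/Folders - Created Within 30 Days ==========

[2013/09/10 08:53:27 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/09/10 08:47:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\KYBO1KQ3FR4HU7CA
[2013/09/09 00:33:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/09/08 12:31:43 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/09/08 12:35:48 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/09/03 23:19:55 | 001,898,112 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\User\Desktop\rkill.com
[2013/09/01 10:00:00 | 000,045,056 | -H-- | C] () -- C:\WINDOWS\system32\example_nocompany.exe
[38 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```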

Snurd
2013-09-11, 22:43
Hi Robybel,

I've included the OTL.txt file below. The Extras.Txt is in the next post.

Best,

Keith


OTL.txt

OTL logfile created on: 9/11/2013 3:23:47 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Keith Simmons\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.84 Mb Total Physical Memory | 550.26 Mb Available Physical Memory | 54.27% Memory free
2.38 Gb Paging File | 1.88 Gb Available in Paging File | 78.86% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.33 Gb Total Space | 109.20 Gb Free Space | 75.66% Space Free | Partition Type: NTFS
Drive D: | 6.27 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: D1Q0QCC1 | User Name: Keith Simmons | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Keith Simmons\My Documents\Downloads\OTL (1).exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
PRC - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
PRC - C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Microsoft Works\WkDStore.exe (Microsoft® Corporation)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Alwil Software\Avast5\defs\13091100\algo.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\13091000\algo.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\_pdfxp.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()
MOD - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcnet.dll ()
MOD - C:\WINDOWS\system32\Dels3LMK.DLL ()
MOD - C:\WINDOWS\system32\pdfmonnt.dll ()


========== Services (SafeList) ==========

SRV - (SymAppCore) -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe File not found
SRV - (CLTNetCnService) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (cmdAgent) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
SRV - (LBTServ) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (wanatw) -- system32\DRIVERS\wanatw4.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (motport) -- system32\DRIVERS\motport.sys File not found
DRV - (motmodem) -- system32\DRIVERS\motmodem.sys File not found
DRV - (motccgpfl) -- system32\DRIVERS\motccgpfl.sys File not found
DRV - (motccgp) -- system32\DRIVERS\motccgp.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\KEITHS~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (bvrp_pci) -- File not found
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswVmm) -- C:\WINDOWS\System32\drivers\aswVmm.sys ()
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswRvrt) -- C:\WINDOWS\System32\drivers\aswRvrt.sys ()
DRV - (aswMonFlt) -- C:\WINDOWS\system32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Inspect) -- C:\WINDOWS\system32\drivers\inspect.sys (COMODO)
DRV - (cmdHlp) -- C:\WINDOWS\system32\drivers\cmdhlp.sys (COMODO)
DRV - (cmdGuard) -- C:\WINDOWS\system32\drivers\cmdGuard.sys (COMODO)
DRV - (taphss) -- C:\WINDOWS\system32\drivers\taphss.sys (AnchorFree Inc)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LUsbFilt) -- C:\WINDOWS\system32\drivers\LUsbFilt.sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LBeepKE) -- C:\WINDOWS\system32\drivers\LBeepKE.sys (Logitech, Inc.)
DRV - (SIUSBXP) -- C:\WINDOWS\system32\drivers\SiUSBXp.sys (Silicon Laboratories)
DRV - (tffsport) -- C:\WINDOWS\system32\drivers\tffsport.sys (M-Systems)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (FiltUSBET) -- C:\WINDOWS\system32\drivers\etFilter.sys (eMPIA Technology Inc.)
DRV - (ScanUSBET) -- C:\WINDOWS\system32\drivers\etScan.sys (eMPIA Technology, Inc.)
DRV - (DCamUSBET) -- C:\WINDOWS\system32\drivers\etDevice.sys (eMPIA Technology, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070111
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070111
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.yahoo.com?fr=fp-comodo
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B2 84 FD B5 2D 5A CD 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKCU\..\SearchScopes\{BEA62368-C50A-453E-A94B-84DC9D8027FA}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DMUS
IE - HKCU\..\SearchScopes\{F91E27C5-D445-456F-8C38-F80EA76D3F7D}: "URL" = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Keith Simmons\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Keith Simmons\Application Data\Move Networks\plugins\npqmp071705000014.dll (Move Networks)

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Keith Simmons\Application Data\Move Networks [2010/01/19 17:29:07 | 000,000,000 | ---D | M]

[2013/08/02 23:16:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Keith Simmons\Application Data\Mozilla\Extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://us.yahoo.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\29.0.1547.66\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Move Streaming Media Player (Enabled) = C:\Documents and Settings\Keith Simmons\Application Data\Move Networks\plugins\npqmp071705000014.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: Google Drive = C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Chrome In-App Payments service = C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0\
CHR - Extension: Gmail = C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/09/08 13:03:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No CLSID value found.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A93A3CC9-BA23-4D0D-9440-6A0148362B7E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O4 - Startup: C:\Documents and Settings\Keith Simmons\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87A4AD3F-113A-4EA7-8351-9EB8BFD5832D}: DhcpNameServer = 192.168.254.254
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/KEITHS~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Components:1 () - file:///C:/DOCUME~1/KEITHS~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Components:2 () - file:///C:/DOCUME~1/KEITHS~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Components:3 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Keith Simmons\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Keith Simmons\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/09/10 08:53:27 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/09/10 08:47:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\KYBO1KQ3FR4HU7CA
[2013/09/09 17:52:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\96INTLKJIOU0Y4SR
[2013/09/09 00:33:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/09/08 13:41:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\BQFZ5OTZCPONMEW2
[2013/09/08 12:35:48 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/09/08 12:31:43 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/09/08 12:31:43 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/09/08 12:31:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/09/08 12:31:43 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/09/08 12:31:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/09/07 11:45:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith Simmons\Desktop\RK_Quarantine
[2013/09/07 11:30:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/09/04 12:46:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2013/09/04 12:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2013/09/04 12:45:37 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/09/04 11:31:30 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/09/04 00:13:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keith Simmons\Application Data\PC VITALWARE
[2013/09/04 00:13:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC VITALWARE
[2013/09/03 23:19:55 | 001,898,112 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Keith Simmons\Desktop\rkill.com
[2013/09/03 14:43:45 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Keith Simmons\Recent
[2013/09/02 09:31:44 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/08/30 11:20:57 | 000,028,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mdimon.dll
[2013/08/30 11:20:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2013/08/30 11:19:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[38 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/09/11 15:29:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/09/11 15:23:42 | 000,051,208 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Application Data\wklnhst.dat
[2013/09/11 14:00:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2013/09/11 13:29:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/09/11 10:10:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/09/11 05:50:00 | 000,000,318 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013/09/10 21:32:14 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\Microsoft Office Outlook 2003.lnk
[2013/09/10 20:40:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/09/10 18:43:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2013/09/10 08:53:09 | 000,001,039 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\Shortcut to esetsmartinstaller_enu.exe.lnk
[2013/09/10 08:47:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/09/10 08:47:08 | 1063,165,952 | -HS- | M] () -- C:\hiberfil.sys
[2013/09/09 17:50:36 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2013/09/08 13:03:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/09/08 12:35:53 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2013/09/08 12:26:20 | 000,000,969 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\Shortcut to ComboFix.exe.lnk
[2013/09/05 09:15:12 | 000,002,321 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EasyLog USB.lnk
[2013/09/04 15:48:19 | 000,005,119 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\attachtxt.zip
[2013/09/04 14:56:01 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\MBR.dat
[2013/09/04 14:55:25 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\My Documents\MBR.dat
[2013/09/04 12:45:41 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2013/09/04 12:45:38 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\NTREGOPT.lnk
[2013/09/04 12:45:38 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\ERUNT.lnk
[2013/09/04 05:36:24 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/09/03 23:19:58 | 001,898,112 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Keith Simmons\Desktop\rkill.com
[2013/09/03 20:05:29 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/09/03 14:42:52 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/09/02 12:21:18 | 000,282,928 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/09/02 11:58:02 | 000,000,777 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2013/09/02 09:10:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/09/01 22:33:22 | 000,000,338 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
[2013/08/31 17:48:02 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2013/08/31 17:47:56 | 000,445,836 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/08/31 17:47:56 | 000,073,042 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/08/30 11:21:01 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2013/08/30 11:20:28 | 000,000,974 | ---- | M] () -- C:\Documents and Settings\Keith Simmons\Desktop\Microsoft Word.lnk
[2013/08/30 02:48:13 | 000,369,584 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013/08/30 02:48:13 | 000,177,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/08/30 02:48:13 | 000,056,080 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013/08/30 02:48:12 | 000,770,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013/08/30 02:48:12 | 000,049,760 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013/08/30 02:48:12 | 000,049,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/08/30 02:48:11 | 000,066,336 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013/08/30 02:48:11 | 000,029,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013/08/30 02:47:40 | 000,041,664 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013/08/30 02:47:32 | 000,229,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[38 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/09/10 08:53:09 | 000,001,039 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\Shortcut to esetsmartinstaller_enu.exe.lnk
[2013/09/08 12:35:53 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2013/09/08 12:35:49 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/09/08 12:31:43 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/09/08 12:31:43 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/09/08 12:31:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/09/08 12:31:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/09/08 12:31:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/09/08 12:26:20 | 000,000,969 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\Shortcut to ComboFix.exe.lnk
[2013/09/04 15:46:02 | 000,005,119 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\attachtxt.zip
[2013/09/04 14:55:25 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\My Documents\MBR.dat
[2013/09/04 13:32:24 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\MBR.dat
[2013/09/04 12:45:41 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2013/09/04 12:45:38 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\NTREGOPT.lnk
[2013/09/04 12:45:38 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\ERUNT.lnk
[2013/09/04 09:17:25 | 1063,165,952 | -HS- | C] () -- C:\hiberfil.sys
[2013/09/01 22:33:22 | 000,000,338 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\poetsch.bat
[2013/08/30 12:04:39 | 000,002,521 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\Microsoft Office Outlook 2003.lnk
[2013/08/30 12:02:05 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2013/08/30 11:20:28 | 000,000,974 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Desktop\Microsoft Word.lnk
[2013/08/02 23:24:16 | 000,596,176 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/06/27 14:34:33 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys.sum
[2013/06/26 21:16:10 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswSP.sys.sum
[2013/06/26 21:16:10 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswSnx.sys.sum
[2013/05/19 01:59:56 | 000,004,922 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\unnamed001.jpg
[2013/05/19 01:57:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\unnamed.png
[2013/03/19 10:20:13 | 000,177,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/03/19 10:20:13 | 000,049,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2012/02/27 14:55:25 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfmonnt.dll
[2012/02/27 14:55:16 | 000,000,164 | ---- | C] () -- C:\WINDOWS\System32\psconv.ini
[2012/02/14 22:46:45 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/31 11:28:09 | 000,000,024 | ---- | C] () -- C:\WINDOWS\SW_Win3112X32.DLL
[2012/01/09 01:36:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\doc2pdf_win.INI
[2012/01/09 01:28:48 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\docPrint.dat
[2012/01/09 01:28:29 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\_pdfxp.dll
[2012/01/04 17:16:29 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2009/12/20 12:27:47 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Application Data\dvd.bmk
[2008/11/13 16:56:09 | 000,017,795 | ---- | C] () -- C:\Program Files\Common Files\selubyg.inf
[2008/11/13 16:56:09 | 000,015,234 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\vafyluto.pif
[2008/11/13 16:56:09 | 000,012,821 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\evitedyvuk.dat
[2008/11/13 16:56:09 | 000,011,281 | ---- | C] () -- C:\Program Files\Common Files\woko.bin
[2008/05/10 13:38:42 | 000,000,014 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\usb001
[2007/01/24 15:52:47 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/17 21:50:25 | 000,051,208 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Application Data\wklnhst.dat
[2007/01/17 21:44:37 | 000,488,250 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\TRANSFORMS=1033.mst
[2007/01/17 21:44:37 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Keith Simmons\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2005/08/16 05:39:16 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2010/06/17 16:20:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2005/08/16 21:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2013/09/04 00:24:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC VITALWARE
[2012/01/23 21:18:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Visan
[2013/05/23 13:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2012/03/14 09:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Dropbox
[2011/07/28 19:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Leadertech
[2012/12/18 13:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Motorola
[2012/12/18 13:36:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Motorola Mobility
[2013/09/04 00:13:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\PC VITALWARE
[2010/06/14 13:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\R-Wipe&Clean
[2008/11/25 17:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Simple Star
[2007/02/19 12:44:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Template
[2008/08/12 23:40:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Uniblue
[2012/01/23 22:14:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Keith Simmons\Application Data\Visan

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/10 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SERVICES.EXE >
[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\ERDNT\cache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/10 06:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\i386\services.exe
[2004/08/10 06:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/10 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
[2004/08/10 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/10 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2004/08/10 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/10 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/10 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /rp /s >

< %systemdrive%\$Recycle.Bin|@;true;true;true /fp >

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: SCSI
Media Type: Fixed\thard disk media
Model: ST3160812AS
Partitions: 3
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 39.00MB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 144.00GB
Starting Offset: 41126400
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 5.00GB
Starting Offset: 155013626880
Hidden sectors: 0


========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

========== Alternate Data Streams ==========

@Alternate Data Stream - 332 bytes -> C:\Documents and Settings\Keith Simmons\My Documents\China432.jpg:SummaryInformation
@Alternate Data Stream - 332 bytes -> C:\Documents and Settings\Keith Simmons\Desktop\China432.jpg:SummaryInformation

< End of report >

Snurd
2013-09-11, 22:46
Extras.Txt

OTL Extras logfile created on: 9/11/2013 3:23:47 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Keith Simmons\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.84 Mb Total Physical Memory | 550.26 Mb Available Physical Memory | 54.27% Memory free
2.38 Gb Paging File | 1.88 Gb Available in Paging File | 78.86% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.33 Gb Total Space | 109.20 Gb Free Space | 75.66% Space Free | Partition Type: NTFS
Drive D: | 6.27 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: D1Q0QCC1 | User Name: Keith Simmons | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0
"UPDATESDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\WINDOWS\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\USBSetup.exe" = C:\Program Files\HP\HP Deskjet 1000 J110 series\Bin\USBSetup.exe:LocalSubNet:Enabled:HP Device Setup -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{06040048-3E21-46D6-9A91-D927BA08F41D}" = Microsoft Encarta Encyclopedia Standard 2006
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel(R) PRO Network Connections
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{14374621-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Basic 2005
"{17E3A651-12B9-4149-BAE8-E6FB9A5ADC4F}" = Microsoft Works Suite Add-in for Microsoft Word
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5D95AD35-368F-47D5-B63A-A082DDF00116}" = Microsoft Digital Image Standard 2006 Editor
"{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}" = EarthLink Setup Files
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{691F4068-81BF-49E3-B32E-FE3E16400112}" = Microsoft Digital Image Standard 2006 Library
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{822B325F-9CDD-4E78-87A2-35E6F0DDEEA2}" = HP Deskjet 1000 J110 series Product Improvement Study
"{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC6B1BB4-4E06-4A5B-A166-B371B551324B}" = COMODO Internet Security
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{DDC63227-BA06-4855-B002-BDB49E9F677E}" = Symantec Technical Support Web Controls
"{DDDFCC77-7F9C-45E9-B38E-721BA599BA0C}" = HP Deskjet 1000 J110 series Help
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F3D5ECF7-7AE4-4B53-8A7E-1F850D6AE6B4}" = USB Video/Audio Device Driver
"{F4B1B985-F308-4DBA-BFD7-CCCB8839234B}" = HP Deskjet 1000 J110 series Basic Device Software
"{FF631EC0-370E-460A-8A22-46D8DC243AD7}" = EasyLog USB
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Batch Word to PNG Converter" = Batch Word to PNG Converter
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Dell Laser Printer 1110" = Dell Laser Printer 1110 Software Uninstall
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ERUNT_is1" = ERUNT 1.1j
"ESPNMotion" = ESPNMotion
"Free PS Convert driver_is1" = Free PS Convert driver 8.15
"Google Chrome" = Google Chrome
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureItPrem_v11" = Microsoft Digital Image Standard 2006
"RealPlayer 6.0" = RealPlayer Basic
"sp6" = Logitech SetPoint 6.32
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2006Setup" = Microsoft Works Suite 2006 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 20 Event Log Errors ==========

[ Antivirus Events ]
Error - 11/20/2009 6:47:05 PM | Computer Name = D1Q0QCC1 | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 9/3/2013 11:10:14 PM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2013 11:10:19 PM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2013 11:10:20 PM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2013 11:10:20 PM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2013 11:10:20 PM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2013 11:11:37 PM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/3/2013 11:49:51 PM | Computer Name = D1Q0QCC1 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/4/2013 1:28:08 AM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/4/2013 1:28:10 AM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/4/2013 1:28:22 AM | Computer Name = D1Q0QCC1 | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 9/7/2013 4:25:14 PM | Computer Name = D1Q0QCC1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000022'
while processing the file 'avast5.ini' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 9/7/2013 4:44:55 PM | Computer Name = D1Q0QCC1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 9/7/2013 4:45:01 PM | Computer Name = D1Q0QCC1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000022'
while processing the file 'avast5.ini' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 9/8/2013 1:31:34 PM | Computer Name = D1Q0QCC1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000022'
while processing the file 'desktop.ini' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 9/8/2013 2:41:17 PM | Computer Name = D1Q0QCC1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 9/8/2013 2:41:23 PM | Computer Name = D1Q0QCC1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000022'
while processing the file 'avast5.ini' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 9/9/2013 6:52:58 PM | Computer Name = D1Q0QCC1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 9/9/2013 6:53:03 PM | Computer Name = D1Q0QCC1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000022'
while processing the file 'avast5.ini' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.

Error - 9/10/2013 9:47:36 AM | Computer Name = D1Q0QCC1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd tffsport

Error - 9/10/2013 9:47:38 AM | Computer Name = D1Q0QCC1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000022'
while processing the file 'avast5.ini' on the volume 'HarddiskVolume2'. It has
stopped monitoring the volume.


< End of report >

Robybel
2013-09-12, 05:57
Hi Snurd :2thumb:

How are you? You have done a very good job ;)


Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:OTL
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No CLSID value found.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A93A3CC9-BA23-4D0D-9440-6A0148362B7E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O20 - Winlogon\Notify\WgaLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
[2013/09/10 08:47:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\KYBO1KQ3FR4HU7CA
[2013/09/09 17:52:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\96INTLKJIOU0Y4SR
[2013/09/08 13:41:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\BQFZ5OTZCPONMEW2
@Alternate Data Stream - 332 bytes -> C:\Documents and Settings\Keith Simmons\My Documents\China432.jpg:SummaryInformation
@Alternate Data Stream - 332 bytes -> C:\Documents and Settings\Keith Simmons\Desktop\China432.jpg:SummaryInformation



:Files
ipconfig /flushdns /c


:Commands
[EMPTYFLASH]
[REBOOT]
[RESETHOSTS]
[CREATERESTOREPOINT]


Then click the Run Fix button at the top
Let the program run unhindered.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Snurd
2013-09-12, 13:18
Hi Robybel,

So far, so good!

OTL Log

========== OTL ==========
127.0.0.1 localhost removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A93A3CC9-BA23-4D0D-9440-6A0148362B7E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A93A3CC9-BA23-4D0D-9440-6A0148362B7E}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Starting removal of ActiveX control {56762DEC-6B0D-4AB4-A8AD-989993B5D08B}
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\ deleted successfully.
C:\WINDOWS\KYBO1KQ3FR4HU7CA folder moved successfully.
C:\WINDOWS\96INTLKJIOU0Y4SR folder moved successfully.
C:\WINDOWS\BQFZ5OTZCPONMEW2 folder moved successfully.
Unable to delete ADS C:\Documents and Settings\Keith Simmons\My Documents\China432.jpg:SummaryInformation .
Unable to delete ADS C:\Documents and Settings\Keith Simmons\Desktop\China432.jpg:SummaryInformation .
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Keith Simmons\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Keith Simmons\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Keith Simmons
->Flash cache emptied: 3130332 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 3.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 09122013_055740
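An added example, not from the thread or from OTL's author: a small Python parser for the fix-log format above that tallies each outcome per section and lists the lines needing a human look (here, the ADS entries OTL could not delete and the registry read error). The embedded sample log is constructed from lines of the same shape as the log posted above.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape of an OTL fix log (a handful of lines, not a full log).
SAMPLE_LOG = r"""
========== OTL ==========
127.0.0.1 localhost removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation\\INF .
C:\WINDOWS\KYBO1KQ3FR4HU7CA folder moved successfully.
Unable to delete ADS C:\Documents and Settings\Keith Simmons\Desktop\China432.jpg:SummaryInformation .
========== FILES ==========
< ipconfig /flushdns /c >
Successfully flushed the DNS Resolver Cache.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point
"""

# First matching rule wins. "not found" is expected noise: after removing each
# BHO/toolbar entry OTL also probes the matching HKLM\SOFTWARE\Classes\CLSID key.
_RULES = [
    ("failed",    re.compile(r"^Unable to delete ")),
    ("error",     re.compile(r"^Registry error reading value ")),
    ("success",   re.compile(r"(deleted|moved|removed from HOSTS file|reset) successfully\.?$")),
    ("success",   re.compile(r"^Successfully flushed the DNS Resolver Cache")),
    ("success",   re.compile(r"^Restore point Set: ")),
    ("not_found", re.compile(r" not found\.$")),
    ("info",      re.compile(r"^Starting removal of ActiveX control ")),
]
_SECTION = re.compile(r"^=+ (.+?) =+$")


def classify(line: str) -> str:
    """Label one log line by outcome; anything unrecognised is 'other'."""
    for label, pattern in _RULES:
        if pattern.search(line):
            return label
    return "other"


def summarize(log_text: str) -> Dict[str, object]:
    """Tally outcomes per section and collect the lines that need follow-up."""
    counts: Counter = Counter()
    by_section: Dict[str, Counter] = {}
    failures: List[str] = []
    section = "(none)"
    hosts_reset = restore_point = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SECTION.match(line)
        if header:
            section = header.group(1)
            by_section.setdefault(section, Counter())
            continue
        label = classify(line)
        counts[label] += 1
        by_section.setdefault(section, Counter())[label] += 1
        if label in ("failed", "error"):
            failures.append(line)
        hosts_reset |= line == "HOSTS file reset successfully"
        restore_point |= line.startswith("Restore point Set: ")
    return {
        "counts": dict(counts),
        "by_section": {name: dict(c) for name, c in by_section.items()},
        "failures": failures,            # e.g. ADS entries OTL could not remove
        "hosts_reset": hosts_reset,      # [RESETHOSTS] took effect
        "restore_point": restore_point,  # [CREATERESTOREPOINT] took effect
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["counts"])
    for item in report["failures"]:
        print("FOLLOW UP:", item)
```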

Robybel
2013-09-12, 15:53
Hi snurd :)

Please let me know how your machine is running and if there are any outstanding issues.

Snurd
2013-09-13, 16:00
Hi Robybel,

I took the time to do a full boot time scan with Avast, which shows no problems.
I also scanned using Spybot and Malwarebytes. Everything shows clean.

The computer runs fine. It seems slow to boot initially, but after that it has good
speed. This all seems to have started after I downloaded a file from CNET. It was a
file shredder program named Eraser, but appears to have been filled with Malware!

Best,

Keith

Robybel
2013-09-15, 00:42
Ok snurd :)

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :) SO LET'S DO A COUPLE OF THINGS TO WRAP THIS UP!! :)

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


Uninstall AdwCleaner

Double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with yes.

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.


Adobe Update to the latest version

An old version of an Adobe product exists on your computer:

Adobe reader


Please go to this page, http://www.adobe.com/downloads/updates/
In Find product updates, scroll down the menu until you find the product you want to update.
Select it and click go.
At this point you will be directed to the update page; scroll down until you see Updates/Programs and select the latest version of the product.
You will be directed to the download page; click Proceed to download and follow the instructions.
Follow these steps for all products that require an upgrade.


Java is very easily exploited these days and it's a good idea to disable Java in the browser

Please read here (http://www.techsupportforum.com/forums/f50/disable-java-in-browsers-683721.html)


Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

MOST IMPORTANT: You Need to Update Windows and IE to get all the Latest Security Patches to protect your computer from the malware that is around on the internet.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Make your Mozilla Firefox more secure - This can be done by adding these add-ons:


NoScript (https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=ss)
AdBlockPlus (https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/)


2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open Internet Explorer
Click on Tools > Internet Options
Press Security tab
Select Internet zone then place check next to Enable Protected Mode if not already done
Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)


5. SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:
How Did I Get Infected In The First Place? (http://forums.whatthetech.com/So_how_did_I_get_infected_first_place_t57817.html) by TonyKlein
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes
PC Safety and Security--What Do I Need? (http://www.techsupportforum.com/forums/f112/pc-safety-and-security-what-do-i-need-525915.html)

6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
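An added Python audit, not from the thread, that checks the current user's Internet zone against the six settings recommended in step 1 above. The zone value names ("1001", "1004", ...) and the 0/1/3 meaning are Microsoft's documented URL-action values for the Internet Settings zone keys; `read_internet_zone` is Windows-only, and `SAMPLE_ZONE` is a constructed snapshot used when the registry is not available.

```python
from typing import Dict, List, Optional, Tuple

# Per-user registry key for the Internet zone (zone 3).
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL-action value names under the zone key for the six settings the post
# changes, with the recommended DWORD. Meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
_STRICTNESS = {0: 0, 1: 1, 3: 2}  # Enable < Prompt < Disable
_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}


def audit_zone(current: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per setting that is weaker than recommended or unset.

    A setting stricter than recommended (e.g. Disable where Prompt is asked for)
    is not reported; only weaker, missing or unrecognised values are.
    """
    findings: List[str] = []
    for value_name, (label, wanted) in RECOMMENDED.items():
        actual = current.get(value_name)
        if actual is None or actual not in _STRICTNESS:
            findings.append(
                f"{value_name} {label}: not set or unknown ({actual!r}); want {_NAMES[wanted]}")
        elif _STRICTNESS[actual] < _STRICTNESS[wanted]:
            findings.append(
                f"{value_name} {label}: {_NAMES[actual]}, want {_NAMES[wanted]}")
    return findings


def read_internet_zone() -> Dict[str, Optional[int]]:
    """Read the six values from HKCU (Windows only; empty dict elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    result: Dict[str, Optional[int]] = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY)
    except OSError:
        return {}
    with key:
        for value_name in RECOMMENDED:
            try:
                data, _kind = winreg.QueryValueEx(key, value_name)
                result[value_name] = int(data)
            except OSError:          # value absent: zone default applies
                result[value_name] = None
    return result


# Constructed snapshot of a machine still on weaker values for three settings.
SAMPLE_ZONE: Dict[str, Optional[int]] = {
    "1001": 0, "1004": 3, "1201": 0, "1800": 3, "1804": 1, "1607": 0,
}

if __name__ == "__main__":
    zone = read_internet_zone() or SAMPLE_ZONE
    for finding in audit_zone(zone):
        print(finding)
```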

Robybel
2013-09-16, 06:16
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.