Malware problem present even in Safe Mode!

Wexem · May 18, 2011

I have a serious malware problem. It only seems to be redirecting my browsers (IE & Firefox) & opening extra tabs leading to weird links. I can't get rid of it. My browsers are effected even in Safe Mode. I have run full scans with Windows Defender, MS Security Essentials, Panda Anti-virus, Windows Malicious Software Remover Tool, Avast Anti-virus, Malwarebytes' Anti-Malware, IObit Security, & Spybot. I have listed these programs in ascending order of success. Please help! Here is my DDS log:
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Becky at 0:48:16.07 on Wed 05/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.271 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Becky\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://thottbot.com/
uSearch Page = about:blank
uSearch Bar = about:blank
uSearchMigratedDefaultURL = hxxp://www.Google.com/
uDefault_Search_URL = about:blank
mSearch Bar = about:blank
mSearchMigratedDefaultURL = hxxp://www.Google.com/
uSearchAssistant = about:blank
mSearchURL = about:blank
mSearchAssistant = about:blank
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program

files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search

toolbar\SearchToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program

files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: egreetings.com Toolbar: {1c99b848-84cb-4ce4-8cd8-ed5719484d9f} - mscoree.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search

toolbar\SearchToolbar.dll
TB: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
StartupFolder: c:\docume~1\becky\startm~1\programs\startup\erunta~1.lnk - c:\program

files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\becky\startm~1\programs\startup\rthdcpl.lnk - c:\program

files\realtek\installshield\RTHDCPL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common

files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat

7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program

files\belkin\nostromo\nost_LM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pandac~1.lnk -

c:\windows\installer\{c98bbc25-490c-4f3f-81d8-5d12c11732df}\Shortcuts_ProductN_A17DF807A25C4F9396

D48EA53C96348F.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\WINDOW~1.LNK -
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program

files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program

files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: youporn.com\www
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -

hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} -

hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -

hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -

hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} -

hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} -

hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} -

hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} -

hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -

hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {3DAA26B2-99E1-49B3-9D89-27C6669B3868} = 4.2.2.2,4.2.2.1
TCP: {F72F15D4-E199-422B-BD06-061F86DDD7D6} = 4.2.2.1,4.2.2.2
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} -

c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\becky\applic~1\mozilla\firefox\profiles\0tg9hbn0.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\becky\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nptgeqplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24

165264]
S2 AGCoreService;AG Core Services;"c:\program files\agi\core\4.2.0.10753\agcoreservice.exe" -->

c:\program files\agi\core\4.2.0.10753\AGCoreService.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN

v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-5-18 312152]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM

[2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache

4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-18 05:22:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-18 05:00:04 -------- d-----w- c:\docume~1\becky\applic~1\IObit
2011-05-18 05:00:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-05-18 04:59:59 -------- d-----w- c:\program files\IObit
2011-05-18 04:55:58 -------- d-----w- c:\windows\system32\MpEngineStore
2011-05-18 04:36:47 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft

antimalware\definition updates\{887edd04-3630-4981-93b4-89ccc1c335ba}\MpKsle70c21de.sys
2011-05-18 04:36:19 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft

antimalware\definition updates\{887edd04-3630-4981-93b4-89ccc1c335ba}\mpengine.dll
2011-05-18 04:36:15 -------- d-----w- C:\be32fa19b784f6fcc6c5c1eb6c4314
2011-05-18 04:32:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-17 21:58:00 -------- d-----w- c:\docume~1\becky\applic~1\Malwarebytes
2011-05-17 21:57:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-03 06:52:59 7071056 ------w- c:\docume~1\alluse~1\applic~1\microsoft\windows

defender\definition updates\{2857b45b-c386-43d9-b829-891e7f99357e}\mpengine.dll
2011-04-21 23:13:52 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-21 23:13:52 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-21 23:13:51 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-21 23:13:51 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-21 23:13:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-21 23:13:49 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-21 23:13:49 142296 ----a-w- c:\program files\mozilla

firefox\components\browsercomps.dll
2011-04-21 23:13:48 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-20 10:18:09 -------- d-----w- c:\program files\Lavasoft
2011-04-20 10:04:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-04-20 09:58:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200820AS rev.3.AHG -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8573F4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x857457f0]; MOV

EAX, [0x8574586c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ

0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x856E5AB8]
3 CLASSPNP[0xF77A3FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000066[0x856E73B8]
5 ACPI[0xF771A620] -> nt!IofCallDriver[0x804E13B9] -> [0x8575DD98]
\Driver\atapi[0x856E4980] -> IRP_MJ_CREATE -> 0x8573F4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ;

MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP,

0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8573F31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:50:12.51 ===============

I'll also attach the second DDS log as requested.
Thank you in advanced for your help,
Wexem

Most of the time, when one of the above programs found anything, they found changes in my registry. Any problems were successfully fixed but more keep popping up whenever I do a new scan.

ken545 · May 19, 2011

:snwelcome:

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

When the logs we request you to post , they will open up in Notepad, you need to go to Format and uncheck wordwrap or else we wont be able to read your logs

I have see enough to know your infected with a rootkit

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

Wexem · May 20, 2011

aswMBR log as requested

Right after I ran the aswMBR scan, MS Essentials popped up saying it had found Trojan

OS/Alureon.A
I quarantined it.
Here is the log aswMBR made:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-19 19:21:11
-----------------------------
19:21:11.468 OS Version: Windows 5.1.2600 Service Pack 3
19:21:11.468 Number of processors: 2 586 0x4B02
19:21:11.468 ComputerName: BECKY-PC UserName: Becky
19:21:12.187 Initialize success
19:21:14.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
19:21:14.234 Disk 0 Vendor: ST3200820AS 3.AHG Size: 190782MB BusType: 3
19:21:14.234 Device \Driver\atapi -> DriverStartIo 8530a31b
19:21:16.234 Disk 0 MBR read successfully
19:21:16.234 Disk 0 MBR scan
19:21:16.234 Disk 0 TDL4@MBR code has been found
19:21:16.234 Disk 0 Windows XP default MBR code found via API
19:21:16.234 Disk 0 MBR hidden
19:21:16.234 Disk 0 MBR [TDL4] **ROOTKIT**
19:21:16.234 Disk 0 trace - called modules:
19:21:16.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8530a4d0]<<
19:21:16.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85319ab8]
19:21:16.234 3 CLASSPNP.SYS[f7590fd7] -> nt!IofCallDriver -> \Device\0000006c[0x8537cf18]
19:21:16.234 5 ACPI.sys[f7427620] -> nt!IofCallDriver -> [0x852aa940]
19:21:16.234 \Driver\atapi[0x852a8a80] -> IRP_MJ_CREATE -> 0x8530a4d0
19:21:16.234 Scan finished successfully
19:21:56.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Becky\Desktop\MBR.dat"
19:21:57.093 The log file has been saved successfully to "C:\Documents and Settings\Becky\Desktop\aswMBR.txt"

Thanks for your help,
Becky

ken545 · May 20, 2011

Hello Becky

Re-Run aswMBR

Click Scan

On completion of the scan

Click Fix

Save the log as before and post in your next reply

Wexem · May 20, 2011

Did it but...

My computer froze just after the program showed "verifying disinfection", therefore I was unable to save a log after hitting "fix". I restarted my computer, rescanned, and did not have the option to fix again. Here's the log I was able to save after the restart and rescan:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-19 21:22:02
-----------------------------
21:22:02.984 OS Version: Windows 5.1.2600 Service Pack 3
21:22:02.984 Number of processors: 2 586 0x4B02
21:22:02.984 ComputerName: BECKY-PC UserName: Becky
21:22:03.437 Initialize success
21:22:07.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
21:22:07.250 Disk 0 Vendor: ST3200820AS 3.AHG Size: 190782MB BusType: 3
21:22:09.281 Disk 0 MBR read successfully
21:22:09.281 Disk 0 MBR scan
21:22:09.281 Disk 0 Windows XP default MBR code
21:22:11.281 Disk 0 scanning sectors +390715920
21:22:11.296 Disk 0 scanning C:\WINDOWS\system32\drivers
21:22:16.703 Service scanning
21:22:17.796 Disk 0 trace - called modules:
21:22:17.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:22:17.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8537cab8]
21:22:17.812 3 CLASSPNP.SYS[f7590fd7] -> nt!IofCallDriver -> \Device\00000068[0x85376f18]
21:22:17.812 5 ACPI.sys[f7427620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x85324d98]
21:22:17.812 Scan finished successfully
21:22:31.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Becky\Desktop\MBR.dat"
21:22:31.859 The log file has been saved successfully to "C:\Documents and Settings\Becky\Desktop\aswMBR 2.txt"

Thank you, oh awesome Tech-Lord,
Becky

ken545 · May 20, 2011

Good Morning Becky,

Looks like the tool did its job, the rootkit appears gone so your browser redirects should be gone also.

The problem with rootkits is sometimes they bring there friends along for a ride so lets check a bit further

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Wexem · May 20, 2011

Check!

ComboFix ran without any hiccups. I did have to download the MS Recovery Console. I now understand why I should only use ComboFix when instructed to. Seeing it delete my Windows folder was scary! I do like the log entry "Orphans Removed" though.

Here's the log:
ComboFix 11-05-19.01 - Becky 05/20/2011 4:14.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.346 [GMT -5:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
ADS - system32: deleted 142 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Becky\WINDOWS
c:\windows\system32\AutoRun.inf
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-20 09:18 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2011-05-20 09:18 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-05-20 09:07 . 2011-05-20 09:07 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70A650F3-90A6-4787-AC3A-CE26C361F7BE}\MpKsla260ca5e.sys
2011-05-20 08:22 . 2011-05-20 08:22 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70A650F3-90A6-4787-AC3A-CE26C361F7BE}\MpKsl000de241.sys
2011-05-20 08:01 . 2011-05-20 08:01 -------- d-----w- c:\program files\Reference Assemblies
2011-05-20 08:01 . 2011-05-20 08:01 -------- d-----w- c:\program files\Microsoft.NET
2011-05-20 08:01 . 2011-05-20 08:01 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-05-20 02:37 . 2011-04-18 14:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-20 02:36 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70A650F3-90A6-4787-AC3A-CE26C361F7BE}\mpengine.dll
2011-05-20 02:28 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B76BD9F0-3726-4E3A-ABB3-4200EDD31BF1}\mpengine.dll
2011-05-20 02:28 . 2011-05-20 02:28 -------- d--h--w- c:\windows\$hf_mig$
2011-05-20 00:42 . 2011-05-20 00:42 -------- d-s---w- c:\windows\Downloaded Program Files
2011-05-19 22:56 . 2011-05-19 22:56 -------- d-----w- c:\documents and settings\Becky\Application Data\AVG10
2011-05-19 02:12 . 2011-05-19 02:12 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-19 02:03 . 2011-05-20 00:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-05-18 10:52 . 2011-05-18 10:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-18 06:18 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-18 06:18 . 2011-05-18 06:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-18 06:18 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-18 06:10 . 2011-05-18 06:12 -------- d-----w- c:\program files\SpywareBlaster
2011-05-18 05:46 . 2011-05-18 05:46 -------- d-----w- c:\program files\ERUNT
2011-05-18 05:22 . 2011-05-18 05:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-18 05:00 . 2011-05-18 05:00 -------- d-----w- c:\documents and settings\Becky\Application Data\IObit
2011-05-18 05:00 . 2011-05-18 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-18 04:59 . 2011-05-18 04:59 -------- d-----w- c:\program files\IObit
2011-05-18 04:36 . 2011-05-18 04:36 -------- d-----w- C:\be32fa19b784f6fcc6c5c1eb6c4314
2011-05-18 04:32 . 2011-05-18 04:32 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-17 21:58 . 2011-05-17 21:58 -------- d-----w- c:\documents and settings\Becky\Application Data\Malwarebytes
2011-05-17 21:57 . 2011-05-17 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-15 23:25 . 2011-05-17 05:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-04-21 23:13 . 2011-05-01 17:49 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-21 23:13 . 2011-05-01 17:49 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-21 23:13 . 2011-05-01 17:49 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-21 23:13 . 2011-05-01 17:49 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-21 23:13 . 2011-05-01 17:49 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-21 23:13 . 2011-05-01 17:49 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-21 23:13 . 2011-05-01 17:49 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-21 23:13 . 2011-05-01 17:49 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-20 10:24 . 2011-04-20 10:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-20 10:04 . 2011-05-18 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-04-20 09:58 . 2011-05-19 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2007-08-06 22:27 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2007-07-12 04:15 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-05-01 17:49 . 2011-04-21 23:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-07 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2009-11-07 06:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}"= "mscoree.dll" [2009-11-07 297808]
.
[HKEY_CLASSES_ROOT\clsid\{1c99b848-84cb-4ce4-8cd8-ed5719484d9f}]
[HKEY_CLASSES_ROOT\UnifiedToolbar.UnifiedToolbar]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
.
c:\documents and settings\Becky\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
RTHDCPL.lnk - c:\program files\Realtek\InstallShield\RTHDCPL.exe [2007-7-12 16377344]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-22 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [N/A]
Panda Cloud Antivirus (2).lnk - c:\windows\Installer\{C98BBC25-490C-4F3F-81D8-5D12C11732DF}\Shortcuts_ProductN_A17DF807A25C4F9396D48EA53C96348F.exe [N/A]
Windows Defender (2).lnk - [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"58163:TCP"= 58163:TCP

ando Media Booster
"58163:UDP"= 58163:UDP

ando Media Booster
"5985:TCP"= 5985:TCP:*

isabled:Windows Remote Management
.
R1 MpKsl000de241;MpKsl000de241;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70A650F3-90A6-4787-AC3A-CE26C361F7BE}\MpKsl000de241.sys [5/20/2011 3:22 AM 28752]
R1 MpKsla260ca5e;MpKsla260ca5e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70A650F3-90A6-4787-AC3A-CE26C361F7BE}\MpKsla260ca5e.sys [5/20/2011 4:07 AM 28752]
S1 MpKsl2fc1b704;MpKsl2fc1b704;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{887EDD04-3630-4981-93B4-89CCC1C335BA}\MpKsl2fc1b704.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{887EDD04-3630-4981-93B4-89CCC1C335BA}\MpKsl2fc1b704.sys [?]
S2 AGCoreService;AG Core Services;"c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe" --> c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [5/18/2011 12:00 AM 312152]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 2:16 PM 22821]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL000DE241
*NewlyCreated* - MPKSLA260CA5E
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-05-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thottbot.com/
uSearchMigratedDefaultURL = hxxp://www.Google.com/
uDefault_Search_URL = about:blank
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uSearchAssistant = about:blank
mSearchURL = about:blank
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: youporn.com\www
TCP: {F72F15D4-E199-422B-BD06-061F86DDD7D6} = 4.2.2.1,4.2.2.2
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?t=62733
FF - prefs.js: network.proxy.type - 4
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
HKLM-Run-nwiz - nwiz.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-{15EEFF80-97EC-43C4-BDD4-50E4A8E3117D} - c:\program files\InstallShield Installation Information\{15EEFF80-97EC-43C4-BDD4-50E4A8E3117D}\setup.exe
AddRemove-{308AA8B7-FBF8-43CE-A446-78A26B3D91E7} - c:\program files\InstallShield Installation Information\{308AA8B7-FBF8-43CE-A446-78A26B3D91E7}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 04:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-05-20 04:22:48
ComboFix-quarantined-files.txt 2011-05-20 09:22
.
Pre-Run: 119,008,714,752 bytes free
Post-Run: 120,186,179,584 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A7A7984E66E600A8345E16B03594770A

I bow to your techno-knowledge,
Becky

ken545 · May 20, 2011

Becky

Your windows folder is in C:\windows , the one CF removed was bogus.

Your using Microsoft Security Essentials but I also so markers in your log for AVG, you can use there removal tool to remove any remnants of it

AVG Removal
http://www.avg.com/us-en/download-tools
http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

Lets sweep for leftovers, run Malwarebytes

Please download Malwarebytes from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report please

[

Wexem · May 20, 2011

Looks like it found a couple...

...and both are messing with my registry. There's is also a new IE icon on my desktop but I think that's from my computer automatically updating and restarting. Can I try to completely remove IE from my computer? Here is the Malwarebyte's log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6627

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/20/2011 10:26:08 AM
mbam-log-2011-05-20 (10-26-08).txt

Scan type: Quick scan
Objects scanned: 144018
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Could have never gotten this far without you,
Becky

ken545 · May 20, 2011

Lets do this

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on
  
  to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the
  
  icon on your desktop.
Check
Click the

button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push

, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the

button.
Push

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Wexem · May 21, 2011

Eset found a couple things.

While the scan was running, a yellow shield with an exclamation point popped up in my system tray with a speech bubble saying "Updates are ready for your computer. Click here to install these updates." I don't trust it. Anyhow, here's the log from the scan:
C:\Documents and Settings\Becky\Application Data\Sun\Java\Deployment\cache\6.0\10\4476a30a-135f279e multiple threats
C:\Documents and Settings\Becky\Application Data\Sun\Java\Deployment\cache\6.0\13\27d4524d-1105dd65 Java/Agent.X trojan

I don't even have Java installed on my computer right now. I removed it along with shockwave, flash, and adobe so I could reinstall them later. I was planning on removing and reinstalling IE and firefox too.

Lead me mighty Tech-Lord,
Becky

ken545 · May 21, 2011

Those files ESET found where in your Java Cache, lets run this tool, post the log and we can run a fix to clear that all out

OTL by OldTimer

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
  Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Wexem · May 21, 2011

Check and check!

Here is the OTL log:
OTL logfile created on: 5/21/2011 4:56:44 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Becky\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 409.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.54 Gb Total Space | 111.71 Gb Free Space | 62.92% Space Free | Partition Type: NTFS
Drive H: | 8.76 Gb Total Space | 0.96 Gb Free Space | 10.98% Space Free | Partition Type: NTFS

Computer Name: BECKY-PC | User Name: Becky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Becky\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\IObit\IObit Security 360\is360.exe (IObit)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\IObit\IObit Security 360\is360tray.exe (IObit)
PRC - C:\Program Files\IObit\IObit Security 360\is360srv.exe (IObit)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Becky\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\IObit\IObit Security 360\is360mon.dll (IObit)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL (Logitech Inc.)
MOD - C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll (Logitech Inc.)

========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (AGCoreService) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (IS360service) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe (IObit)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (MpKsl28473160) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83497E5B-CE00-43C7-A5F4-F2B6A09F1E2C}\MpKsl28473160.sys (Microsoft Corporation)
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\ar5416.sys (Atheros Communications, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (nvport) -- C:\WINDOWS\system32\drivers\nvport.sys (NVIDIA Corporation.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (LHidFlt2) -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS (Logitech, Inc.)
DRV - (GTNDIS5) -- C:\Program Files\Belkin\F5D8001v1\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (bcgame) -- C:\WINDOWS\system32\drivers\bcgame.sys (Belkin Corporation)
DRV - (KeyMaestro) -- C:\WINDOWS\system32\drivers\Maestro1.sys (BTC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.Google.com/
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = http://www.Google.com/

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.Google.com/
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://thottbot.com/
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "egreetings.com Toolbar"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://forums.spybot.info/showthread.php?t=62733&page=2"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: btpersonas@brandthunder.com:1.0.7.3
FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\unifiedtoolbar@aginteractive.com: C:\Program Files\UnifiedToolbar\3.2\Firefox
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 12:49:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/21 18:14:04 | 000,000,000 | ---D | M]

[2010/01/19 18:57:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Extensions
[2009/04/25 21:06:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/05/01 12:49:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\extensions
[2010/04/28 10:50:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/01 12:49:45 | 000,000,000 | ---D | M] ("Personas Interactive") -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\extensions\btpersonas@brandthunder.com
[2011/05/19 18:32:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
[2011/05/01 12:49:10 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/12/10 19:44:20 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/07/18 12:19:40 | 002,998,784 | ---- | M] (Tamarack Software, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nptgeqplugin.dll
[2011/05/04 10:17:49 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml
[2011/04/21 18:13:55 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/20 04:20:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panda Cloud Antivirus (2).lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender (2).lnk = File not found
O4 - Startup: C:\Documents and Settings\Becky\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Becky\Start Menu\Programs\Startup\RTHDCPL.lnk = C:\Program Files\Realtek\InstallShield\RTHDCPL.exe (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - File not found
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - File not found
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - File not found
O15 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\..Trusted Domains: youporn.com ([www] http in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (HpProductDetection Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab (WordMojo Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: ActiveGS.cab http://www.virtualapple.org/activegs.cab (Reg Error: Key error.)
O16 - DPF: CabBuilder http://www.imgag.com/kiw/toolbar/download/InstallerControl.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/11 23:17:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/21 16:54:15 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
[2011/05/21 10:29:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/21 10:27:56 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Becky\Desktop\esetsmartinstaller_enu.exe
[2011/05/20 10:21:15 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/20 10:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/20 10:21:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/20 10:21:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/20 10:20:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Becky\Desktop\mbam-setup-1.50.1.1100.exe
[2011/05/20 04:22:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/20 04:18:21 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\proquota.exe
[2011/05/20 04:18:21 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\proquota.exe
[2011/05/20 04:10:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/20 04:10:35 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/20 04:10:35 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/20 04:10:35 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/20 04:06:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/20 03:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/05/20 03:01:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2011/05/20 03:01:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2011/05/20 03:00:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2011/05/19 21:28:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2011/05/19 19:42:29 | 000,000,000 | --SD | C] -- C:\WINDOWS\Downloaded Program Files
[2011/05/19 19:20:44 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Becky\Desktop\aswMBR.exe
[2011/05/19 19:07:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/05/19 18:44:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\msagent
[2011/05/19 18:39:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\untrusted
[2011/05/19 18:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\xerox
[2011/05/19 18:30:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\microsoft frontpage
[2011/05/19 17:56:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\AVG10
[2011/05/18 21:12:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/18 21:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop
[2011/05/18 21:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/05/18 05:53:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/05/18 05:52:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/18 01:17:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\DDS
[2011/05/18 01:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/05/18 01:10:27 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/05/18 01:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\My Documents\Limewire Downloads
[2011/05/18 00:47:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/18 00:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/18 00:46:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/05/18 00:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/05/18 00:22:57 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/05/18 00:00:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/05/18 00:00:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\IObit
[2011/05/18 00:00:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/05/17 23:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2011/05/17 23:36:15 | 000,000,000 | ---D | C] -- C:\be32fa19b784f6fcc6c5c1eb6c4314
[2011/05/17 23:32:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/05/17 16:58:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\Malwarebytes
[2011/05/17 16:57:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/15 18:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/15 17:05:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/05/15 16:28:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/15 16:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/15 15:56:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/15 15:56:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/21 16:54:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
[2011/05/21 13:16:07 | 000,045,158 | ---- | M] () -- C:\Documents and Settings\Becky\My Documents\Resume, supplimental info.rtf
[2011/05/21 12:33:57 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/21 12:28:59 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/21 12:28:56 | 000,272,073 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/05/21 12:28:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/21 10:28:31 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Becky\Desktop\esetsmartinstaller_enu.exe
[2011/05/20 10:20:42 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Becky\Desktop\mbam-setup-1.50.1.1100.exe
[2011/05/20 04:20:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/20 04:05:17 | 004,352,047 | R--- | M] () -- C:\Documents and Settings\Becky\Desktop\ComboFix.exe
[2011/05/20 03:01:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/19 21:22:31 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\MBR.dat
[2011/05/19 19:20:48 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Becky\Desktop\aswMBR.exe
[2011/05/19 14:33:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/19 01:27:34 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/18 19:03:45 | 000,031,071 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\Movie poster ad.rtf
[2011/05/18 00:46:46 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Becky\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/17 23:33:30 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/05/17 23:27:06 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/05/17 09:19:01 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Becky\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to firefox.lnk
[2011/05/12 09:56:28 | 000,043,644 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Resume, supplimental info.rtf
[2011/05/05 21:48:07 | 000,000,955 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender (2).lnk
[2011/05/05 11:29:16 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\UMdsyGU7.dat
[2011/04/24 20:58:41 | 000,071,266 | ---- | M] () -- C:\Documents and Settings\Becky\My Documents\Resume Rebecka Moore.rtf
[2011/04/24 20:58:41 | 000,071,266 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Resume Rebecka Moore.rtf
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/20 04:10:35 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/20 04:10:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/20 04:10:35 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/20 04:10:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/20 04:10:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/20 04:05:04 | 004,352,047 | R--- | C] () -- C:\Documents and Settings\Becky\Desktop\ComboFix.exe
[2011/05/20 03:27:46 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/19 21:22:31 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Becky\Desktop\MBR.dat
[2011/05/18 19:03:45 | 000,031,071 | ---- | C] () -- C:\Documents and Settings\Becky\Desktop\Movie poster ad.rtf
[2011/05/18 00:46:46 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Becky\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/17 23:32:39 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/05/17 10:28:58 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/05/17 09:19:01 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Becky\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to firefox.lnk
[2011/05/12 09:57:02 | 000,043,644 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Resume, supplimental info.rtf
[2011/05/12 09:56:28 | 000,045,158 | ---- | C] () -- C:\Documents and Settings\Becky\My Documents\Resume, supplimental info.rtf
[2011/05/12 09:44:48 | 000,071,266 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Resume Rebecka Moore.rtf
[2011/05/05 08:53:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\UMdsyGU7.dat
[2010/04/03 22:55:32 | 002,183,470 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/01/19 18:56:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/11/06 11:05:17 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\UpdateDriver.exe
[2009/11/06 11:05:17 | 000,004,512 | ---- | C] () -- C:\WINDOWS\System32\ucuiinfo.ini
[2009/07/10 15:16:20 | 000,004,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2008/12/17 16:24:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/10/21 14:27:29 | 000,118,568 | ---- | C] () -- C:\WINDOWS\hpoins09.dat.temp
[2008/10/21 14:27:28 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat.temp
[2008/10/21 13:06:26 | 000,118,131 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2008/04/01 02:26:18 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/01/28 14:20:28 | 000,139,775 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
[2008/01/28 14:20:28 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
[2008/01/28 14:20:20 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/01/01 20:41:56 | 000,000,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/08/06 18:08:17 | 000,138,240 | ---- | C] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/12 15:28:46 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/07/12 00:53:09 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/11 23:35:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\KmRemove.exe
[2007/07/11 23:19:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/07/11 23:15:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/07/11 18:09:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/07/11 18:07:23 | 000,302,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/19 13:26:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/19 13:26:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/09 12:29:36 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,505,394 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,088,858 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/05/15 23:57:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\agi
[2010/05/07 23:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2011/05/17 23:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/05/19 19:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2008/06/09 18:36:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7
[2011/05/18 21:12:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/18 00:00:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/05/19 18:30:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/06/25 07:10:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2010/05/17 19:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2011/05/18 17:40:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/07 23:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\acccore
[2008/03/30 14:20:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\Acreon
[2010/05/15 23:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\AGI
[2011/01/15 17:35:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\AnvSoft
[2011/05/19 17:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\AVG10
[2008/06/09 18:35:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\AVG7
[2010/06/30 17:30:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\eMusic
[2010/05/21 13:46:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\HorizonWimba
[2010/01/17 16:57:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\ieSpell
[2011/05/18 00:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\IObit
[2010/09/30 18:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\LimeWire
[2010/05/08 15:40:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\NwDocx
[2010/04/20 12:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\Panda Security
[2010/06/27 22:18:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Becky\Application Data\Windows Search
[2007/07/12 00:19:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2011/05/21 12:33:57 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F085C8A1

< End of report >

I'll post the Extras log in the next post.

Wexem · May 21, 2011

...

Here is the Extars log:
OTL Extras logfile created on: 5/21/2011 4:56:44 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Becky\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 409.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.54 Gb Total Space | 111.71 Gb Free Space | 62.92% Space Free | Partition Type: NTFS
Drive H: | 8.76 Gb Total Space | 0.96 Gb Free Space | 10.98% Space Free | Partition Type: NTFS

Computer Name: BECKY-PC | User Name: Becky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled

xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled

xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled

xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled

xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled

xpsp2res.dll,-22002
"58163:TCP" = 58163:TCP:*:Enabled

ando Media Booster
"58163:UDP" = 58163:UDP:*:Enabled

ando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled

xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled

xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled

xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"6112:TCP" = 6112:TCP:*:Enabled:Blizzard Downloader
"58163:TCP" = 58163:TCP:*:Enabled

ando Media Booster
"58163:UDP" = 58163:UDP:*:Enabled

ando Media Booster
"5985:TCP" = 5985:TCP:*

isabled:Windows Remote Management

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled

ando Media Booster
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled

xpsp3res.dll,-20000
"C:\Program Files\World of Warcraft\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Repair.exe" = C:\Program Files\World of Warcraft\Repair.exe:*:Enabled:World of Warcraft - Repair -- ()
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:World of Warcraft -- (Blizzard Entertainment)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox -- (Mozilla Corporation)
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Microsoft Office Communicator 2007 -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA PureVideo Decoder
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0F3A1C5A-DA6A-4536-A058-CBB857CAC20C}" = Nostromo Array Programming Software
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}" = Rhapsody Player Engine
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{93F54611-2701-454e-94AB-623F458D9E6B}" = DeviceDiscovery
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9FC8D8F8-AF3A-4488-98AF-51C6DEC732F2}" = c3100_Help
"{A036E231-5A03-4d63-94F6-7864CC77EC48}" = PS_AIO_ProductContext
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}" = HP Photosmart and Deskjet 7.0.A
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B040FEFE-B45F-4e30-B3C6-035F53F544A9}" = c4200_Help
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B22C19AE-6A67-4f28-B541-5AE72FB17A25}" = HP Photosmart All-In-One Software 9.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B9F3A6E6-9C77-4535-9ED9-B16C1EBDFEC2}" = C4200
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D719E8F1-6931-40b4-AC0B-5FE2C097F995}" = C4200_doccd
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E39A3770-3DDE-404c-B91F-3522947874A3}" = PS_AIO_Software_min
"{E5BA0430-919F-46DD-B656-0796F8A5ADFF}" = Microsoft Office Communicator 2007
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EB8C9964-09AC-48bf-8B98-027609C78251}" = C3100
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{FA4FA322-5C90-4d2b-A019-9E588273DED5}" = PS_AIO_Software
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"AIM_7" = AIM 7
"Any Video Converter_is1" = Any Video Converter 3.1.7
"BtcMaestro" = HP Multimedia Keyboard Driver V1.6 (2.0.W-137A9 MUL)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IObit Security 360_is1" = IObit Security 360
"LimeWire" = LimeWire 5.5.16
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PROPLUSR" = Microsoft Office Professional Plus 2007
"RealPlayer 6.0" = RealPlayer
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Steam App 400" = Portal
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/18/2011 12:42:59 AM | Computer Name = BECKY-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 5/18/2011 12:43:01 AM | Computer Name = BECKY-PC | Source = Microsoft Security Client | ID = 5000
Description =

Error - 5/18/2011 12:46:28 AM | Computer Name = BECKY-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 updateservicemanager-_get_services,
P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender,
P8 NIL, P9 NIL, P10 NIL.

Error - 5/18/2011 12:59:14 AM | Computer Name = BECKY-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
1, P5 1, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 5/18/2011 1:28:48 AM | Computer Name = BECKY-PC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Becky\Desktop\HijackThis.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 5/18/2011 9:36:28 PM | Computer Name = BECKY-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 5/18/2011 9:41:20 PM | Computer Name = BECKY-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 1.1.1593.0,
P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

Error - 5/19/2011 7:23:36 PM | Computer Name = BECKY-PC | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.50.1.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2011 7:23:36 PM | Computer Name = BECKY-PC | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.50.1.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2011 7:49:03 PM | Computer Name = BECKY-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 1.1.1593.0,
P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 5/20/2011 3:28:00 AM | Computer Name = BECKY-PC | Source = Schedule | ID = 7901
Description = The At3.job command failed to start due to the following error: %%2147942402

Error - 5/20/2011 4:22:45 AM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7000
Description = The AG Core Services service failed to start due to the following
error: %%3

Error - 5/20/2011 4:28:00 AM | Computer Name = BECKY-PC | Source = Schedule | ID = 7901
Description = The At4.job command failed to start due to the following error: %%2147942402

Error - 5/20/2011 5:07:24 AM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 5/20/2011 5:10:04 AM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 5/20/2011 11:35:40 AM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7000
Description = The AG Core Services service failed to start due to the following
error: %%3

Error - 5/21/2011 11:25:33 AM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 5/21/2011 11:34:05 AM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 5/21/2011 1:28:39 PM | Computer Name = BECKY-PC | Source = Microsoft Antimalware | ID = 2004
Description = %%860 has encountered an error trying to load signatures and will
attempt reverting back to a known-good set of signatures. Signatures Attempted: %%824

Error
Code: 0x80070003 Error description: The system cannot find the path specified. Signature
version: 0.0.0.0;0.0.0.0 Engine version: 0.0.0.0

Error - 5/21/2011 1:28:43 PM | Computer Name = BECKY-PC | Source = Service Control Manager | ID = 7000
Description = The AG Core Services service failed to start due to the following
error: %%3

< End of report >

Awaiting your command,
Becky

ken545 · May 21, 2011

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:

:processes
killallprocesses

:OTL
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.


:Services

:Reg

:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c





:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Also let me know how things are running now , any redirects or unwanted pop up windows ?

Wexem · May 22, 2011

Post reboot report

My computer seemed to load the desktop and run much faster sometime after we ran ComboFix. I haven't experienced a redirect or random tab opening up since we ran Malwarebytes. Here is the post reboot log:
All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9D425283-D487-4337-BAB6-AB8354A81457} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
The operation failed as no adapter is in the state permissible for
this operation.
C:\Documents and Settings\Becky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Becky\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
The operation failed as no adapter is in the state permissible for
this operation.
C:\Documents and Settings\Becky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Becky\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Becky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Becky\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Becky
->Temp folder emptied: 915863 bytes
->Temporary Internet Files folder emptied: 1056783 bytes
->Java cache emptied: 61723 bytes
->FireFox cache emptied: 222333402 bytes
->Flash cache emptied: 2209869 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1278086 bytes
->Java cache emptied: 19648 bytes
->Flash cache emptied: 6025 bytes

User: NetworkService
->Temp folder emptied: 11824 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 20661 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162440 bytes
%systemroot%\System32 .tmp files removed: 11542521 bytes
%systemroot%\System32\dllcache .tmp files removed: 333336 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28442 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 231.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 05212011_180238

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

I'll post the rescan post next...

Wexem · May 22, 2011

...

Here is the rescan log:
OTL logfile created on: 5/21/2011 6:17:42 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Becky\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 459.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.54 Gb Total Space | 111.93 Gb Free Space | 63.04% Space Free | Partition Type: NTFS
Drive H: | 8.76 Gb Total Space | 0.96 Gb Free Space | 10.98% Space Free | Partition Type: NTFS

Computer Name: BECKY-PC | User Name: Becky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Becky\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\IObit\IObit Security 360\is360tray.exe (IObit)
PRC - C:\Program Files\IObit\IObit Security 360\is360srv.exe (IObit)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Becky\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\IObit\IObit Security 360\is360mon.dll (IObit)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL (Logitech Inc.)
MOD - C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll (Logitech Inc.)

========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (AGCoreService) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (IS360service) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe (IObit)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (MpKslab8f2633) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83497E5B-CE00-43C7-A5F4-F2B6A09F1E2C}\MpKslab8f2633.sys (Microsoft Corporation)
DRV - (MpKsl28473160) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{83497E5B-CE00-43C7-A5F4-F2B6A09F1E2C}\MpKsl28473160.sys (Microsoft Corporation)
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\ar5416.sys (Atheros Communications, Inc.)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (nvport) -- C:\WINDOWS\system32\drivers\nvport.sys (NVIDIA Corporation.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (LHidFlt2) -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS (Logitech, Inc.)
DRV - (GTNDIS5) -- C:\Program Files\Belkin\F5D8001v1\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (bcgame) -- C:\WINDOWS\system32\drivers\bcgame.sys (Belkin Corporation)
DRV - (KeyMaestro) -- C:\WINDOWS\system32\drivers\Maestro1.sys (BTC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.Google.com/
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = http://www.Google.com/

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.Google.com/
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://thottbot.com/
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
IE - HKU\S-1-5-21-484763869-1604221776-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "egreetings.com Toolbar"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://forums.spybot.info/showthread.php?t=62733&page=2"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: btpersonas@brandthunder.com:1.0.7.3
FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\unifiedtoolbar@aginteractive.com: C:\Program Files\UnifiedToolbar\3.2\Firefox
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 12:49:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/21 18:14:04 | 000,000,000 | ---D | M]

[2010/01/19 18:57:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Extensions
[2009/04/25 21:06:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/05/01 12:49:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\extensions
[2010/04/28 10:50:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/01 12:49:45 | 000,000,000 | ---D | M] ("Personas Interactive") -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\0tg9hbn0.default\extensions\btpersonas@brandthunder.com
[2011/05/19 18:32:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
[2011/05/01 12:49:10 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/12/10 19:44:20 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/07/18 12:19:40 | 002,998,784 | ---- | M] (Tamarack Software, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nptgeqplugin.dll
[2011/05/04 10:17:49 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml
[2011/04/21 18:13:55 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/21 18:02:41 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panda Cloud Antivirus (2).lnk = File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender (2).lnk = File not found
O4 - Startup: C:\Documents and Settings\Becky\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Becky\Start Menu\Programs\Startup\RTHDCPL.lnk = C:\Program Files\Realtek\InstallShield\RTHDCPL.exe (Realtek Semiconductor Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - File not found
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - File not found
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - File not found
O15 - HKU\S-1-5-21-484763869-1604221776-682003330-1004\..Trusted Domains: youporn.com ([www] http in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (HpProductDetection Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab (WordMojo Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: ActiveGS.cab http://www.virtualapple.org/activegs.cab (Reg Error: Key error.)
O16 - DPF: CabBuilder http://www.imgag.com/kiw/toolbar/download/InstallerControl.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/11 23:17:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/21 18:04:18 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/21 18:02:38 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/21 16:54:15 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
[2011/05/21 10:29:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/21 10:27:56 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Becky\Desktop\esetsmartinstaller_enu.exe
[2011/05/20 10:21:15 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/20 10:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/20 10:21:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/20 10:21:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/20 10:20:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Becky\Desktop\mbam-setup-1.50.1.1100.exe
[2011/05/20 04:22:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/20 04:18:21 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\proquota.exe
[2011/05/20 04:18:21 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\proquota.exe
[2011/05/20 04:10:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/20 04:10:35 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/20 04:10:35 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/20 04:10:35 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/20 04:06:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/20 03:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/05/20 03:01:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2011/05/20 03:01:32 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2011/05/20 03:00:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2011/05/19 21:28:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2011/05/19 19:42:29 | 000,000,000 | --SD | C] -- C:\WINDOWS\Downloaded Program Files
[2011/05/19 19:20:44 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Becky\Desktop\aswMBR.exe
[2011/05/19 19:07:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/05/19 18:44:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\msagent
[2011/05/19 18:39:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\untrusted
[2011/05/19 18:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\xerox
[2011/05/19 18:30:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\microsoft frontpage
[2011/05/19 17:56:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\AVG10
[2011/05/18 21:12:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/18 21:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop
[2011/05/18 21:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/05/18 05:53:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/05/18 05:52:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/18 01:17:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\DDS
[2011/05/18 01:10:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/05/18 01:10:27 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/05/18 01:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\My Documents\Limewire Downloads
[2011/05/18 00:47:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/18 00:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/18 00:46:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/05/18 00:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/05/18 00:22:57 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/05/18 00:00:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/05/18 00:00:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\IObit
[2011/05/18 00:00:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/05/17 23:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2011/05/17 23:36:15 | 000,000,000 | ---D | C] -- C:\be32fa19b784f6fcc6c5c1eb6c4314
[2011/05/17 23:32:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/05/17 16:58:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\Malwarebytes
[2011/05/17 16:57:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/15 18:25:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/15 17:05:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/05/15 16:28:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/15 16:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/15 15:56:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/15 15:56:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2011/05/21 18:11:14 | 000,272,073 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/05/21 18:11:01 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/21 18:07:31 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/21 18:05:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/21 18:02:41 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/21 16:54:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
[2011/05/21 13:16:07 | 000,045,158 | ---- | M] () -- C:\Documents and Settings\Becky\My Documents\Resume, supplimental info.rtf
[2011/05/21 10:28:31 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Becky\Desktop\esetsmartinstaller_enu.exe
[2011/05/20 10:20:42 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Becky\Desktop\mbam-setup-1.50.1.1100.exe
[2011/05/20 04:05:17 | 004,352,047 | R--- | M] () -- C:\Documents and Settings\Becky\Desktop\ComboFix.exe
[2011/05/20 03:01:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/19 21:22:31 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\MBR.dat
[2011/05/19 19:20:48 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Becky\Desktop\aswMBR.exe
[2011/05/19 14:33:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/19 01:27:34 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/18 19:03:45 | 000,031,071 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\Movie poster ad.rtf
[2011/05/18 00:46:46 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Becky\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/17 23:33:30 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/05/17 23:27:06 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/05/17 09:19:01 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Becky\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to firefox.lnk
[2011/05/12 09:56:28 | 000,043,644 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Resume, supplimental info.rtf
[2011/05/05 21:48:07 | 000,000,955 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender (2).lnk
[2011/05/05 11:29:16 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\UMdsyGU7.dat
[2011/04/24 20:58:41 | 000,071,266 | ---- | M] () -- C:\Documents and Settings\Becky\My Documents\Resume Rebecka Moore.rtf
[2011/04/24 20:58:41 | 000,071,266 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Resume Rebecka Moore.rtf

========== Files Created - No Company Name ==========

[2011/05/20 04:10:35 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/20 04:10:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/20 04:10:35 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/20 04:10:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/20 04:10:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/20 04:05:04 | 004,352,047 | R--- | C] () -- C:\Documents and Settings\Becky\Desktop\ComboFix.exe
[2011/05/20 03:27:46 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/19 21:22:31 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Becky\Desktop\MBR.dat
[2011/05/18 19:03:45 | 000,031,071 | ---- | C] () -- C:\Documents and Settings\Becky\Desktop\Movie poster ad.rtf
[2011/05/18 00:46:46 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Becky\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/17 23:32:39 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/05/17 10:28:58 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/05/17 09:19:01 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Becky\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to firefox.lnk
[2011/05/12 09:57:02 | 000,043,644 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Resume, supplimental info.rtf
[2011/05/12 09:56:28 | 000,045,158 | ---- | C] () -- C:\Documents and Settings\Becky\My Documents\Resume, supplimental info.rtf
[2011/05/12 09:44:48 | 000,071,266 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Resume Rebecka Moore.rtf
[2011/05/05 08:53:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\UMdsyGU7.dat
[2010/04/03 22:55:32 | 002,183,470 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2010/01/19 18:56:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/11/06 11:05:17 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\UpdateDriver.exe
[2009/11/06 11:05:17 | 000,004,512 | ---- | C] () -- C:\WINDOWS\System32\ucuiinfo.ini
[2009/07/10 15:16:20 | 000,004,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2008/12/17 16:24:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/10/21 14:27:29 | 000,118,568 | ---- | C] () -- C:\WINDOWS\hpoins09.dat.temp
[2008/10/21 14:27:28 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat.temp
[2008/10/21 13:06:26 | 000,118,131 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
[2008/04/01 02:26:18 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/01/28 14:20:28 | 000,139,775 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
[2008/01/28 14:20:28 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
[2008/01/28 14:20:20 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2008/01/01 20:41:56 | 000,000,384 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/08/06 18:08:17 | 000,138,240 | ---- | C] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/12 15:28:46 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/07/12 00:53:09 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/07/11 23:35:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\KmRemove.exe
[2007/07/11 23:19:11 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/07/11 23:15:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/07/11 18:09:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/07/11 18:07:23 | 000,302,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/19 13:26:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/19 13:26:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/09 12:29:36 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,505,394 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,088,858 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F085C8A1

< End of report >

I've got a good feeling about this,
Becky

ken545 · May 22, 2011

Wonderful :bigthumb:

I guess I didn't to bad as your computer Geek, let me tell ya, you did very well following instructions , do you want to be my assistant ???

Malwarebytes is the free version and yours to keep, it will not be removed

Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Safe Surfn
Ken

Wexem · May 22, 2011

Yay! We won the battle! You're so awesome Ken! Kirby Happy Dance Time!!!

(>^.^)> <(^.^<) (>^.^)> <(^.^<) (>^.^)> <(^.^<) (>^.^)> <(^.^<) <(^.^<) (>^.^)> <(^.^<) (>^.^)> <(^.^<) (>^.^)> <(^.^<) (>^.^)>

Sure, I'll assist you with anything.

How may I promote your awesomeness? I'm already sharing tails of your might on FB. Is there anywhere I can show some monetary love? My computer is running so much faster now and I didn't have to visit...shudder...the Geek Squad or give them my money. I like my money.

All hail the great and powerful Tech-Lord Ken!

Your very grateful comrade-in-arms and horn tooter (hehe),
Becky

ken545 · May 22, 2011

Glad all is well. The Geek Squad will cost you big bucks), if your ever in need of computer repair ( like a failed hard drive ) or things of that nature you would be better off finding a local computer shop to do the work.

Take care,
Ken

Malware problem present even in Safe Mode!

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert