Win32/Patched.GB virus! Please help...

Post by lorieoreo » January 10th, 2011, 4:42 pm

Hello,
After searching recipes online and clicking on a random search result in Google, I found myself with a nasty little virus. My AVG Resident Shield popped up with multiple threats from a virus named Win32/Patched.GB. It says it is white-listed as the system files it's attacking (C:\WINDOWS\explorer.exe and C:\WINDOWS\system32\winlogon.exe) are critical/system files that should not be removed.

First, I tried rebooting my computer, only to find when it restarted, I had no icons on my desktop. Just the pretty field/cloud Microsoft background. :( I did a system restore to about an hour before this, and luckily my desktop came back normal. But still with multiple threat detections from AVG's Resident Shield.

At the advice of a friend, I uninstalled AVG and downloaded Eset, ran Eset's scan with no luck. Same outcome, Eset detected the bugs, but couldn't remove them. I then uninstalled Eset. Then I downloaded Malwarebytes and ran it in safe mode, then again in regular mode. It seemed to have removed things, and my computer has been and is still working fine, but once I reinstalled AVG, as I knew I couldn't operate without some kind of antivirus software, everything started again. Same Resident Shield alerts.

Here's my HijackThis log & Uninstall list.... I hope someone can help me out!!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:26:36 PM, on 1/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Je4EM] C:\WINDOWS\kkekpna.exe
O4 - HKLM\..\Run: [ycejlyc] C:\WINDOWS\ycejlyc.EXE
O4 - HKLM\..\Run: [mvihasc] C:\WINDOWS\mvihasc.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: Chris Sawyer's Locomotion Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{E046409E-0D6D-44ED-B177-26A8970562E6}\{77F45E76-E897-42CA-A9FE-5F56817D875C}\ATR1.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - http://www.facebook.com/fbplugin/win32/ ... 5759231109
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/ ... cab?v=1049
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} (P3DActiveX Control) - http://panda-plugin.disney.go.com/plugi ... ctivex.cab
O16 - DPF: {96695E54-ECE5-437B-81BF-D45FA9F878A0} (S3DisplayAct.UserControl1) - http://www.s3graphics.com/S3DisplayAct/S3DisplayAct.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9edf74d41606c) (gupdate1c9edf74d41606c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11316 bytes


Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.0
Alarm 2.0.4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2011
AVG 2011
AVG 2011
Citrix XenApp Plugin for Hosted Apps
Compaq Connections
Compaq Instant Support
Control Center for Kodak Webcams
Critical Update for Windows Media Player 11 (KB959772)
Google Earth
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
iTunes
Lexmark 730 Series
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.2
Picasa 3
QuickTime
RealPlayer
RealUpgrade 1.0
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Symantec KB-DocID:2003093015493306
U.S. Robotics Wireless MAXg Adapter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
VIA/S3G Display Driver
ViewSonic Monitor Drivers
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update



Thanks in advance....
lorieoreo
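The log above is the kind of thing a helper reads by eye, and the O4 (Run-key) lines are the first stop: entries such as [Je4EM] C:\WINDOWS\kkekpna.exe, [ycejlyc] and [mvihasc] are unfamiliar binaries sitting directly in the Windows directory with names that look machine-generated. The script below is an added example for this thread and is not HijackThis code, ComboFix code or anything posted by the MalwareRemoval.com helpers. It parses the O4 lines, works out which program each command actually launches (handling quoted paths, unquoted paths with spaces, and rundll32 wrappers), and flags entries for review using two assumed heuristics: the binary lives in the Windows root, or its name has too few vowels or a long consonant run while living in the Windows root or system32. The Windows root, the small allowlist of stock binaries (ctfmon, hkcmd) and the vowel thresholds are assumptions chosen for this log, and a flag means "look at this", not "this is malware". The sample lines are copied verbatim from the HijackThis log in the post above.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example for this thread; not HijackThis, ComboFix or forum code.
It only flags entries for a human to examine: a flag is not a verdict.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Assumption: the Windows directory, taken from the log's "Platform" line.
WINDOWS_ROOT = r"C:\WINDOWS"

# Assumption: stock Windows binaries whose names happen to trip the
# "random name" heuristic below. Extend for your own environment.
KNOWN_WINDOWS_BINARIES = {"ctfmon", "hkcmd"}

# HijackThis writes Run-key entries as:  O4 - HKLM\..\Run: [value] command
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# A quoted path, or the first thing ending in .exe/.com/.scr (unquoted
# "Program Files" paths contain spaces), else the first bare token.
QUOTED = re.compile(r'"([^"]+)"')
EXECUTABLE = re.compile(r"(.+?\.(?:exe|com|scr))(?=\s|$)", re.IGNORECASE)


@dataclass
class AutorunEntry:
    hive: str
    value_name: str
    command: str
    binary: str
    reasons: List[str] = field(default_factory=list)


def launched_binary(command: str) -> str:
    """Return the program a Run-key command line actually starts."""
    command = command.strip()
    m = QUOTED.match(command) or EXECUTABLE.match(command)
    if m:
        return m.group(1)
    return command.split(None, 1)[0] if command else ""


def looks_random(stem: str) -> bool:
    """Crude machine-generated-name test: all letters, few vowels or a long
    consonant run. Tuned on this thread's names; expect false positives
    (hence the allowlist) and false negatives."""
    w = stem.lower()
    if not w.isalpha() or len(w) < 5:
        return False
    vowel_ratio = sum(c in "aeiou" for c in w) / len(w)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", w)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def reasons_for(binary: str, windows_root: str = WINDOWS_ROOT) -> List[str]:
    """Why a launched binary deserves a second look (empty list = nothing)."""
    root = windows_root.lower()
    system32 = ntpath.join(root, "system32")
    parent = ntpath.dirname(binary).lower()
    stem = ntpath.splitext(ntpath.basename(binary))[0]
    if stem.lower() in KNOWN_WINDOWS_BINARIES:
        return []
    reasons = []
    if parent == root:
        reasons.append("executable sits directly in the Windows directory root")
    if parent in (root, system32) and looks_random(stem):
        reasons.append(f"random-looking file name {stem!r} in a system directory")
    return reasons


def parse_hijackthis_o4(log_text: str) -> List[AutorunEntry]:
    """Parse every O4 Run-key line and attach the triage reasons."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        binary = launched_binary(m.group("cmd"))
        entries.append(AutorunEntry(m.group("hive"), m.group("name"),
                                    m.group("cmd"), binary, reasons_for(binary)))
    return entries


def suspicious_autoruns(log_text: str) -> List[AutorunEntry]:
    """Only the entries that have at least one reason attached."""
    return [e for e in parse_hijackthis_o4(log_text) if e.reasons]


# Sample input: O4 lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Je4EM] C:\WINDOWS\kkekpna.exe
O4 - HKLM\..\Run: [ycejlyc] C:\WINDOWS\ycejlyc.EXE
O4 - HKLM\..\Run: [mvihasc] C:\WINDOWS\mvihasc.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
"""

if __name__ == "__main__":
    for e in suspicious_autoruns(SAMPLE_LOG):
        print(f"{e.hive} [{e.value_name}] -> {e.binary}")
        for r in e.reasons:
            print("    -", r)
```

Run against the sample it lists the three binaries in the Windows root plus system32\pshwr.exe and leaves the Intel, HP, Lexmark, AVG and Microsoft entries alone. The allowlist is the honest part of the design: name heuristics alone will always catch some stock binaries (ctfmon has one vowel in six letters), so in practice you pair a flag like this with a check the name cannot fake, such as a digital signature or a hash against a known-good copy.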


Post by askey127 » January 10th, 2011, 9:05 pm

lorieoreo,
Please perform the sequence below exactly as given.
Please do not scan, install or remove anything unless I ask.

In all likelihood you have an infection called Bamital.D
It is quite dangerous, and difficult to remove.
DO NOT allow AVG to scan anything.
We will be replacing AVG below with Avira Antivir to give us the best chance of removing the infection.
-----------------------------------------------
Download Antivir Free
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Save the Installer to your desktop, but don't run it yet.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

AVG 2011

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------
Install Antivir
Double Click the Avira Antivir Installer on your desktop, and Install the program.
Let it update itself, but don't run a scan yet.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVIRA ANTIVIR
    Please navigate to the system tray on the bottom right hand corner and look for an open umbrella on a red background.
    • Right click it and untick any of the options AntiVir Guard enable, Antivir Webguard enable, and Antivir Mailguard enable, that are present.
    • You should now see a closed umbrella on a red background.
    The AntiVir Guards are now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your Antivir protection software.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127


Post by lorieoreo » January 10th, 2011, 10:32 pm

Hi Askey127,

I followed all your steps diligently. Everything went exactly according to plan except when my computer rebooted after combofix, the Antivir was already enabled again, so I did not have to do it myself. Things looked normal until I opened Internet Explorer to send this reply, then Antivir brought up a Guard message that says Malware found, a virus or unwanted program 'TR/Hijacker.Gen' was found in file 'C:\WINDOWS\system32\nt.dll'. Waiting on your advice patiently....


ComboFix 11-01-10.04 - Owner 01/10/2011 21:00:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.420 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\zzz.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Application Data\Microsoft
C:\install.exe
c:\program files\Common Files\Companion Wizard
c:\program files\wincmapp
c:\program files\wincmapp\Uninstall.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\java.exe
c:\windows\system32\stera.log
D:\Autorun.inf

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VSPF
-------\Legacy_VSPF_HK


((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2011-01-11 01:48 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-11 01:48 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-11 01:48 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-11 01:48 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-11 01:48 . 2011-01-11 01:48 -------- d-----w- c:\program files\Avira
2011-01-11 01:48 . 2011-01-11 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-01-10 20:26 . 2011-01-10 20:26 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-10 20:26 . 2011-01-10 20:26 -------- d-----w- c:\program files\Trend Micro
2011-01-10 17:02 . 2003-05-02 13:05 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-01-10 04:44 . 2011-01-10 04:45 -------- d-----w- c:\documents and settings\Administrator
2011-01-10 01:41 . 2011-01-10 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10
2011-01-10 01:38 . 2011-01-10 01:38 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-09 22:02 . 2011-01-09 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-01-09 22:01 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-09 22:01 . 2011-01-09 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-09 22:01 . 2011-01-09 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 22:01 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-09 20:53 . 2011-01-09 20:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2011-01-09 20:49 . 2011-01-09 20:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
2011-01-09 20:49 . 2011-01-09 20:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ESET
2011-01-09 20:48 . 2011-01-09 20:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-01-09 20:28 . 2011-01-09 20:28 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-09 20:26 . 2011-01-11 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-09 20:16 . 2011-01-10 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-02 02:01 . 2011-01-02 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Control Center for Kodak Webcams
2011-01-02 02:01 . 2011-01-02 02:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Control Center for Kodak Webcams
2011-01-02 02:01 . 2011-01-02 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\KodakWebcams
2011-01-02 01:59 . 2011-01-02 01:59 -------- d-----w- c:\program files\Control Center for Kodak Webcams
2010-12-28 19:12 . 2011-01-09 13:03 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-12-28 19:11 . 2011-01-10 16:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-12-28 19:11 . 2010-12-28 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-12-28 19:08 . 2008-04-13 19:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-12-28 19:08 . 2008-04-13 19:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-12-28 19:08 . 2008-04-14 01:12 20992 ----a-w- c:\windows\system32\dshowext.ax
2010-12-28 19:08 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-12-28 19:08 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-25 23:20 . 2010-12-25 23:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Panda3D
2010-12-15 07:32 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 07:31 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2003-10-31 20:05 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-10-31 20:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-10-31 20:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-10-31 20:06 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-10-31 20:04 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-10-11 10:06 1853312 ----a-w- c:\windows\system32\win32k.sys
2006-10-05 19:35 . 2006-10-05 19:35 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"NVIEW"="nview.dll" [2003-08-19 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"LTMSG"="LTMSG.exe 7" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"mvihasc"="c:\windows\mvihasc.exe" [2005-10-01 0]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-14 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Chris Sawyer's Locomotion Registration.lnk - c:\documents and settings\Owner\Local Settings\Temp\{E046409E-0D6D-44ED-B177-26A8970562E6}\{77F45E76-E897-42CA-A9FE-5F56817D875C}\ATR1.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/10/2011 8:48 PM 135336]
S2 gupdate1c9edf74d41606c;Google Update Service (gupdate1c9edf74d41606c);c:\program files\Google\Update\GoogleUpdate.exe [6/15/2009 3:24 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2011-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:24]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:24]

2011-01-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-11 c:\windows\Tasks\User_Feed_Synchronization-{5FA37B43-61A0-4E4B-94EF-9B3EE6B5BC06}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunCasino.exe
IE: {{B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - c:\program files\PartyGaming\PartyBingo\RunBingo.exe
LSP: SpSubLSP.dll
Trusted Zone: facebook.com\www
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/ ... 5759231109
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugi ... ctivex.cab
DPF: {96695E54-ECE5-437B-81BF-D45FA9F878A0} - hxxp://www.s3graphics.com/S3DisplayAct/S3DisplayAct.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k04le3a0.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-pshower - c:\windows\system32\pshwr.exe
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
HKLM-Run-Je4EM - c:\windows\kkekpna.exe
HKLM-Run-ycejlyc - c:\windows\ycejlyc.EXE
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-10 21:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(1196)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\WLTRAY.exe
c:\windows\system32\VTTimer.exe
c:\windows\LTMSG.exe
c:\windows\ALCXMNTR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-01-10 21:24:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-11 02:24

Pre-Run: 78,977,196,032 bytes free
Post-Run: 85,743,415,296 bytes free

- - End Of File - - BFA8CCE457CE95AA34101398BCD6EA3C
lorieoreo
Active Member
 
Posts: 10
Joined: January 10th, 2011, 4:13 pm

Re: Win32/Patched.GB virus! Please help...

Unread postby askey127 » January 11th, 2011, 8:25 am

lorieoreo,
Good so far.
I will take care of that file identified by Antivir.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O4 - HKLM\..\Run: [Je4EM] C:\WINDOWS\kkekpna.exe
O4 - HKLM\..\Run: [ycejlyc] C:\WINDOWS\ycejlyc.EXE
O4 - HKLM\..\Run: [mvihasc] C:\WINDOWS\mvihasc.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each entry, as follows, one by one, if it exists, and choose Remove:

Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8

Take extra care in answering questions posed by any Uninstaller.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    File::
    C:\WINDOWS\kkekpna.exe
    C:\WINDOWS\ycejlyc.exe
    C:\WINDOWS\mvihasc.exe
    C:\WINDOWS\system32\nt.dll
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    [Image: the CFScript.txt icon being dragged onto the ComboFix (zzz.exe) icon]
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    hlp.dat
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So we are looking for the Combofix (zzz.exe) results, and the log from SystemLook.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Win32/Patched.GB virus! Please help...

Unread postby lorieoreo » January 11th, 2011, 11:50 am

Askey127,
Everything went as you said, except during removing registry items with HijackThis, 3 of the listed items were missing. (...kkekpna.exe, ...ycejlyc.exe, ...pshwr.exe) Not sure if this affects anything, since you mentioned some might be missing, but wanted to let you know. Also, at the start of Combofix, it asked me to update it and it restarted its scan. And I had to disable Antivir in order to run Combofix. (All items that deviated a tad from your instructions... again, not sure if any of it matters since my computer looks good, no Guards popping up from Antivir, but just wanted you to know). Here is the Combofix log & the SystemLook log:



ComboFix 11-01-10.08 - Owner 01/11/2011 10:23:52.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.419 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\kkekpna.exe"
"c:\windows\mvihasc.exe"
"c:\windows\system32\nt.dll"
"c:\windows\ycejlyc.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\mvihasc.exe
c:\windows\system32\nt.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
.

2011-01-11 01:48 . 2010-12-13 13:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-11 01:48 . 2010-12-13 13:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-11 01:48 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-11 01:48 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-11 01:48 . 2011-01-11 01:48 -------- d-----w- c:\program files\Avira
2011-01-11 01:48 . 2011-01-11 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-01-10 20:26 . 2011-01-10 20:26 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-10 20:26 . 2011-01-10 20:26 -------- d-----w- c:\program files\Trend Micro
2011-01-10 17:02 . 2003-05-02 13:05 229487 ----a-w- c:\windows\system32\jpicpl32.cpl
2011-01-10 04:44 . 2011-01-10 04:45 -------- d-----w- c:\documents and settings\Administrator
2011-01-10 01:41 . 2011-01-10 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10
2011-01-10 01:38 . 2011-01-10 01:38 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-01-09 22:02 . 2011-01-09 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-01-09 22:01 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-09 22:01 . 2011-01-09 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-09 22:01 . 2011-01-09 22:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-09 22:01 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-09 20:53 . 2011-01-09 20:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2011-01-09 20:49 . 2011-01-09 20:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
2011-01-09 20:49 . 2011-01-09 20:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ESET
2011-01-09 20:48 . 2011-01-09 20:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-01-09 20:28 . 2011-01-09 20:28 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-09 20:26 . 2011-01-11 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-01-09 20:16 . 2011-01-10 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-01-02 02:01 . 2011-01-02 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Control Center for Kodak Webcams
2011-01-02 02:01 . 2011-01-02 02:13 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Control Center for Kodak Webcams
2011-01-02 02:01 . 2011-01-02 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\KodakWebcams
2011-01-02 01:59 . 2011-01-02 01:59 -------- d-----w- c:\program files\Control Center for Kodak Webcams
2010-12-28 19:12 . 2011-01-09 13:03 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-12-28 19:11 . 2011-01-10 16:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-12-28 19:11 . 2010-12-28 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-12-28 19:08 . 2008-04-13 19:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-12-28 19:08 . 2008-04-13 19:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-12-28 19:08 . 2008-04-14 01:12 20992 ----a-w- c:\windows\system32\dshowext.ax
2010-12-28 19:08 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-12-28 19:08 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-25 23:20 . 2010-12-25 23:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Panda3D
2010-12-15 07:32 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 07:31 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2003-10-31 20:05 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-10-31 20:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-10-31 20:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-10-31 20:06 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2003-10-31 20:04 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2003-10-11 10:06 1853312 ----a-w- c:\windows\system32\win32k.sys
2006-10-05 19:35 . 2006-10-05 19:35 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"NVIEW"="nview.dll" [2003-08-19 852038]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"LTMSG"="LTMSG.exe 7" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-14 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Chris Sawyer's Locomotion Registration.lnk - c:\documents and settings\Owner\Local Settings\Temp\{E046409E-0D6D-44ED-B177-26A8970562E6}\{77F45E76-E897-42CA-A9FE-5F56817D875C}\ATR1.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/10/2011 8:48 PM 135336]
S2 gupdate1c9edf74d41606c;Google Update Service (gupdate1c9edf74d41606c);c:\program files\Google\Update\GoogleUpdate.exe [6/15/2009 3:24 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2011-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:24]

2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 20:24]

2011-01-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-01-11 c:\windows\Tasks\User_Feed_Synchronization-{5FA37B43-61A0-4E4B-94EF-9B3EE6B5BC06}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
LSP: SpSubLSP.dll
Trusted Zone: facebook.com\www
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/ ... 5759231109
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugi ... ctivex.cab
DPF: {96695E54-ECE5-437B-81BF-D45FA9F878A0} - hxxp://www.s3graphics.com/S3DisplayAct/S3DisplayAct.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k04le3a0.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-11 10:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2011-01-11 10:34:05
ComboFix-quarantined-files.txt 2011-01-11 15:33
ComboFix2.txt 2011-01-11 02:24

Pre-Run: 85,774,184,448 bytes free
Post-Run: 85,761,486,848 bytes free

- - End Of File - - 619BA9943F344D483B82A0141249AE5A



SystemLook 04.09.10 by jpshortstuff
Log created at 10:43 on 11/01/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "hlp.dat"
No files found.

-= EOF =-
lorieoreo
Active Member
 
Posts: 10
Joined: January 10th, 2011, 4:13 pm

Re: Win32/Patched.GB virus! Please help...

Unread postby askey127 » January 11th, 2011, 12:56 pm

lorieoreo,
Looking better.
We will check on your present Security settings.
These infections may have corrupted the entries you made for your Antivirus and Firewall.
-----------------------------------------------
Run Defence Inspector
Download the tool from this link: http://downloads.securitycadets.com/Def ... pector.exe
Once downloaded, double-click DefenceInspector to run it.
When presented with the option to begin the scan, please press any key to continue.
When DefenceInspector has finished scanning (this should not take longer than a minute or so), a log will appear.
Please post the entire contents of this log in your next reply.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
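
The post above says the infection may have corrupted the Antivirus and Firewall entries; the ComboFix "Reg Loading Points" sections posted earlier show what that looks like (AntiVirusOverride and FirewallOverride set, EnableFirewall=0, an extra SecurityProviders DLL). The following is an added example, not code from the thread, from askey127 or from ComboFix: a Python audit of that dump format that flags the suppressed Security Center alerts, the disabled firewall profile, and SecurityProviders/BootExecute entries that deviate from the stock Windows XP defaults assumed in the code; the sample dump is constructed from the log lines above.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for weakened defences.

Added example (not part of the thread or of ComboFix): it parses the
REGEDIT4-style dump ComboFix prints and flags settings that silence or
disable protection, plus values that deviate from the stock Windows XP
defaults assumed below. The sample dump is constructed from the log above.
"""
import re

# Constructed sample: the security-relevant sections from the log posted above.
SAMPLE_REG_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Stock Windows XP SP3 values (assumed baseline for this example).
XP_DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
XP_DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}


def parse_reg_dump(text):
    """Return {key_path_lowercased: {value_name: raw_data}}.

    ComboFix mixes two line shapes: classic .reg lines ("Name"=dword:00000001,
    or "Name"= 0 (0x0)) and bare 'Name [REG_TYPE] data' lines for strings.
    """
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        if current is None:
            continue
        m = (re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
             or re.match(r'^(\S+)\s+REG_\w+\s+(.*)$', line)
             or re.match(r'^(\S+)\s+(.*)$', line))
        if m:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def as_int(raw):
    """Decode 'dword:00000001' or '0 (0x0)' style data; None if not numeric."""
    m = re.match(r'^dword:([0-9a-fA-F]+)$', raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    return int(m.group(1)) if m else None


def find_key(sections, suffix):
    """Match on the path tail, because ComboFix abbreviates hives (HKLM\\~\\...)."""
    return next((v for k, v in sections.items() if k.endswith(suffix)), {})


def audit(sections):
    """List the settings a helper would want explained before trusting the machine."""
    findings = []
    sc = find_key(sections, r"software\microsoft\security center")
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if as_int(sc.get(name, "dword:0")) == 1:
            findings.append(f"Security Center {name}=1: missing-protection alerts are suppressed")
    for path, values in sections.items():
        if r"security center\monitoring" in path and as_int(values.get("DisableMonitoring", "dword:0")) == 1:
            findings.append(f"Security Center monitoring disabled for {path.rsplit(chr(92), 1)[-1]}")
    fw = find_key(sections, r"firewallpolicy\standardprofile")
    if as_int(fw.get("EnableFirewall", "1 (0x1)")) == 0:
        findings.append("Windows Firewall standard profile has EnableFirewall=0")
    providers = find_key(sections, r"control\securityproviders").get("SecurityProviders", "")
    for dll in (p.strip() for p in providers.split(",")):
        if dll and dll.lower() not in XP_DEFAULT_SECURITY_PROVIDERS:
            findings.append(f"Non-default SecurityProviders entry {dll}: loads into lsass.exe, verify on disk")
    boot = find_key(sections, r"control\session manager").get("BootExecute", "")
    # ComboFix joins REG_MULTI_SZ elements with a literal "\0" in its text output.
    for entry in (e.strip() for e in boot.split(r"\0")):
        if entry and entry not in XP_DEFAULT_BOOTEXECUTE:
            findings.append(f"Non-default BootExecute entry {entry!r}: runs before logon at boot")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_dump(SAMPLE_REG_DUMP)):
        print("-", finding)
```

Run against the constructed dump it reports six findings; each is a prompt to verify the value rather than a verdict, since legitimate security suites also register providers and BootExecute entries.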

Re: Win32/Patched.GB virus! Please help...

Unread postby lorieoreo » January 11th, 2011, 1:05 pm

Here's the DefenceInspector log:

Defence Inspector (Build 26.09.10.1)
Log created at 12:04:10 on January 11, 2011

-= System =-
Windows XP (32-bit, Service Pack 3)
Windows Update: Automatic installation
System Restore: ON (41 point(s) available)

-= User Accounts =-
Administrator (Admin)
ASPNET
Guest (Disabled)
HelpAssistant (Disabled)
Owner (Admin)
SUPPORT_388945a0 (Disabled)
SUPPORT_fddfa904 (Disabled)

-= Security Programs =-
Avira AntiVir
Malwarebytes' Anti-Malware
Windows Defender: Not found
Windows Firewall: Disabled

-= Other Programs =-
Adobe Flash Player (ActiveX) 10.0.32.18
Internet Explorer 8.0.6001.18702
Java (Version Unknown)
Mozilla Firefox 3.6.13 (en-US)

-= EOF =-


And thank you so much for all of your assistance thus far... you are definitely becoming my favorite person of all time!! ;)
lorieoreo
Active Member
 
Posts: 10
Joined: January 10th, 2011, 4:13 pm

Re: Win32/Patched.GB virus! Please help...

Unread postby askey127 » January 11th, 2011, 2:08 pm

lorieoreo,
Much better. We still have a few more things to do.
Please go to Start > Control Panel > Windows Firewall.
You need to click "ON (recommended)", and then click OK.
--------------------------------------------------------
Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.4 are vulnerable.
Go HERE and click on AdbeRdr940_en_US.exe to download the latest version of Adobe Acrobat Reader.
Save this file to your desktop and run it to install the latest version of Adobe Reader.

Now we will check for items that may have been corrupted, or are set incorrectly.
---------------------------------------------
Run a Scan with OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, in the Standard Registry box, click All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL (should be on your desktop).
  • Make sure Notepad's Format > Wordwrap is unchecked.
  • Please copy the contents of each of these files, one at a time, and post them in your next reply.
  • Use separate replies if you wish.

Let me know how it goes.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
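The OTL scan requested above writes its process, service and driver entries in a fixed line format (the PRC/SRV/DRV lines in the log posted further down). As an added example, not part of this thread and not OTL's own code, the Python script below parses lines in that format and groups the entries a helper usually checks first: services or drivers whose file is missing from disk, files with no company name in their version info, and anything loading from a Temp directory. The sample lines are copied from the log in this thread; the three triage categories and the Temp-path rule are this example's own choices, not OTL's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry that carries file metadata, e.g.
#   SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\...\sched.exe -- (AntiVirSchedulerService)
# The company field is matched lazily so a nested "(PCAUSA)" inside it still parses.
META_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - \[(?P<stamp>[^\]]*)\] \((?P<company>.*?)\)"
    r"(?: \[(?P<flags>[^\]]*)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\).*)?$"
)
# Entry whose target no longer exists on disk, e.g.
#   DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\szkg.sys -- (szkg)
MISSING_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - File not found"
    r"(?: \[(?P<flags>[^\]]*)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\).*)?$"
)
# Example's own rule (not an OTL feature): flag anything loaded from a Temp directory.
TEMP_RE = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # PRC, SRV, DRV or MOD
    path: str
    name: str = ""       # service/driver name from the trailing "(...)"
    company: str = ""    # version-info company; empty when OTL prints "()" or "( )"
    flags: List[str] = field(default_factory=list)  # e.g. ["Kernel", "Auto", "Running"]
    file_present: bool = True


def _flags(raw: Optional[str]) -> List[str]:
    return [f.strip() for f in (raw or "").split("|") if f.strip()]


def parse_otl_line(line: str) -> Optional[Entry]:
    """Parse one PRC/SRV/DRV/MOD line; section headers and other lines return None."""
    line = line.rstrip()
    m = META_RE.match(line)
    if m:
        return Entry(m["kind"], m["path"], m["name"] or "", m["company"].strip(),
                     _flags(m["flags"]), True)
    m = MISSING_RE.match(line)
    if m:
        return Entry(m["kind"], m["path"], m["name"] or "", "", _flags(m["flags"]), False)
    return None


def parse_otl_log(text: str) -> List[Entry]:
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group entries by the reason a helper would look at them first."""
    findings: Dict[str, List[str]] = {"missing_file": [], "no_company": [], "temp_location": []}
    for e in entries:
        label = f"{e.kind} {e.name or e.path}"
        if not e.file_present:
            findings["missing_file"].append(label)   # orphaned service/driver registration
        elif not e.company:
            findings["no_company"].append(label)     # no version info: verify by hand
        if TEMP_RE.search(e.path):
            findings["temp_location"].append(label)  # code running from a Temp folder
    return findings


# Sample lines copied from the OTL log posted in this thread (headers included to show they are skipped).
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2005/07/25 14:25:18 | 000,491,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxcfcoms.exe
========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/09/07 15:42:02 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2003/07/30 04:15:00 | 000,126,348 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nvcap.sys -- (nvcap) nVidia WDM Video Capture (universal)
"""

if __name__ == "__main__":
    for reason, items in triage(parse_otl_log(SAMPLE_LOG)).items():
        print(f"{reason}: {items}")
```

A "File not found" entry only means the registration outlived its file; whether that is leftover from an uninstalled product or something to clean up is still a judgement call for the helper reading the full log.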

Re: Win32/Patched.GB virus! Please help...

Unread postby lorieoreo » January 11th, 2011, 2:54 pm

Thanks Askey127,

Ok, here are the OTL.txt & Extras.txt logs:



OTL logfile created on: 1/11/2011 1:45:03 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 350.00 Mb Available Physical Memory | 50.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.65 Gb Total Space | 79.62 Gb Free Space | 74.65% Space Free | Partition Type: NTFS
Drive D: | 5.14 Gb Total Space | 0.96 Gb Free Space | 18.71% Space Free | Partition Type: FAT32
Drive F: | 46.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 106.65 Gb Total Space | 58.02 Gb Free Space | 54.40% Space Free | Partition Type: NTFS

Computer Name: LORIE | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/11 13:43:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/14 08:55:19 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/02/23 08:05:34 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/20 14:05:46 | 001,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2005/07/29 13:38:38 | 000,176,128 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxcfpswx.exe
PRC - [2005/07/25 14:25:18 | 000,491,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxcfcoms.exe
PRC - [2004/10/22 11:53:06 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2003/07/14 19:52:44 | 000,040,960 | ---- | M] (Agere Systems) -- C:\WINDOWS\ltmsg.exe


========== Modules (SafeList) ==========

MOD - [2011/01/11 13:43:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/09/20 14:05:46 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2005/07/25 14:25:18 | 000,491,520 | ---- | M] ( ) [On_Demand | Running] -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\szkg.sys -- (szkg)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\PCAMPR5.SYS -- (PCAMPR5)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo)
DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/11/17 11:31:28 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/10/16 19:35:58 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/07/24 17:46:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2007/10/05 19:40:44 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2006/08/14 20:25:44 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 10:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/09/07 15:42:02 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/04 00:29:51 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2004/02/17 06:49:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/30 04:15:00 | 000,126,348 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nvcap.sys -- (nvcap) nVidia WDM Video Capture (universal)
DRV - [2003/07/30 04:15:00 | 000,013,006 | ---- | M] (NVIDIA Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nvxbar.sys -- (NVXBAR)
DRV - [2003/07/02 13:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/07/02 01:33:00 | 000,652,497 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/06/19 03:59:00 | 000,140,800 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/06/12 04:56:44 | 000,098,304 | R--- | M] (ATMEL) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vnet558x.sys -- (FVNETusb)
DRV - [2003/05/06 17:34:56 | 000,394,752 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/04/11 10:51:30 | 000,010,624 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2003/02/20 18:18:36 | 000,036,608 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/07/30 00:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/def ... earch.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.msn.com/spbasic.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.13
FF - prefs.js..network.proxy.no_proxies_on: "localhost"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 11:31:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/14 08:56:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/24 12:06:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/11 13:42:40 | 000,000,000 | ---D | M]

[2010/12/24 12:06:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/12/24 12:06:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2011/01/10 15:14:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k04le3a0.default\extensions
[2010/12/24 12:21:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k04le3a0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/10 15:04:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/24 12:06:24 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/03/14 08:56:53 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2010/12/03 14:35:08 | 000,025,048 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/12/03 14:35:08 | 000,140,248 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/08/07 13:35:32 | 000,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2010/12/03 14:35:08 | 000,066,520 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/09/22 18:10:52 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/12/05 16:39:47 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/12/05 16:39:47 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/12/05 16:39:47 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/12/05 16:39:47 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/12/05 16:39:47 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/12/05 16:39:48 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008/12/05 16:39:48 | 000,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2010/12/03 12:36:32 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/12/03 12:36:32 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/12/03 12:36:32 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/12/03 12:36:32 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/12/03 12:36:32 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/12/03 12:36:32 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

O1 HOSTS File: ([2011/01/11 10:31:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AlcxMonitor] C:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LTMSG] C:\WINDOWS\ltmsg.exe (Agere Systems)
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (U.S. Robotics Corporation)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [NVIEW] C:\WINDOWS\System32\nview.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Chris Sawyer's Locomotion Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{E046409E-0D6D-44ED-B177-26A8970562E6}\{77F45E76-E897-42CA-A9FE-5F56817D875C}\ATR1.EXE File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: facebook.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: yahoo.com ([www] https in Trusted sites)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install-ie/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://www.facebook.com/fbplugin/win32/ ... 5759231109 (Reg Error: Key error.)
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} http://www-cdn.freerealms.com/gamedata/ ... cab?v=1049 (SonyOnlineInstallerX)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader.cab (MySpace Uploader Control)
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} http://www.slide.com/uploader/SlideImageUploader.cab (Slide Image Uploader Control)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab (HP Download Manager)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX27.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.4.1/jinsta ... s-i586.cab (Java Plug-in 1.4.1)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} http://panda-plugin.disney.go.com/plugi ... ctivex.cab (P3DActiveX Control)
O16 - DPF: {96695E54-ECE5-437B-81BF-D45FA9F878A0} http://www.s3graphics.com/S3DisplayAct/S3DisplayAct.cab (S3DisplayAct.UserControl1)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.4.1/jinsta ... s-i586.cab (Java Plug-in 1.4.1)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/fl ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/11 05:16:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2010/03/10 06:35:12 | 000,000,097 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (stera) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/11 13:43:28 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/01/11 13:41:12 | 027,634,824 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\AdbeRdr940_en_US.exe
[2011/01/11 10:34:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/01/10 20:56:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/10 20:56:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/10 20:56:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/10 20:56:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/10 20:56:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/10 20:56:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/10 20:48:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/01/10 20:48:09 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/01/10 20:48:08 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/01/10 20:48:08 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/01/10 20:48:08 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/01/10 20:48:08 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/01/10 20:48:07 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/01/10 20:48:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/01/10 15:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/01/10 15:26:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\HiJackThis
[2011/01/10 12:02:57 | 000,229,487 | ---- | C] (Sun Microsystems) -- C:\WINDOWS\System32\jpicpl32.cpl
[2011/01/09 20:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVG10
[2011/01/09 20:38:58 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/09 17:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2011/01/09 17:01:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/09 17:01:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/09 17:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/01/09 17:01:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/09 17:01:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/01/09 15:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ESET
[2011/01/09 15:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\ESET
[2011/01/09 15:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ESET
[2011/01/09 15:48:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2011/01/09 15:26:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/01/09 15:25:54 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/01/09 15:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/01 21:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Control Center for Kodak Webcams
[2011/01/01 21:01:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Control Center for Kodak Webcams
[2011/01/01 21:01:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\KodakWebcams
[2011/01/01 21:01:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Control Center for Kodak Webcams
[2011/01/01 20:59:40 | 000,000,000 | ---D | C] -- C:\Program Files\Control Center for Kodak Webcams
[2010/12/28 14:12:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\skypePM
[2010/12/28 14:11:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Skype
[2010/12/28 14:11:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/12/28 14:08:52 | 000,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\USBAUDIO.sys
[2010/12/28 14:08:52 | 000,060,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys
[2010/12/28 14:08:43 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dshowext.ax
[2010/12/28 14:08:43 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dshowext.ax
[2010/12/28 14:08:36 | 000,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2010/12/25 18:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Panda3D
[2010/12/24 12:06:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2010/12/24 12:06:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2010/12/15 02:32:33 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/15 02:31:19 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2006/10/05 14:35:32 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2005/07/25 14:31:30 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2005/07/25 14:27:22 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2005/07/25 14:26:58 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2005/07/25 14:25:26 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2005/07/25 14:24:46 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[2005/07/25 14:24:14 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2005/07/25 14:19:36 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[2003/12/09 13:16:52 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/11 13:49:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5FA37B43-61A0-4E4B-94EF-9B3EE6B5BC06}.job
[2011/01/11 13:46:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/11 13:44:31 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
[2011/01/11 13:44:30 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
[2011/01/11 13:43:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/01/11 13:42:42 | 000,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/01/11 13:41:13 | 027,634,824 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\AdbeRdr940_en_US.exe
[2011/01/11 12:03:55 | 000,339,456 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DefenceInspector.exe
[2011/01/11 10:42:55 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/01/11 10:31:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/11 10:19:36 | 004,152,479 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\zzz.exe
[2011/01/11 10:07:50 | 000,000,189 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2011/01/11 10:07:45 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/11 10:07:27 | 737,726,464 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/11 10:07:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/11 10:01:40 | 000,002,677 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2011/01/10 20:48:24 | 000,001,715 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/01/10 20:37:03 | 059,325,912 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avira_antivir_personal_en.exe
[2011/01/10 15:25:11 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.msi
[2011/01/10 12:29:54 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/01/10 12:09:11 | 000,000,897 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2011/01/10 12:06:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/10 11:30:17 | 000,200,936 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/09 18:55:58 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\virus summary jan82011.wps
[2011/01/09 17:02:00 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/09 14:33:08 | 000,699,904 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CHARGE RECEIPT SHEET.wps
[2011/01/06 14:21:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/01 21:01:06 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Control Center for Kodak Webcams.lnk
[2010/12/28 14:13:03 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/24 12:06:28 | 000,001,628 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/24 12:06:28 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/22 23:21:35 | 000,019,688 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Mikes poem.odt
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/11 13:42:41 | 000,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/01/11 12:03:55 | 000,339,456 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\DefenceInspector.exe
[2011/01/11 10:42:54 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/01/10 20:56:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/10 20:56:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/10 20:56:39 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/10 20:56:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/10 20:56:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/10 20:54:54 | 004,152,479 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\zzz.exe
[2011/01/10 20:48:24 | 000,001,715 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/01/10 20:36:47 | 059,325,912 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avira_antivir_personal_en.exe
[2011/01/10 15:26:09 | 000,002,677 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2011/01/10 15:25:10 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.msi
[2011/01/10 09:58:16 | 737,726,464 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/09 18:55:57 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\virus summary jan82011.wps
[2011/01/09 17:02:00 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/01 21:01:06 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Control Center for Kodak Webcams.lnk
[2010/12/28 14:13:03 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/24 12:06:28 | 000,001,628 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/24 12:06:28 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/22 23:21:35 | 000,019,688 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Mikes poem.odt
[2010/06/22 07:30:10 | 000,602,112 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2008/05/16 22:49:44 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/04/09 13:10:50 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/01/12 17:52:24 | 000,000,478 | ---- | C] () -- C:\WINDOWS\iScreensaver.ini
[2007/10/05 16:18:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini
[2007/08/21 10:58:43 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\Cylon.dll
[2007/08/21 10:58:43 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/08/21 10:58:43 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\usrnicvw.dll
[2007/08/21 10:57:49 | 000,000,133 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2006/10/21 18:29:02 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2006/08/12 18:37:20 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2006/08/12 18:37:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/09/18 20:43:28 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/08/28 16:31:58 | 000,000,007 | ---- | C] () -- C:\WINDOWS\offnm.ini
[2005/08/24 15:26:55 | 000,000,045 | ---- | C] () -- C:\WINDOWS\HGFEIHJ.ini
[2005/08/24 15:21:22 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/07/07 04:12:28 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2005/04/09 14:39:55 | 000,000,425 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/12/12 19:31:38 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2004/12/12 19:31:14 | 000,028,672 | ---- | C] () -- C:\WINDOWS\gscr.dll
[2004/12/03 10:26:25 | 000,002,560 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_edomains.dat
[2004/12/03 10:26:18 | 000,002,976 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_patterns.dat
[2004/12/03 10:26:18 | 000,000,136 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
[2004/12/03 10:26:16 | 000,000,104 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_rules.dat
[2004/11/12 12:46:11 | 000,000,351 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/09/17 17:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/13 11:50:47 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2004/07/01 01:14:58 | 000,001,195 | ---- | C] () -- C:\WINDOWS\System32\imbrmute.ini
[2004/05/22 12:35:57 | 000,000,021 | ---- | C] () -- C:\WINDOWS\System32\mchnieasy.sys
[2004/04/08 11:18:47 | 000,000,557 | ---- | C] () -- C:\WINDOWS\HEGames.ini
[2004/04/08 11:17:55 | 000,000,067 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2004/04/07 23:17:53 | 000,001,721 | ---- | C] () -- C:\WINDOWS\disney.ini
[2004/03/22 20:49:47 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/03/10 15:32:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/02/24 00:46:04 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2004/02/23 20:29:24 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2004/02/23 17:48:06 | 000,004,165 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2004/02/23 17:47:46 | 000,000,470 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2004/02/23 01:17:47 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2003/10/14 08:52:37 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/10/14 08:51:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/10/14 08:35:01 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/10/11 07:47:42 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2003/10/11 07:45:41 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/10/11 07:40:57 | 000,029,222 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2003/10/11 07:40:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/10/11 07:40:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/10/11 07:29:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/11 07:16:42 | 000,000,897 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/10/11 06:25:06 | 000,003,205 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/10/11 06:15:11 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/10/11 06:07:05 | 000,126,348 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvcap.sys
[2003/10/11 05:47:37 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/11 05:39:21 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/10/11 05:39:21 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/10/11 05:39:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/10/11 05:19:00 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/10/11 05:06:45 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/10/11 02:10:46 | 000,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/10/11 02:10:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/10/10 22:10:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 14:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

========== LOP Check ==========

[2011/01/10 20:43:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2007/03/19 21:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2011/01/09 20:38:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/01 21:01:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Control Center for Kodak Webcams
[2009/07/27 12:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2004/02/21 23:53:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightboxSA
[2009/07/14 13:24:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/01/09 20:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2005/08/24 12:00:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
[2006/10/14 11:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/03/19 21:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
[2006/10/23 14:31:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2006/08/14 21:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2007/03/16 20:54:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2010/10/28 19:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/18 14:46:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/26 19:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2005/08/24 15:22:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Aim
[2011/01/09 20:41:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG10
[2009/03/03 17:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\eMusic
[2011/01/09 15:49:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ESET
[2009/09/21 18:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ICAClient
[2004/11/12 12:51:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\interMute
[2004/10/07 08:57:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2008/01/12 17:52:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\iScreensaver
[2004/02/23 01:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2008/01/12 17:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEGO Company
[2007/11/03 16:32:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LucasArts
[2004/11/12 12:40:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Lycos
[2010/04/26 07:31:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
[2006/10/14 11:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PlayFirst
[2003/10/11 08:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/04/07 14:28:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SBTT
[2006/12/10 20:26:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Snapfish
[2010/02/20 10:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony Online Entertainment
[2006/08/13 19:27:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\STOPzilla!
[2005/08/08 00:13:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2009/07/27 12:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2009/03/06 19:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Unity
[2004/03/19 14:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VCOM
[2006/11/02 18:58:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Wildfire
[2011/01/11 13:49:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5FA37B43-61A0-4E4B-94EF-9B3EE6B5BC06}.job

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 1/11/2011 1:45:04 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 350.00 Mb Available Physical Memory | 50.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.65 Gb Total Space | 79.62 Gb Free Space | 74.65% Space Free | Partition Type: NTFS
Drive D: | 5.14 Gb Total Space | 0.96 Gb Free Space | 18.71% Space Free | Partition Type: FAT32
Drive F: | 46.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 106.65 Gb Total Space | 58.02 Gb Free Space | 54.40% Space Free | Partition Type: NTFS

Computer Name: LORIE | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" File not found
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe" = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe:*:Enabled:BackWeb-1940576 -- ()
"C:\Program Files\Real\RealOne Player\realplay.exe" = C:\Program Files\Real\RealOne Player\realplay.exe:*:Disabled:RealOne Player -- (RealNetworks, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp
"{2B43252C-A1E3-4C47-927C-9F2C276D3515}" = S3GSetup
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}" = Citrix XenApp Plugin for Hosted Apps
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{483616D1-867E-46F8-BEC7-3C6475933908}" = Adobe Photoshop Album Starter Edition
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Alarm_is1" = Alarm 2.0.4
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BackWeb-1940576 Uninstaller" = Compaq Connections
"Compaq Instant Support" = Compaq Instant Support
"Control Center for Kodak Webcams" = Control Center for Kodak Webcams
"ie8" = Windows Internet Explorer 8
"Lexmark 730 Series" = Lexmark 730 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA" =
"Picasa 3" = Picasa 3
"RealPlayer 12.0" = RealPlayer
"S3" = VIA/S3G Display Driver
"U.S. Robotics Wireless MAXg Adapter" = U.S. Robotics Wireless MAXg Adapter
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"VTDisplay" = S3 S3Display
"VTGamma2" = S3 S3Gamma2
"VTInfo2" = S3 S3Info2
"VTOverlay" = S3 S3Overlay
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2010 11:06:23 PM | Computer Name = LORIE | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 7.0.8.218, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/9/2010 1:05:27 PM | Computer Name = LORIE | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 7.0.8.218, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2010 9:28:58 PM | Computer Name = LORIE | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 12/20/2010 5:30:44 PM | Computer Name = LORIE | Source = Application Hang | ID = 1002
Description = Hanging application RobloxApp.exe, version 0.30.0.4, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/1/2011 9:21:06 PM | Computer Name = LORIE | Source = Application Error | ID = 1000
Description = Faulting application setup.exe, version 0.0.0.0, faulting module setup.exe,
version 0.0.0.0, fault address 0x00005c1b.

Error - 1/1/2011 10:15:16 PM | Computer Name = LORIE | Source = Application Error | ID = 1000
Description = Faulting application kodakwebcams.exe, version 0.0.0.0, faulting module
kodakwebcams.exe, version 0.0.0.0, fault address 0x00021019.

Error - 1/5/2011 6:33:42 PM | Computer Name = LORIE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/6/2011 11:21:17 PM | Computer Name = LORIE | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 7.0.8.218, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/9/2011 9:39:54 PM | Computer Name = LORIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 1/9/2011 9:39:54 PM | Computer Name = LORIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:57 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:58 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:13:58 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/11/2011 11:23:39 AM | Computer Name = LORIE | Source = Service Control Manager | ID = 7034
Description = The U.S. Robotics Wireless LAN Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
lorieoreo
Active Member
Posts: 10
Joined: January 10th, 2011, 4:13 pm

Re: Win32/Patched.GB virus! Please help...

Unread postby askey127 » January 11th, 2011, 5:35 pm

lorieoreo,
----------------------------------------------
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    [2009/07/27 12:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
    [2006/08/13 19:27:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\STOPzilla!
    [2011/01/09 20:41:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG10
    [2006/08/14 21:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    [2011/01/10 20:43:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2011/01/09 15:26:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2011/01/09 20:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVG10
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    O18 - Protocol\Handler\ipp - No CLSID value found
    O15 - HKCU\..Trusted Domains: facebook.com ([www] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O15 - HKCU\..Trusted Domains: yahoo.com ([www] https in Trusted sites)
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe (Reg Error: Key error.)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
    DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
    SRV - [2007/09/20 14:05:46 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
    
    :Commands
    [EMPTYTEMP]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Win32/Patched.GB virus! Please help...

Unread postby lorieoreo » January 11th, 2011, 6:08 pm

Hey Askey127,
Ok, so I think I've made my first booboo with ya. ;) I ran OTL as directed, then noticed that the Internet Explorer window from whence I was reading your reply was still open, so I closed it. Unfortunately everything froze up for a bit, but the scan started back in a few seconds... then froze up at the end. OTL said all processes done, or something like that, but just sat there. Wouldn't reboot the computer. So I manually turned the computer off, and when it rebooted, it gave me an OTL Run command. I clicked Run and it produced the following log:


All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\Documents and Settings\Owner\Application Data\Uniblue folder moved successfully.
C:\Documents and Settings\Owner\Application Data\STOPzilla! folder moved successfully.
C:\Documents and Settings\Owner\Application Data\AVG10\cfgall folder moved successfully.
C:\Documents and Settings\Owner\Application Data\AVG10 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\STOPzilla!\Quarantine folder moved successfully.
C:\Documents and Settings\All Users\Application Data\STOPzilla! folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\lsdb\prev folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\lsdb folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\IDS\config\EN_US folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\IDS\config folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\IDS folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\Dumps folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\4a18a1a418a1900d folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\Chjw folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\admincli folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10 folder moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\AVG10\ not found.
Folder C:\Documents and Settings\Owner\Application Data\AVG10\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
File Protocol\Handler\msdaipp - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
File Protocol\Handler\ipp - No CLSID value found not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\facebook.com\www\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yahoo.com\www\ deleted successfully.
Starting removal of ActiveX control {D4323BF2-006A-4440-A2F5-27E3E7AB25F8}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Service SbcpHid stopped successfully!
Service SbcpHid deleted successfully!
C:\WINDOWS\system32\drivers\SbcpHid.sys moved successfully.
Service Symantec Core LC stopped successfully!
Service Symantec Core LC deleted successfully!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: All

User: All Users

User: Application

User: Application Data

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 1995 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 187719 bytes
->Temporary Internet Files folder emptied: 7931251 bytes
->Java cache emptied: 481676294 bytes
->FireFox cache emptied: 74434051 bytes
->Google Chrome cache emptied: 444929283 bytes
->Flash cache emptied: 2752283 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 966.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.20.1 log created on 01112011_164050

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF7E11.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF892E.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5CKW27WG\viewtopic[1].php not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...



Now, after copying you that report, I did the Quick Scan like you suggested and here's that log. Hope I didn't mess things up! ;)


OTL logfile created on: 1/11/2011 4:59:57 PM - Run 2
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

703.00 Mb Total Physical Memory | 334.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.65 Gb Total Space | 82.77 Gb Free Space | 77.61% Space Free | Partition Type: NTFS
Drive D: | 5.14 Gb Total Space | 0.96 Gb Free Space | 18.71% Space Free | Partition Type: FAT32
Drive F: | 46.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: LORIE | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/11 13:43:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/14 08:55:19 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/02/23 08:05:34 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/22 11:53:06 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2003/07/14 19:52:44 | 000,040,960 | ---- | M] (Agere Systems) -- C:\WINDOWS\ltmsg.exe


========== Modules (SafeList) ==========

MOD - [2011/01/11 13:43:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2005/07/25 14:25:18 | 000,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\szkg.sys -- (szkg)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\PCAMPR5.SYS -- (PCAMPR5)
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaInfo.sys -- (LMIInfo)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/11/17 11:31:28 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/10/16 19:35:58 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/07/24 17:46:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2007/10/05 19:40:44 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2006/08/14 20:25:44 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 10:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/09/07 15:42:02 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/04 00:29:51 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2004/02/17 06:49:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/07/30 04:15:00 | 000,126,348 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nvcap.sys -- (nvcap) nVidia WDM Video Capture (universal)
DRV - [2003/07/30 04:15:00 | 000,013,006 | ---- | M] (NVIDIA Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\nvxbar.sys -- (NVXBAR)
DRV - [2003/07/02 13:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/07/02 01:33:00 | 000,652,497 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/06/19 03:59:00 | 000,140,800 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/06/12 04:56:44 | 000,098,304 | R--- | M] (ATMEL) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vnet558x.sys -- (FVNETusb)
DRV - [2003/05/06 17:34:56 | 000,394,752 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/04/11 10:51:30 | 000,010,624 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2003/02/20 18:18:36 | 000,036,608 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/07/30 00:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/def ... earch.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.msn.com/spbasic.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.1
FF - prefs.js..network.proxy.no_proxies_on: "localhost"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/14 08:56:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/24 12:06:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/11 13:42:40 | 000,000,000 | ---D | M]

[2010/12/24 12:06:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/01/10 15:14:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k04le3a0.default\extensions
[2010/12/24 12:21:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k04le3a0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/10 15:04:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/14 08:56:53 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT

O1 HOSTS File: ([2011/01/11 10:31:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [LTMSG] C:\WINDOWS\ltmsg.exe (Agere Systems)
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [NVIEW] C:\WINDOWS\System32\nview.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Chris Sawyer's Locomotion Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{E046409E-0D6D-44ED-B177-26A8970562E6}\{77F45E76-E897-42CA-A9FE-5F56817D875C}\ATR1.EXE File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install-ie/alttiff.cab (AlternaTIFF ActiveX)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://www.facebook.com/fbplugin/win32/ ... 5759231109 (Reg Error: Key error.)
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} http://www-cdn.freerealms.com/gamedata/ ... cab?v=1049 (SonyOnlineInstallerX)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader.cab (MySpace Uploader Control)
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} http://www.slide.com/uploader/SlideImageUploader.cab (Slide Image Uploader Control)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab (HP Download Manager)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX27.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.4.1/jinsta ... s-i586.cab (Java Plug-in 1.4.1)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} http://panda-plugin.disney.go.com/plugi ... ctivex.cab (P3DActiveX Control)
O16 - DPF: {96695E54-ECE5-437B-81BF-D45FA9F878A0} http://www.s3graphics.com/S3DisplayAct/S3DisplayAct.cab (S3DisplayAct.UserControl1)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.4.1/jinsta ... s-i586.cab (Java Plug-in 1.4.1)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/fl ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/11 05:16:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2010/03/10 06:35:12 | 000,000,097 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (stera) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/11 16:44:33 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/01/11 16:40:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/01/11 13:43:28 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/01/11 13:41:12 | 027,634,824 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\AdbeRdr940_en_US.exe
[2011/01/11 10:34:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/01/10 20:56:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/10 20:56:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/10 20:56:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/10 20:56:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/10 20:56:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/10 20:56:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/10 20:48:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/01/10 20:48:09 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/01/10 20:48:08 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/01/10 20:48:08 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/01/10 20:48:08 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/01/10 20:48:08 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/01/10 20:48:07 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/01/10 20:48:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/01/10 15:26:09 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/01/10 15:26:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\HiJackThis
[2011/01/09 20:38:58 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/09 17:02:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2011/01/09 17:01:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/09 17:01:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/09 17:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/01/09 17:01:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/09 17:01:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/01/09 15:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ESET
[2011/01/09 15:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\ESET
[2011/01/09 15:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ESET
[2011/01/09 15:48:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2011/01/09 15:25:54 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/01/09 15:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/01 21:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Control Center for Kodak Webcams
[2011/01/01 21:01:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Control Center for Kodak Webcams
[2011/01/01 21:01:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\KodakWebcams
[2011/01/01 21:01:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Control Center for Kodak Webcams
[2011/01/01 20:59:40 | 000,000,000 | ---D | C] -- C:\Program Files\Control Center for Kodak Webcams
[2010/12/28 14:12:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\skypePM
[2010/12/28 14:11:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Skype
[2010/12/28 14:11:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/12/25 18:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Panda3D
[2010/12/24 12:06:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2010/12/24 12:06:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2006/10/05 14:35:32 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2005/07/25 14:31:30 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2005/07/25 14:27:22 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2005/07/25 14:26:58 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2005/07/25 14:25:26 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2005/07/25 14:24:46 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[2005/07/25 14:24:14 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2005/07/25 14:19:36 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[2003/12/09 13:16:52 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll

========== Files - Modified Within 30 Days ==========

[2011/01/11 16:59:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5FA37B43-61A0-4E4B-94EF-9B3EE6B5BC06}.job
[2011/01/11 16:56:37 | 000,000,189 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2011/01/11 16:55:26 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
[2011/01/11 16:55:25 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/11 16:55:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/11 16:55:09 | 737,726,464 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/11 16:46:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/11 16:42:37 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1332983393-1165070127-3111594433-1003.job
[2011/01/11 14:33:24 | 000,686,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CHARGE RECEIPT SHEET.wps
[2011/01/11 13:43:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/01/11 13:42:42 | 000,001,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/01/11 13:41:13 | 027,634,824 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\AdbeRdr940_en_US.exe
[2011/01/11 12:03:55 | 000,339,456 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DefenceInspector.exe
[2011/01/11 10:42:55 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/01/11 10:31:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/11 10:19:36 | 004,152,479 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\zzz.exe
[2011/01/11 10:01:40 | 000,002,677 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2011/01/10 20:48:24 | 000,001,715 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/01/10 20:37:03 | 059,325,912 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avira_antivir_personal_en.exe
[2011/01/10 15:25:11 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.msi
[2011/01/10 12:29:54 | 000,000,057 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/01/10 12:09:11 | 000,000,897 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2011/01/10 12:06:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/10 11:30:17 | 000,200,936 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/09 18:55:58 | 000,017,408 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\virus summary jan82011.wps
[2011/01/09 17:02:00 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/06 14:21:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/01 21:01:06 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Control Center for Kodak Webcams.lnk
[2010/12/28 14:13:03 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/24 12:06:28 | 000,001,628 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/24 12:06:28 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/22 23:21:35 | 000,019,688 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Mikes poem.odt
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

========== Files Created - No Company Name ==========

[2011/01/11 13:42:41 | 000,001,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/01/11 12:03:55 | 000,339,456 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\DefenceInspector.exe
[2011/01/11 10:42:54 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/01/10 20:56:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/10 20:56:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/10 20:56:39 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/10 20:56:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/10 20:56:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/10 20:54:54 | 004,152,479 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\zzz.exe
[2011/01/10 20:48:24 | 000,001,715 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2011/01/10 20:36:47 | 059,325,912 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avira_antivir_personal_en.exe
[2011/01/10 15:26:09 | 000,002,677 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2011/01/10 15:25:10 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.msi
[2011/01/10 09:58:16 | 737,726,464 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/09 18:55:57 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\virus summary jan82011.wps
[2011/01/09 17:02:00 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/01 21:01:06 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Control Center for Kodak Webcams.lnk
[2010/12/28 14:13:03 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/24 12:06:28 | 000,001,628 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/24 12:06:28 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/22 23:21:35 | 000,019,688 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Mikes poem.odt
[2010/06/22 07:30:10 | 000,602,112 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2008/05/16 22:49:44 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/04/09 13:10:50 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/01/12 17:52:24 | 000,000,478 | ---- | C] () -- C:\WINDOWS\iScreensaver.ini
[2007/10/05 16:18:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini
[2007/08/21 10:58:43 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\Cylon.dll
[2007/08/21 10:58:43 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/08/21 10:58:43 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\usrnicvw.dll
[2007/08/21 10:57:49 | 000,000,133 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2006/10/21 18:29:02 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2006/08/12 18:37:20 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2006/08/12 18:37:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2005/09/18 20:43:28 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/08/28 16:31:58 | 000,000,007 | ---- | C] () -- C:\WINDOWS\offnm.ini
[2005/08/24 15:26:55 | 000,000,045 | ---- | C] () -- C:\WINDOWS\HGFEIHJ.ini
[2005/08/24 15:21:22 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/07/07 04:12:28 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2005/04/09 14:39:55 | 000,000,425 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/12/12 19:31:38 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2004/12/12 19:31:14 | 000,028,672 | ---- | C] () -- C:\WINDOWS\gscr.dll
[2004/12/03 10:26:25 | 000,002,560 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_edomains.dat
[2004/12/03 10:26:18 | 000,002,976 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_patterns.dat
[2004/12/03 10:26:18 | 000,000,136 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
[2004/12/03 10:26:16 | 000,000,104 | ---- | C] () -- C:\Program Files\ClearSearchcsie_tsb_rules.dat
[2004/11/12 12:46:11 | 000,000,351 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/09/17 17:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/13 11:50:47 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2004/07/01 01:14:58 | 000,001,195 | ---- | C] () -- C:\WINDOWS\System32\imbrmute.ini
[2004/05/22 12:35:57 | 000,000,021 | ---- | C] () -- C:\WINDOWS\System32\mchnieasy.sys
[2004/04/08 11:18:47 | 000,000,557 | ---- | C] () -- C:\WINDOWS\HEGames.ini
[2004/04/08 11:17:55 | 000,000,067 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2004/04/07 23:17:53 | 000,001,721 | ---- | C] () -- C:\WINDOWS\disney.ini
[2004/03/22 20:49:47 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/03/10 15:32:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/02/24 00:46:04 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2004/02/23 20:29:24 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2004/02/23 17:48:06 | 000,004,165 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2004/02/23 17:47:46 | 000,000,470 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2004/02/23 01:17:47 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2003/10/14 08:52:37 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/10/14 08:51:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\iAlmcoin.dll
[2003/10/14 08:35:01 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/10/11 07:47:42 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2003/10/11 07:45:41 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/10/11 07:40:57 | 000,029,222 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2003/10/11 07:40:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/10/11 07:40:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/10/11 07:29:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/11 07:16:42 | 000,000,897 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/10/11 06:25:06 | 000,003,205 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/10/11 06:15:11 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/10/11 06:07:05 | 000,126,348 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvcap.sys
[2003/10/11 05:47:37 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/11 05:39:21 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/10/11 05:39:21 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/10/11 05:39:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/10/11 05:19:00 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/10/11 05:06:45 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/10/11 02:10:46 | 000,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/10/11 02:10:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/10/10 22:10:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/03/19 21:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2011/01/09 20:38:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/01 21:01:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Control Center for Kodak Webcams
[2009/07/27 12:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2004/02/21 23:53:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightboxSA
[2009/07/14 13:24:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/01/09 20:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2005/08/24 12:00:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
[2006/10/14 11:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/03/19 21:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
[2006/10/23 14:31:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2007/03/16 20:54:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2010/10/28 19:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/18 14:46:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/26 19:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2005/08/24 15:22:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Aim
[2009/03/03 17:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\eMusic
[2011/01/09 15:49:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ESET
[2009/09/21 18:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ICAClient
[2004/11/12 12:51:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\interMute
[2004/10/07 08:57:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2008/01/12 17:52:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\iScreensaver
[2004/02/23 01:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2008/01/12 17:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEGO Company
[2007/11/03 16:32:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LucasArts
[2004/11/12 12:40:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Lycos
[2010/04/26 07:31:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
[2006/10/14 11:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PlayFirst
[2003/10/11 08:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/04/07 14:28:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SBTT
[2006/12/10 20:26:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Snapfish
[2010/02/20 10:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sony Online Entertainment
[2005/08/08 00:13:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2009/03/06 19:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Unity
[2004/03/19 14:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VCOM
[2006/11/02 18:58:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Wildfire
[2011/01/11 16:59:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5FA37B43-61A0-4E4B-94EF-9B3EE6B5BC06}.job

========== Purity Check ==========



< End of report >
lorieoreo
Active Member
 
Posts: 10
Joined: January 10th, 2011, 4:13 pm

Re: Win32/Patched.GB virus! Please help...

Unread postby askey127 » January 12th, 2011, 8:49 am

lorieoreo,
No problem. You did well.
Looking quite good.

To increase your protection going forward I would recommend use of a HOSTS file.
It blocks inadvertent access to thousands of harmful websites.
Be sure to follow the whole two-part procedure, and get the DNS Client service disabled before installing the HOSTS file.
-----------------------------------------------------------
Replace the Current HOSTS File with MVPs
If you wish, you can read about HOSTS files here : http://www.mvps.org/winhelp2002/hosts.htm

  • Disable DNS Client Service. This is necessary when installing a large HOSTS file.
    From Start, or Start, Run
    Type services.msc in the box and hit <Enter>
    Give permission to continue if necessary.
    Scroll down to DNS Client on the list, Right Click it and choose Properties.
    Under Service Status, click Stop. Wait until it reports the service stopped.
    Under Startup Type, choose Disabled.
    Then click Apply, OK
    If this procedure was successful, proceed with the installation as follows:
  • Use HostsXpert to Install the HOSTS File
    Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.
    • In the bottom half of the left pane, click on File Handling
    • If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only
    • Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.
    • Click on the top button labeled MVPs Hosts and choose Replace
    • When asked to verify if you want to Replace present Hosts file, click OK.
    • When it finishes, click on File Handling again.
    • Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?
    • Hit the X in the upper right corner to exit HostsXpert

If you have a separate third party firewall, or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

If you have no other issues with your machine, you should be good to go.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
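The HOSTS-file install described above, worked through in Python as an added example rather than with HostsXpert (this is not code from the thread, from HostsXpert or from the MVPS project). It parses hosts-file text, merges a blocklist into the existing file while keeping the localhost and any custom LAN entries, reports malformed lines instead of silently keeping them, and shows how a lookup against the finished file behaves. The two file contents, the hostnames and the LAN address are constructed for the example; the script does not write to C:\WINDOWS\system32\drivers\etc\hosts and does not touch the DNS Client service, which you would still stop and disable as described above before installing a large file.

```python
"""Hosts-file blocklist merge and lookup (added example; all sample data is constructed)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed stand-in for the machine's existing hosts file (not a real file from the thread).
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    nas.home        # a custom LAN entry worth preserving
"""

# Constructed stand-in for a downloaded MVPS-style blocklist; the real list has thousands of lines.
BLOCKLIST = """\
# Constructed sample; the real MVPS HOSTS file is at http://www.mvps.org/winhelp2002/hosts.htm
0.0.0.0 ads.example-tracker.net
0.0.0.0 banner.example-adnet.com  # trailing comment
0.0.0.0 Ads.Example-Tracker.NET   # duplicate differing only in case
127.0.0.1 localhost               # already mapped by the existing file
0.0.0.0 bad_host.example          # underscore is not a valid hostname character
999.0.0.0 evil.example            # not a valid IPv4 address
0.0.0.0                           # no hostname at all
"""


def valid_hostname(name: str) -> bool:
    """True if name is a syntactically valid DNS hostname (dotted labels, no trailing dot)."""
    if len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text: str) -> Tuple[List[Tuple[str, List[str]]], List[Tuple[int, str]]]:
    """Parse hosts text into (ip, [names]) entries and a list of (line number, reason) rejects.

    Comments (# to end of line) and blank lines are skipped. Hostnames are lowercased
    because hosts-file matching is case-insensitive.
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            rejected.append((lineno, "bad ip"))
            continue
        if not names:
            rejected.append((lineno, "no hostname"))
            continue
        if not all(valid_hostname(n) for n in names):
            rejected.append((lineno, "bad hostname"))
            continue
        entries.append((ip, [n.lower() for n in names]))
    return entries, rejected


def merge_hosts(existing: str, blocklist: str) -> str:
    """Return the existing file verbatim plus the blocklist entries it does not already map.

    Unlike a wholesale replace this keeps custom entries (localhost, LAN names) and never
    lets a blocklist line override a name the existing file already maps; duplicates
    within the blocklist are collapsed case-insensitively.
    """
    existing_entries, _ = parse_hosts(existing)
    seen = {n for _, names in existing_entries for n in names}
    block_entries, _ = parse_hosts(blocklist)
    new_lines = []
    for ip, names in block_entries:
        fresh = [n for n in names if n not in seen]
        if fresh:
            seen.update(fresh)
            new_lines.append(f"{ip} {' '.join(fresh)}")
    header = "\n# --- blocklist entries added below; keep your own entries above this line ---\n"
    return existing.rstrip("\n") + "\n" + header + "\n".join(new_lines) + "\n"


def lookup(hosts_text: str, name: str) -> Optional[str]:
    """Resolve name the way a hosts file does: exact, case-insensitive match, no wildcards.

    Returns the mapped IP, or None if the name is absent (it would then go to real DNS).
    An entry for ads.example-tracker.net does NOT cover cdn.ads.example-tracker.net.
    """
    entries, _ = parse_hosts(hosts_text)
    table: Dict[str, str] = {}
    for ip, names in entries:
        for n in names:
            table.setdefault(n, ip)  # first entry wins, as a resolver reads the file top-down
    return table.get(name.lower().rstrip("."))


if __name__ == "__main__":
    merged = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    print(merged)
    print("rejected blocklist lines:", parse_hosts(BLOCKLIST)[1])
    for host in ("ads.example-tracker.net", "cdn.ads.example-tracker.net", "www.facebook.com", "nas.home"):
        print(f"{host:32} -> {lookup(merged, host)}")
```

The lookup makes the two practical limits of a HOSTS blocklist visible: matching is exact, so a subdomain that is not listed is not blocked, and a site's own name (www.facebook.com in the constructed run) is not in the list at all; only the third-party ad and tracker hosts that its pages load from are.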

Re: Win32/Patched.GB virus! Please help...

Unread postby lorieoreo » January 12th, 2011, 10:52 am

Thanks Askey127.... did as you said. All looks well, the only odd thing that's happened since yesterday is that I accidentally left the PC on overnight and it was frozen when I came in this morning. Had to manually restart it. ??? Does this have anything to do with the viruses I had?
Also, one last question... my son was playing a website called Roblox.com for the past few months. Do you know if this website can be trusted? Or if it was partly responsible for my infection?

**Oh, and one more thing... can I delete all these programs that I have installed on my desktop throughout this process? Or should I keep them?

***Sorry, I've had to edit this post twice now. ;) Just noticed after surfing the net for the 1st time since the infection that I can't go to Facebook. It says cookies are required. Tried to update that myself in Internet Options/Security... but it looks much different than normal. Do you think you could help with this topic before we part ways?



Thanks so much! :)
lorieoreo
Active Member
 
Posts: 10
Joined: January 10th, 2011, 4:13 pm

Re: Win32/Patched.GB virus! Please help...

Unread postby askey127 » January 12th, 2011, 12:28 pm

lorieoreo,
You have done well.
Start OTL on your desktop and click the "Clean Up" button. It will take care of removing the programs.

Roblox is a hosting site. I don't see anything bad about it in the site blocklists (that's good).

About Facebook: Your new HOSTS file will not allow any page like facebook to load any ads or other banners, etc. from websites on the HOSTS blocklist. Some websites will have some blank spaces. These are the places where ads or infections get dumped on your machine if you click.

You may have to remake some settings in Internet Explorer because we had to change some settings in removing the infections.

-------------------------------------------------------
Fix Firefox like this and adware popups will not be a problem:

Update Firefox and Improve Security
Open Firefox. Hit an <Alt> key to pop up the File menu at the top.
Click Help in the top menu, and choose Check for Updates
Let it install any updates it wants.

Install Adblock Plus
Open Firefox if it's not running. Hit an <Alt> key again, to pop up the File menu at the top.
Click on Tools, then Add-ons
When the Add-ons dialog comes up, type "Adblock Plus" into the search box, then click on it, and click the Add to Firefox button.
When asked to choose a filter, choose the first one.

Install NoScript
Open Firefox if it's not running. Hit an <Alt> key again, to pop up the File menu at the top.
Click on Tools, then Add-ons
When the Add-ons dialog comes up, type "NoScript" into the search box, then click on it, and click the Add to Firefox button.
This blocks scripts from running on any website unless you click on the little "S" in the lower right corner of the screen and choose Allow scripts this page.
You should only allow scripts on trusted websites. (I wouldn't allow scripts on social networking sites, but it's your call.)

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Win32/Patched.GB virus! Please help...

Unread postby lorieoreo » January 12th, 2011, 2:40 pm

Okie doke... did as you said. Installed Adblock & Noscript on Firefox. I definitely want to keep my system clean from here on out, thanks for the tips.
However, I am still not able to get to Facebook via IE or Firefox. IE says cookies aren't enabled and Firefox says Javascript isn't enabled. (I'm guessing this is the NoScript I installed.) Anyhow... sorry to sound like an idiot... I'm sure I could figure this out on my own, but I don't want to do anything unknowingly that might undo some of the infection removal we just completed. So can you please advise me on a safe way to add Facebook as a usable website for both IE & Firefox? Without letting it possibly infect me in the future as well? LOL... is that possible?

Thanks so much...
lorieoreo
Active Member
 
Posts: 10
Joined: January 10th, 2011, 4:13 pm