Need help with Rootkit.ZeroAccess and TR/Crypt and others

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Need help with Rootkit.ZeroAccess and TR/Crypt and others Don't know how to remove it!

#1 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 02 February 2012 - 11:22 PM

My husband's computer is apparently infected with Rootkit.ZeroAccess, TR/Crypt.XPACK.Gen, Trojan horse Crypt, ANVH, PUM.Disabled.SecurityCenter, Hijack.StartMenu Internet, Hijack.Exefile and Pum.Bad.Proxy. Also AVG Free reported that serial.sys was white listed but could not be removed.

I put Combofix at C:\ and then ran it from a Safe Mode Command Prompt. It tells me that there is rootkit activity and needs to reboot, when I do that it says..please wait...Combofix is preparing to run...and then it just hangs. I was thinking about uninstalling AVG Free because I can't get into the console to temporarily disable it. So maybe that's the reason Combofix isn't working right.

So I would greatly appreciate it if someone would pickup this post and help me just start over from the beginning

Just tell me what you need me to do and I'll post back whatever info you need and, Don't worry, I know how to follow instructions.

The computer is a Dell and running Win XP SP3, AVG Free AntiVirus. It's turned off now until I can get your advice and help.

Here's the contents of his DDS log file
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by WWAdmin at 22:28:40 on 2012-02-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\OBroker.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85d7-b4da413c5a9a} - c:\program files\virtual account numbers\CitiVANHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: radiojazz Toolbar: {cbf6f119-ea59-4612-96c3-efd538c88c0a} - c:\program files\radiojazz\tbradi.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: radiojazz Toolbar: {cbf6f119-ea59-4612-96c3-efd538c88c0a} - c:\program files\radiojazz\tbradi.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Virtual Account Numbers: {7a21a046-b886-4a62-9d69-ef2059b0a27b} - c:\program files\virtual account numbers\CitiVANToolbar.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Citi Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B3F2BBB5-F5A6-4823-BFC2-9E54C4B3F974} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2012-2-2 135032]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-26 10448]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-2-2 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-8-21 167264]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]
.
=============== Created Last 30 ================
.
2012-02-03 02:02:07 -------- d-s---w- C:\ComboFix
2012-02-02 16:01:48 -------- d-----w- c:\windows\system32\cache
2012-02-02 11:59:31 135032 ----a-w- c:\windows\system32\drivers\dwprot.sys
2012-02-02 00:02:58 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-02-01 16:53:21 -------- d-sha-r- C:\cmdcons
2012-02-01 16:50:38 98816 ----a-w- c:\windows\sed.exe
2012-02-01 16:50:38 518144 ----a-w- c:\windows\SWREG.exe
2012-02-01 16:50:38 256000 ----a-r- c:\windows\PEV.exe
2012-02-01 16:50:38 208896 ----a-w- c:\windows\MBR.exe
2012-02-01 16:41:48 4394330 ------r- C:\ComboFix.exe
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 22:28:48.79 ===============

Here's the contents of the last Combofix file I have -- which the Global Moderator "boopme" instructed me to post instead of the GMER log file

\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Script file located at: \??\C:\ComboFix\ComboDel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\QooBox
*******************

Beginning to process script file:

File move operation C:\ComboFix\MT_mqac.sys.tmp|C:\WINDOWS\system32\drivers\mqac.sys completed successfully.

Could not open file C:\WINDOWS\$NtUninstallKB49616$\3695733831 for move operation
File move operation C:\WINDOWS\$NtUninstallKB49616$\3695733831|C:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB49616$\3695733831.vir failed!

Could not process line:
C:\WINDOWS\$NtUninstallKB49616$\3695733831|C:\QooBox\Quarantine\C\WINDOWS\$NtUninstallKB49616$\3695733831.vir
Status: 0xc0000279

Program C:\ComboFix\CF23446.3XE" /c "C:\ComboFix\C.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////

\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Script file located at: \??\C:\ComboFix\ComboDel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\QooBox
*******************

Beginning to process script file:

File move operation C:\ComboFix\MT_serial.sys.tmp|C:\WINDOWS\system32\drivers\serial.sys completed successfully.
File move operation C:\WINDOWS\system32\drivers\serial.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\serial.sys.vir_ completed successfully.

File C:\ComboFix\serial not found!
File move operation C:\ComboFix\serial|C:\WINDOWS\system32\drivers\serial.sys failed!

Could not process line:
C:\ComboFix\serial|C:\WINDOWS\system32\drivers\serial.sys
Status: 0xc0000034

Program C:\WINDOWS\Regedit.exe" /s "C:\ComboFix\SW_Serial.reg successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Attached File(s)

attach.txt (17.63K)
Number of downloads: 0

#2 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 03 February 2012 - 03:24 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days failure to reply will result in the topic being closed!
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:

NEXT:

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

NEXT:

Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

NEXT:

Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

NEXT:

Running OTL

We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
- Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extras.txt <-- Will be minimized

NEXT:

Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Please let me know how the above scans go.

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 03 February 2012 - 10:18 AM

Thank you Agent ST for picking up my post! I didn't get alot of sleep last night thinking about this but I feel better knowing there is someone helping and working with me to solve it. I am a professional web developer (10+ years) but this level of IT support is much more than I feel confident tackling myself.

Just so you know, I am perfectly fine with reformatting the machine and doing a clean install of Windows after we are done, if that's what you recommend because of the keylogging trojan. I can do that myself as I've done it many times before.

So, right now I just watned to let you know I received your message and I'm going to start working on all the tasks you just gave me. Just One more thing I failed to mention in the first post was that the computer can't get on the internet right now -- it has a wireless network card that is disabled and I can't get it to re-enable.

If you think I should, I will try moving the machine to another room and put a long ethernet cord to it and try connecting that way, otherwise, my plan is to download all this stuff to a thumb drive on my clean machine then use that to copy it over to the infected machine to run it.

My only area of concern is...AM I risking infection to my Clean Machine by doing this or is this approach alright to use? I scanned the thumb drive with AVG last night on the clean computer and it said it was okay.

Sorry if that's a silly paranoid question but thought I should ask anyway.

Thank you, Dona

#4 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 03 February 2012 - 10:45 AM

Hi Dona!

Quote

Thank you Agent ST for picking up my post! I didn't get alot of sleep last night thinking about this but I feel better knowing there is someone helping and working with me to solve it.

Oh noes! I'm sorry to hear you weren't able to sleep well last night! It's definitely not fun when you don't get a good nights sleep. I know that feeling and it sucks!

Hopefully tonight you'll be able to get a good nights sleep knowing that you're not battling this alone!

Quote

Just so you know, I am perfectly fine with reformatting the machine and doing a clean install of Windows after we are done, if that's what you recommend because of the keylogging trojan. I can do that myself as I've done it many times before.

Okay. We'll we can work on cleaning up the machine and at least removing the malicious files, so that if you do decide that reformatting is something you want to do, you won't be backing up infected files.

Quote

So, right now I just watned to let you know I received your message and I'm going to start working on all the tasks you just gave me. Just One more thing I failed to mention in the first post was that the computer can't get on the internet right now -- it has a wireless network card that is disabled and I can't get it to re-enable.

Okay, that's actually not something that is uncommon with this infection. ZeroAccess is notorious for messing with settings and permissions having to do with connecting to the internet successfully. The tools I'm asking you to run, are hopefully going to provide me with the information I need to diagnose and address the connection issue.

Quote

If you think I should, I will try moving the machine to another room and put a long ethernet cord to it and try connecting that way, otherwise, my plan is to download all this stuff to a thumb drive on my clean machine then use that to copy it over to the infected machine to run it.

I wouldn't worry about dragging the machine to the other room, no need to hurt yourself doing so (and I don't think it'd work anyways). We can work with transferring the files via a flash drive.

Quote

My only area of concern is...AM I risking infection to my Clean Machine by doing this or is this approach alright to use? I scanned the thumb drive with AVG last night on the clean computer and it said it was okay.

There is a risk of possibly contaminating the clean computer. It doesn't happen often, but it has been known to happen on occassion.

We can run a tool on the flash drive to protect it.

If the other computer you have is Windows XP, then please run this utility on it:

Running Flash Disinfector
Download Flash_Disinfector.exe by sUBs from HERE and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

If it's a Windows 7 or Vista machine, please let me know, and I'll provide you with instructions for a different tool.

Let me know.

Kindest Regards,
ST.

This post has been edited by SweetTech: 03 February 2012 - 10:52 AM

#5 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 03 February 2012 - 10:58 AM

AVG was complaining that the Flash Disinfector was a trojan....but I went ahead and ignored the warnings. seems to have worked alright.

Here are the results of my tasks -- I wrote FIRST - SECOND - THIRD and LAST and put a long hyphenated line like the one below between each one to separate

-----------------------------------------------------------------------------------------------------------------------------------

FIRST: I ran the TDSSKiller
please note that the Reboot computer option dialog box did NOT appear after threats were found and I clicked Continue
I closed the program and rebooted anyway.
It claimed to have found 4 threats in the order below -- all were suspicious objects of medium risk

Unsigned file
Service: cercsr6

Forged File:
Service: P17

Unsigned File
Service: PxHelp20

Unsigned File
Service: RxFilter

HERE's the Contents of the TDSSKIller LOG

12:04:13.0640 3888 TDSS rootkit removing tool 2.7.9.0 Feb 1 2012 09:28:49
12:04:13.0890 3888 ============================================================
12:04:13.0890 3888 Current date / time: 2012/02/03 12:04:13.0890
12:04:13.0890 3888 SystemInfo:
12:04:13.0890 3888
12:04:13.0890 3888 OS Version: 5.1.2600 ServicePack: 3.0
12:04:13.0890 3888 Product type: Workstation
12:04:13.0890 3888 ComputerName: USER1-CEFFE37FC
12:04:13.0890 3888 UserName: WWAdmin
12:04:13.0890 3888 Windows directory: C:\WINDOWS
12:04:13.0890 3888 System windows directory: C:\WINDOWS
12:04:13.0890 3888 Processor architecture: Intel x86
12:04:13.0890 3888 Number of processors: 2
12:04:13.0890 3888 Page size: 0x1000
12:04:13.0890 3888 Boot type: Normal boot
12:04:13.0890 3888 ============================================================
12:04:15.0531 3888 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:04:15.0578 3888 \Device\Harddisk0\DR0:
12:04:15.0578 3888 MBR used
12:04:15.0578 3888 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1B747, BlocksNum 0x1D189832
12:04:15.0593 3888 Initialize success
12:04:15.0593 3888 ============================================================
12:04:54.0546 2740 ============================================================
12:04:54.0546 2740 Scan started
12:04:54.0546 2740 Mode: Manual; SigCheck; TDLFS;
12:04:54.0546 2740 ============================================================
12:04:54.0625 2740 Scan interrupted by user!
12:04:54.0625 2740 Scan interrupted by user!
12:04:54.0625 2740 Scan interrupted by user!
12:04:54.0625 2740 ============================================================
12:04:54.0625 2740 Scan finished
12:04:54.0625 2740 ============================================================
12:04:54.0640 1604 Detected object count: 0
12:04:54.0640 1604 Actual detected object count: 0
12:05:05.0328 4060 ============================================================
12:05:05.0328 4060 Scan started
12:05:05.0328 4060 Mode: Manual; SigCheck; TDLFS;
12:05:05.0328 4060 ============================================================
12:05:05.0812 4060 Abiosdsk - ok
12:05:05.0890 4060 abp480n5 - ok
12:05:06.0031 4060 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:05:07.0453 4060 ACPI - ok
12:05:07.0656 4060 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:05:07.0843 4060 ACPIEC - ok
12:05:07.0937 4060 ADIHdAudAddService (62afc64108bbdb8d3ca32aad559e5af1) C:\WINDOWS\system32\drivers\ADIHdAud.sys
12:05:08.0015 4060 ADIHdAudAddService - ok
12:05:08.0078 4060 adpu160m - ok
12:05:08.0203 4060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:05:08.0328 4060 aec - ok
12:05:08.0406 4060 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:05:08.0453 4060 AFD - ok
12:05:08.0593 4060 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
12:05:08.0640 4060 AFS2K - ok
12:05:08.0859 4060 Aha154x - ok
12:05:08.0937 4060 aic78u2 - ok
12:05:09.0109 4060 aic78xx - ok
12:05:09.0125 4060 AliIde - ok
12:05:09.0156 4060 amsint - ok
12:05:09.0156 4060 asc - ok
12:05:09.0171 4060 asc3350p - ok
12:05:09.0187 4060 asc3550 - ok
12:05:09.0250 4060 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:05:09.0375 4060 AsyncMac - ok
12:05:09.0421 4060 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:05:09.0562 4060 atapi - ok
12:05:09.0593 4060 Atdisk - ok
12:05:09.0781 4060 ati2mtag (f5fc6ac1e7bc776871361d463fc86be2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
12:05:09.0953 4060 ati2mtag - ok
12:05:10.0156 4060 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:05:10.0281 4060 Atmarpc - ok
12:05:10.0375 4060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:05:10.0468 4060 audstub - ok
12:05:10.0546 4060 AVGIDSDriver (2d18221aab3db2d408d6c55c0f23090a) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
12:05:11.0375 4060 AVGIDSDriver - ok
12:05:11.0421 4060 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
12:05:11.0437 4060 AVGIDSEH - ok
12:05:11.0531 4060 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
12:05:11.0531 4060 AVGIDSFilter - ok
12:05:11.0593 4060 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
12:05:11.0609 4060 AVGIDSShim - ok
12:05:11.0656 4060 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
12:05:11.0687 4060 Avgldx86 - ok
12:05:11.0703 4060 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
12:05:11.0703 4060 Avgmfx86 - ok
12:05:11.0765 4060 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
12:05:11.0765 4060 Avgrkx86 - ok
12:05:11.0796 4060 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
12:05:11.0812 4060 Avgtdix - ok
12:05:11.0875 4060 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
12:05:11.0968 4060 b57w2k - ok
12:05:12.0015 4060 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:05:12.0109 4060 Beep - ok
12:05:12.0406 4060 catchme - ok
12:05:12.0468 4060 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:05:12.0578 4060 cbidf2k - ok
12:05:12.0578 4060 cd20xrnt - ok
12:05:12.0609 4060 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:05:12.0703 4060 Cdaudio - ok
12:05:12.0734 4060 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:05:12.0843 4060 Cdfs - ok
12:05:12.0890 4060 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:05:12.0984 4060 Cdrom - ok
12:05:13.0062 4060 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
12:05:13.0093 4060 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
12:05:13.0093 4060 cercsr6 - detected UnsignedFile.Multi.Generic (1)
12:05:13.0109 4060 Changer - ok
12:05:13.0125 4060 CmdIde - ok
12:05:13.0140 4060 Cpqarray - ok
12:05:13.0140 4060 dac2w2k - ok
12:05:13.0156 4060 dac960nt - ok
12:05:13.0156 4060 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:05:13.0265 4060 Disk - ok
12:05:13.0312 4060 DLABMFSM (7a1e8f722479ef934d71798ac3617ed7) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
12:05:13.0328 4060 DLABMFSM - ok
12:05:13.0328 4060 DLABOIOM (2281b5c596c04645426b3771a3bd5657) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
12:05:13.0343 4060 DLABOIOM - ok
12:05:13.0343 4060 DLACDBHM (43749294a1d9f22fe164a62c1a42919d) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
12:05:13.0375 4060 DLACDBHM - ok
12:05:13.0406 4060 DLADResM (54a3f9ebd1ddc975736f8e18a9b8fce9) C:\WINDOWS\system32\DLA\DLADResM.SYS
12:05:13.0421 4060 DLADResM - ok
12:05:13.0468 4060 DLAIFS_M (e0fbaf0146bfceec29f31f07452db4ad) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
12:05:13.0484 4060 DLAIFS_M - ok
12:05:13.0484 4060 DLAOPIOM (d3ce0c76496a5332032399639485774f) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
12:05:13.0500 4060 DLAOPIOM - ok
12:05:13.0500 4060 DLAPoolM (fce1882364d4c324b937a841ef9c58ac) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
12:05:13.0515 4060 DLAPoolM - ok
12:05:13.0515 4060 DLARTL_M (14183a8eff683eb0c1774802578ed0f4) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
12:05:13.0531 4060 DLARTL_M - ok
12:05:13.0531 4060 DLAUDFAM (2ef8c92ab8411589387845f58534c7d9) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
12:05:13.0546 4060 DLAUDFAM - ok
12:05:13.0562 4060 DLAUDF_M (a2096fd7b5037085a3dc580e2891d2c4) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
12:05:13.0562 4060 DLAUDF_M - ok
12:05:13.0656 4060 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:05:13.0796 4060 dmboot - ok
12:05:13.0843 4060 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:05:13.0937 4060 dmio - ok
12:05:13.0953 4060 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:05:14.0062 4060 dmload - ok
12:05:14.0078 4060 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:05:14.0187 4060 DMusic - ok
12:05:14.0187 4060 dpti2o - ok
12:05:14.0234 4060 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:05:14.0328 4060 drmkaud - ok
12:05:14.0359 4060 drvmcdb (1fb11e1eac27668754fd18a079cccfb3) C:\WINDOWS\system32\drivers\drvmcdb.sys
12:05:14.0375 4060 drvmcdb - ok
12:05:14.0406 4060 DRVNDDM (9628dfa16b1a47615c65318f8776f233) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
12:05:14.0421 4060 DRVNDDM - ok
12:05:14.0468 4060 DwProt (d33cfeb3404d47ad146040af6916beb6) C:\WINDOWS\system32\drivers\dwprot.sys
12:05:14.0500 4060 DwProt - ok
12:05:14.0578 4060 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:05:14.0656 4060 Fastfat - ok
12:05:14.0750 4060 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
12:05:14.0843 4060 Fdc - ok
12:05:14.0859 4060 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:05:14.0953 4060 Fips - ok
12:05:14.0968 4060 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
12:05:15.0062 4060 Flpydisk - ok
12:05:15.0109 4060 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:05:15.0203 4060 FltMgr - ok
12:05:15.0203 4060 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:05:15.0296 4060 Fs_Rec - ok
12:05:15.0296 4060 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:05:15.0390 4060 Ftdisk - ok
12:05:15.0421 4060 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
12:05:15.0875 4060 GEARAspiWDM - ok
12:05:15.0906 4060 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:05:16.0000 4060 Gpc - ok
12:05:16.0015 4060 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
12:05:16.0109 4060 HDAudBus - ok
12:05:16.0171 4060 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:05:16.0265 4060 hidusb - ok
12:05:16.0296 4060 hpn - ok
12:05:16.0359 4060 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
12:05:16.0500 4060 HPZid412 - ok
12:05:16.0546 4060 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
12:05:16.0593 4060 HPZipr12 - ok
12:05:16.0656 4060 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
12:05:16.0828 4060 HPZius12 - ok
12:05:16.0953 4060 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:05:17.0062 4060 HTTP - ok
12:05:17.0078 4060 i2omgmt - ok
12:05:17.0078 4060 i2omp - ok
12:05:17.0125 4060 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
12:05:17.0218 4060 i8042prt - ok
12:05:17.0265 4060 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:05:17.0375 4060 Imapi - ok
12:05:17.0390 4060 ini910u - ok
12:05:17.0390 4060 IntelIde - ok
12:05:17.0437 4060 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:05:17.0515 4060 intelppm - ok
12:05:17.0546 4060 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:05:17.0656 4060 Ip6Fw - ok
12:05:17.0671 4060 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:05:17.0781 4060 IpFilterDriver - ok
12:05:17.0812 4060 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:05:17.0921 4060 IpInIp - ok
12:05:17.0937 4060 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:05:18.0031 4060 IpNat - ok
12:05:18.0062 4060 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:05:18.0156 4060 IPSec - ok
12:05:18.0187 4060 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:05:18.0250 4060 IRENUM - ok
12:05:18.0296 4060 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:05:18.0390 4060 isapnp - ok
12:05:18.0437 4060 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:05:18.0531 4060 Kbdclass - ok
12:05:18.0531 4060 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
12:05:18.0625 4060 kbdhid - ok
12:05:18.0656 4060 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:05:18.0781 4060 kmixer - ok
12:05:18.0843 4060 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:05:18.0937 4060 KSecDD - ok
12:05:19.0000 4060 LBeepKE (ca63fe81705ad660e482bef210bf2c73) C:\WINDOWS\system32\Drivers\LBeepKE.sys
12:05:19.0015 4060 LBeepKE - ok
12:05:19.0015 4060 lbrtfdc - ok
12:05:19.0078 4060 LHidFilt (b68309f25c5787385da842eb5b496958) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
12:05:19.0078 4060 LHidFilt - ok
12:05:19.0109 4060 LMouFilt (63d3b1d3cd267fcc186a0146b80d453b) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
12:05:19.0125 4060 LMouFilt - ok
12:05:19.0171 4060 LUsbFilt (0c62957912d4df1e4ba9795e6be3ed38) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
12:05:19.0171 4060 LUsbFilt - ok
12:05:19.0218 4060 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:05:19.0312 4060 mnmdd - ok
12:05:19.0375 4060 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:05:19.0484 4060 Modem - ok
12:05:19.0500 4060 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:05:19.0625 4060 Mouclass - ok
12:05:19.0656 4060 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:05:19.0781 4060 mouhid - ok
12:05:19.0812 4060 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:05:19.0937 4060 MountMgr - ok
12:05:19.0937 4060 mraid35x - ok
12:05:19.0968 4060 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:05:20.0093 4060 MRxDAV - ok
12:05:20.0140 4060 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:05:20.0218 4060 MRxSmb - ok
12:05:20.0265 4060 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:05:20.0359 4060 Msfs - ok
12:05:20.0390 4060 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:05:20.0531 4060 MSKSSRV - ok
12:05:20.0562 4060 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:05:20.0687 4060 MSPCLOCK - ok
12:05:20.0734 4060 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:05:20.0828 4060 MSPQM - ok
12:05:20.0875 4060 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:05:20.0968 4060 mssmbios - ok
12:05:21.0000 4060 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:05:21.0046 4060 Mup - ok
12:05:21.0093 4060 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:05:21.0234 4060 NDIS - ok
12:05:21.0265 4060 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:05:21.0281 4060 NdisTapi - ok
12:05:21.0296 4060 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:05:21.0390 4060 Ndisuio - ok
12:05:21.0390 4060 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:05:21.0531 4060 NdisWan - ok
12:05:21.0562 4060 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:05:21.0609 4060 NDProxy - ok
12:05:21.0625 4060 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:05:21.0734 4060 NetBIOS - ok
12:05:21.0765 4060 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:05:21.0859 4060 NetBT - ok
12:05:21.0890 4060 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:05:22.0000 4060 Npfs - ok
12:05:22.0015 4060 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:05:22.0140 4060 Ntfs - ok
12:05:22.0171 4060 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:05:22.0265 4060 Null - ok
12:05:22.0296 4060 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:05:22.0406 4060 NwlnkFlt - ok
12:05:22.0437 4060 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:05:22.0515 4060 NwlnkFwd - ok
12:05:22.0578 4060 P17 (576b19c67e792c2545336ccc4e080ea3) C:\WINDOWS\system32\drivers\P17.sys
12:05:22.0593 4060 Suspicious file (Forged): C:\WINDOWS\system32\drivers\P17.sys. Real md5: 576b19c67e792c2545336ccc4e080ea3, Fake md5: 2aafda3f9e15a225f632f0363b194189
12:05:22.0593 4060 P17 ( ForgedFile.Multi.Generic ) - warning
12:05:22.0593 4060 P17 - detected ForgedFile.Multi.Generic (1)
12:05:22.0703 4060 P17xfi (230780e5ace287e0a550a523d494b3d0) C:\WINDOWS\system32\drivers\P17xfi.sys
12:05:22.0796 4060 P17xfi - ok
12:05:22.0921 4060 p17xfilt (0df1a51abdf6674e4bc72fc2dab2950f) C:\WINDOWS\system32\drivers\p17xfilt.sys
12:05:23.0015 4060 p17xfilt - ok
12:05:23.0046 4060 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
12:05:23.0156 4060 Parport - ok
12:05:23.0203 4060 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:05:23.0296 4060 PartMgr - ok
12:05:23.0328 4060 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:05:23.0421 4060 ParVdm - ok
12:05:23.0437 4060 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:05:23.0640 4060 PCI - ok
12:05:23.0734 4060 PCIDump - ok
12:05:23.0750 4060 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:05:23.0875 4060 PCIIde - ok
12:05:23.0906 4060 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
12:05:24.0015 4060 Pcmcia - ok
12:05:24.0031 4060 PDCOMP - ok
12:05:24.0031 4060 PDFRAME - ok
12:05:24.0046 4060 PDRELI - ok
12:05:24.0046 4060 PDRFRAME - ok
12:05:24.0062 4060 perc2 - ok
12:05:24.0062 4060 perc2hib - ok
12:05:24.0093 4060 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:05:24.0187 4060 PptpMiniport - ok
12:05:24.0218 4060 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:05:24.0312 4060 PSched - ok
12:05:24.0375 4060 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:05:24.0468 4060 Ptilink - ok
12:05:24.0500 4060 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
12:05:24.0531 4060 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
12:05:24.0531 4060 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
12:05:24.0531 4060 ql1080 - ok
12:05:24.0546 4060 Ql10wnt - ok
12:05:24.0546 4060 ql12160 - ok
12:05:24.0562 4060 ql1240 - ok
12:05:24.0562 4060 ql1280 - ok
12:05:24.0609 4060 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:05:24.0703 4060 RasAcd - ok
12:05:24.0750 4060 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:05:24.0843 4060 Rasl2tp - ok
12:05:24.0859 4060 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:05:24.0937 4060 RasPppoe - ok
12:05:24.0953 4060 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:05:25.0062 4060 Raspti - ok
12:05:25.0093 4060 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:05:25.0187 4060 Rdbss - ok
12:05:25.0203 4060 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:05:25.0296 4060 RDPCDD - ok
12:05:25.0312 4060 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:05:25.0421 4060 rdpdr - ok
12:05:25.0484 4060 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
12:05:25.0562 4060 RDPWD - ok
12:05:25.0593 4060 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:05:25.0703 4060 redbook - ok
12:05:25.0765 4060 RxFilter (78f204f3a885de987d41b12f9bb8dffb) C:\WINDOWS\system32\DRIVERS\RxFilter.sys
12:05:25.0765 4060 RxFilter ( UnsignedFile.Multi.Generic ) - warning
12:05:25.0765 4060 RxFilter - detected UnsignedFile.Multi.Generic (1)
12:05:25.0890 4060 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
12:05:25.0906 4060 SASDIFSV - ok
12:05:25.0953 4060 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
12:05:25.0968 4060 SASENUM - ok
12:05:26.0000 4060 SASKUTIL (67d2688756dd304af655349baad82bff) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
12:05:26.0015 4060 SASKUTIL - ok
12:05:26.0078 4060 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:05:26.0140 4060 Secdrv - ok
12:05:26.0203 4060 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
12:05:26.0265 4060 SenFiltService - ok
12:05:26.0343 4060 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:05:26.0437 4060 serenum - ok
12:05:26.0500 4060 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:05:26.0625 4060 Serial - ok
12:05:26.0625 4060 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:05:26.0718 4060 Sfloppy - ok
12:05:26.0734 4060 Simbad - ok
12:05:26.0750 4060 Sparrow - ok
12:05:26.0765 4060 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:05:26.0843 4060 splitter - ok
12:05:26.0859 4060 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:05:26.0921 4060 sr - ok
12:05:26.0984 4060 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:05:27.0093 4060 Srv - ok
12:05:27.0140 4060 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:05:27.0250 4060 swenum - ok
12:05:27.0265 4060 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:05:27.0359 4060 swmidi - ok
12:05:27.0375 4060 symc810 - ok
12:05:27.0390 4060 symc8xx - ok
12:05:27.0406 4060 sym_hi - ok
12:05:27.0406 4060 sym_u3 - ok
12:05:27.0437 4060 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:05:27.0531 4060 sysaudio - ok
12:05:27.0609 4060 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:05:27.0671 4060 Tcpip - ok
12:05:27.0718 4060 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:05:27.0828 4060 TDPIPE - ok
12:05:27.0890 4060 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:05:28.0000 4060 TDTCP - ok
12:05:28.0031 4060 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:05:28.0125 4060 TermDD - ok
12:05:28.0140 4060 TosIde - ok
12:05:28.0187 4060 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:05:28.0281 4060 Udfs - ok
12:05:28.0312 4060 ultra - ok
12:05:28.0328 4060 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:05:28.0421 4060 Update - ok
12:05:28.0500 4060 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
12:05:28.0609 4060 USBAAPL - ok
12:05:28.0687 4060 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:05:28.0796 4060 usbccgp - ok
12:05:28.0828 4060 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:05:28.0921 4060 usbehci - ok
12:05:28.0937 4060 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:05:29.0046 4060 usbhub - ok
12:05:29.0109 4060 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:05:29.0218 4060 usbprint - ok
12:05:29.0265 4060 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:05:29.0359 4060 usbscan - ok
12:05:29.0390 4060 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:05:29.0484 4060 usbstor - ok
12:05:29.0500 4060 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:05:29.0593 4060 usbuhci - ok
12:05:29.0687 4060 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:05:29.0796 4060 VgaSave - ok
12:05:29.0796 4060 ViaIde - ok
12:05:29.0828 4060 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:05:29.0937 4060 VolSnap - ok
12:05:29.0984 4060 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:05:30.0062 4060 Wanarp - ok
12:05:30.0109 4060 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
12:05:30.0140 4060 Wdf01000 - ok
12:05:30.0187 4060 WDICA - ok
12:05:30.0203 4060 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:05:30.0296 4060 wdmaud - ok
12:05:30.0359 4060 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
12:05:30.0453 4060 WS2IFSL - ok
12:05:30.0531 4060 WUSB54GPV4SRV (70aeec67e87a2002e6b2cc353d56e222) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
12:05:30.0593 4060 WUSB54GPV4SRV - ok
12:05:30.0625 4060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:05:30.0843 4060 \Device\Harddisk0\DR0 - ok
12:05:30.0843 4060 Boot (0x1200) (7a36e86f30b651f92fc2867865f5cdcd) \Device\Harddisk0\DR0\Partition0
12:05:30.0843 4060 \Device\Harddisk0\DR0\Partition0 - ok
12:05:30.0843 4060 ============================================================
12:05:30.0843 4060 Scan finished
12:05:30.0843 4060 ============================================================
12:05:30.0968 2740 Detected object count: 4
12:05:30.0968 2740 Actual detected object count: 4
12:07:45.0359 2740 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
12:07:45.0359 2740 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:07:45.0359 2740 P17 ( ForgedFile.Multi.Generic ) - skipped by user
12:07:45.0359 2740 P17 ( ForgedFile.Multi.Generic ) - User select action: Skip
12:07:45.0359 2740 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
12:07:45.0359 2740 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:07:45.0359 2740 RxFilter ( UnsignedFile.Multi.Generic ) - skipped by user
12:07:45.0359 2740 RxFilter ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:08:23.0859 3460 Deinitialize success

-----------------------------------------------------------------------------------------------------------------------------------

SECOND: Here's the contents of the FARBAR Service Scanner Log

Farbar Service Scanner Version: 02-02-2012
Ran by WWAdmin (administrator) on 03-02-2012 at 12:13:23
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000090000000600000007000000
IpSec Tag value is correct.

**** End of log ****

-----------------------------------------------------------------------------------------------------------------------------------

THIRD: Here's the contents of the OTL REPORT

OTL logfile created on: 2/3/2012 12:14:12 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\WWAdmin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.42% Memory free
3.85 Gb Paging File | 3.35 Gb Available in Paging File | 87.08% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 203.92 Gb Free Space | 87.60% Space Free | Partition Type: NTFS
Drive I: | 3.72 Gb Total Space | 1.88 Gb Free Space | 50.48% Space Free | Partition Type: FAT32

Computer Name: USER1-CEFFE37FC | User Name: WWAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/03 11:56:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WWAdmin\Desktop\OTL.exe
PRC - [2012/02/02 11:01:45 | 000,909,152 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
PRC - [2012/02/02 11:01:43 | 000,939,872 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2012/01/31 15:02:52 | 007,391,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2012/01/17 20:03:24 | 002,339,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/09/09 02:10:56 | 001,082,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/08/18 00:33:26 | 000,659,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2011/05/23 13:13:04 | 000,657,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2011/02/10 06:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 04:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/06/25 19:15:32 | 001,311,312 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
PRC - [2010/06/22 14:09:20 | 000,112,208 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
PRC - [2009/07/10 16:53:52 | 000,372,736 | ---- | M] (Orbiscom Ltd. All rights reserved.) -- C:\Program Files\Virtual Account Numbers\CitiVAN.exe
PRC - [2009/07/10 16:50:36 | 000,145,920 | ---- | M] (Orbiscom Ltd.) -- C:\WINDOWS\system32\OBroker.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/28 16:50:50 | 000,180,224 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PRC - [2006/08/14 00:07:00 | 000,102,400 | ---- | M] () -- C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
PRC - [2006/08/10 11:10:14 | 000,221,184 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
PRC - [2006/08/10 10:38:54 | 000,010,752 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
PRC - [2006/07/31 08:00:00 | 001,116,920 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/01/02 16:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2003/05/15 00:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2003/04/06 00:17:18 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/06 00:06:58 | 000,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/05 23:55:04 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/05 23:45:10 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2012/02/02 11:01:45 | 000,909,152 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
MOD - [2012/02/02 11:01:43 | 000,939,872 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2012/01/01 12:08:51 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_a0bcddf0\mscorlib.dll
MOD - [2012/01/01 12:08:48 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_37b9e16a\system.drawing.dll
MOD - [2012/01/01 12:08:39 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_33d3209a\system.xml.dll
MOD - [2012/01/01 12:08:31 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f21d6765\system.windows.forms.dll
MOD - [2012/01/01 12:08:16 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_82ed1ae6\system.dll
MOD - [2012/01/01 12:07:48 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012/01/01 12:07:47 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2012/01/01 12:07:42 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/02/10 06:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
MOD - [2009/09/19 20:57:55 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
MOD - [2009/09/19 20:57:54 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2009/09/19 20:57:54 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2009/09/19 20:57:54 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2009/07/10 16:50:24 | 000,039,424 | ---- | M] () -- C:\Program Files\Virtual Account Numbers\VANRes.dll
MOD - [2007/05/07 19:59:08 | 000,137,216 | R--- | M] () -- C:\WINDOWS\system32\OemSpi.dll
MOD - [2006/08/14 00:07:00 | 000,102,400 | ---- | M] () -- C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
MOD - [2006/08/10 10:42:00 | 000,516,096 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\LayoutDll9.dll
MOD - [2006/08/10 10:37:06 | 004,587,520 | R--- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
MOD - [2006/08/09 03:27:36 | 000,037,376 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\DLLShared\apm.dll
MOD - [2006/08/08 08:18:18 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2012/02/02 11:01:45 | 000,909,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe -- (vToolbarUpdater)
SRV - [2012/01/31 15:02:52 | 007,391,072 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/11/10 08:17:31 | 000,167,264 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/02/08 04:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/05/06 04:29:12 | 000,293,456 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/08/10 03:11:14 | 000,057,344 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2006/08/10 03:10:50 | 000,294,912 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2003/03/09 15:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

========== Driver Services (SafeList) ==========

DRV - [2012/02/02 06:59:31 | 000,135,032 | ---- | M] (Doctor Web, Ltd.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dwprot.sys -- (DwProt)
DRV - [2011/05/27 18:05:44 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/04/04 23:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/03/16 15:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/03/01 13:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 07:13:02 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/02/10 06:53:54 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/02/10 06:53:52 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/01/07 05:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/03/18 04:02:32 | 000,028,624 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2010/03/18 04:02:08 | 000,037,328 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2010/03/18 04:01:52 | 000,038,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2010/03/18 04:01:12 | 000,010,448 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2010/02/26 05:18:10 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/26 05:18:10 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/26 05:18:10 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2007/06/13 00:58:16 | 001,131,520 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2007/03/22 11:35:40 | 001,659,008 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\p17xfilt.sys -- (p17xfilt)
DRV - [2006/09/25 04:58:54 | 001,173,504 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P17xfi.sys -- (P17xfi)
DRV - [2006/08/09 03:30:42 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2006/08/08 08:18:50 | 000,009,432 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/08 08:18:28 | 000,035,128 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/08 08:18:26 | 000,097,880 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/08 08:18:26 | 000,094,680 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/08 08:18:24 | 000,026,136 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/08 08:18:22 | 000,032,504 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/08 08:18:20 | 000,104,504 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/08 08:18:20 | 000,014,552 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/01 19:06:20 | 000,012,952 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/01 19:06:18 | 000,028,216 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/06/07 16:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/05/10 14:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/03/17 17:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2005/10/17 17:50:06 | 000,245,376 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2500usb.sys -- (WUSB54GPV4SRV)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 84 40 D9 96 87 02 CC 01 [binary data]
IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2012/02/03 12:07:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\citius@orbiscom: C:\Program Files\Virtual Account Numbers [2011/12/04 12:42:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\10.0.0.7\ [2012/02/02 11:01:53 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Virtual Account Numbers Helper) - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll ()
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (radiojazz Toolbar) - {cbf6f119-ea59-4612-96c3-efd538c88c0a} - C:\Program Files\radiojazz\tbradi.dll (Conduit Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Virtual Account Numbers) - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll (Orbiscom Ltd. All rights reserved.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (radiojazz Toolbar) - {cbf6f119-ea59-4612-96c3-efd538c88c0a} - C:\Program Files\radiojazz\tbradi.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1220945662-73586283-682003330-1005\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Citi Virtual Account Numbers] C:\Program Files\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\SPIRun.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Sonic Solutions)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-73586283-682003330-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1220945662-73586283-682003330-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u21-windows-i586.cab (Java Plug-in)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: vzTCPConfig http://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B3F2BBB5-F5A6-4823-BFC2-9E54C4B3F974}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.dll) - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\WWAdmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WWAdmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/19 19:18:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/02/03 11:29:28 | 000,000,000 | RHSD | M] - I:\autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/03 12:12:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WWAdmin\Desktop\OTL.exe
[2012/02/03 12:03:50 | 002,059,312 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\WWAdmin\Desktop\tdsskiller.exe
[2012/02/02 21:02:07 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/02 11:01:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\cache
[2012/02/02 06:59:31 | 000,135,032 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2012/02/01 11:56:59 | 000,092,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mqac.svs
[2012/02/01 11:53:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/01 11:50:38 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/01 11:50:38 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/01 11:50:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/01 11:50:38 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/01 11:48:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/01 11:42:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/01 11:42:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\WWAdmin\My Documents\My Videos
[2012/02/01 11:42:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\WWAdmin\Start Menu\Programs\Administrative Tools
[2012/02/01 11:41:48 | 004,394,330 | R--- | C] (Swearware) -- C:\ComboFix.exe
[2009/09/19 21:18:05 | 000,065,536 | R--- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2006/07/11 13:29:00 | 000,028,672 | R--- | C] ( ) -- C:\WINDOWS\System32\DivXGraphBuilderCallback.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/03 12:14:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{99796CAB-0E9B-437F-A13D-980353FC50B3}.job
[2012/02/03 12:11:07 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/02/03 12:10:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/03 12:07:54 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2012/02/03 12:06:07 | 088,091,593 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/02/03 11:56:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WWAdmin\Desktop\OTL.exe
[2012/02/03 11:55:10 | 000,335,593 | ---- | M] () -- C:\Documents and Settings\WWAdmin\Desktop\FSS.exe
[2012/02/03 11:53:38 | 002,059,312 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\WWAdmin\Desktop\tdsskiller.exe
[2012/02/02 22:21:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\WWAdmin\defogger_reenable
[2012/02/02 21:36:59 | 000,256,000 | R--- | M] () -- C:\WINDOWS\PEV.exe
[2012/02/02 18:22:33 | 000,231,993 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/02/02 07:18:04 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/02/02 06:59:31 | 000,135,032 | ---- | M] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2012/02/01 19:08:23 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/01 13:13:32 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/01 12:06:41 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/01 11:53:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/02/01 11:49:10 | 004,394,330 | R--- | M] (Swearware) -- C:\ComboFix.exe
[2012/02/01 11:39:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/11 16:56:54 | 000,004,202 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\yvx3lv0pbgdpv47i85rbk44
[2012/01/08 18:45:00 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/03 12:12:17 | 000,335,593 | ---- | C] () -- C:\Documents and Settings\WWAdmin\Desktop\FSS.exe
[2012/02/02 22:21:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\WWAdmin\defogger_reenable
[2012/02/01 19:08:23 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/01 11:53:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/02/01 11:53:23 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/01 11:50:38 | 000,256,000 | R--- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/01 11:50:38 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/01 11:50:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/01 11:50:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/01 11:50:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/11 16:53:01 | 000,004,202 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\yvx3lv0pbgdpv47i85rbk44
[2011/05/09 18:13:01 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/06 18:34:47 | 000,013,696 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wnl7uf0s50u5286
[2011/04/24 17:45:43 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/24 17:45:43 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2010/05/14 17:33:21 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\WWAdmin\Local Settings\Application Data\fusioncache.dat
[2010/04/19 21:05:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2010/03/27 09:07:14 | 000,029,452 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/10/02 16:36:07 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/10/02 16:21:07 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2009/10/02 16:21:07 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2009/09/20 08:17:59 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2009/09/19 22:17:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/19 22:09:24 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/09/19 21:59:14 | 000,000,210 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/09/19 21:31:55 | 000,003,118 | ---- | C] () -- C:\WINDOWS\System32\AudioDrv.ini
[2009/09/19 21:31:23 | 000,008,251 | R--- | C] () -- C:\WINDOWS\sfsyn.ini
[2009/09/19 21:31:22 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/09/19 21:31:21 | 000,137,216 | R--- | C] () -- C:\WINDOWS\System32\OemSpi.dll
[2009/09/19 20:50:38 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/09/19 20:50:04 | 000,129,112 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/09/19 19:20:23 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/19 19:15:41 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/19 14:54:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/19 14:53:25 | 000,159,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2007/07/02 00:58:14 | 000,001,970 | ---- | C] () -- C:\WINDOWS\P17EP.ini
[2007/06/13 00:58:16 | 001,131,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\P17.sys
[2007/06/06 00:24:24 | 000,022,478 | R--- | C] () -- C:\WINDOWS\System32\ludap17.ini
[2007/04/09 00:42:00 | 000,148,480 | ---- | C] () -- C:\WINDOWS\System32\OemSpiE.dll
[2007/04/09 00:40:00 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\P17RunE.dll
[2006/12/15 01:41:26 | 000,008,192 | ---- | C] () -- C:\WINDOWS\ResDefE.exe
[2006/08/15 14:54:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/08/09 03:19:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/08/09 03:19:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/09 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\besch.exe
[2006/08/09 00:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2005/07/15 13:36:35 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\DivXsm.exe
[2005/07/15 13:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 13:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 13:35:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/03/21 18:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 18:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/03/08 05:17:00 | 000,000,054 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,380,702 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,052,936 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/10/02 00:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2003/03/09 15:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

< End of report >

-----------------------------------------------------------------------------------------------------------------------------------

LAST: Here's the contents of the Extras.txt report

OTL Extras logfile created on: 2/3/2012 12:14:12 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\WWAdmin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 70.42% Memory free
3.85 Gb Paging File | 3.35 Gb Available in Paging File | 87.08% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 203.92 Gb Free Space | 87.60% Space Free | Partition Type: NTFS
Drive I: | 3.72 Gb Total Space | 1.88 Gb Free Space | 50.48% Space Free | Partition Type: FAT32

Computer Name: USER1-CEFFE37FC | User Name: WWAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2CA41BA1-9842-4819-8ABB-76FDC14AB9EA}" = ATI Catalyst Control Center
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53E2DCBB-E6F7-4C83-B1EF-F78435B9814E}" = Sound Blaster X-Fi Xtreme Audio
"{625304B0-2976-473B-AD81-5CA376093F03}" = Xingtone Ringtone Maker
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{73AA12E1-5FFD-4545-9A28-CE7C318F284E}" = AVG 2011
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio Easy Media Creator 9 Suite
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C411DC9-B8B8-45F3-B688-073BF4B59094}" = Virtual Account Numbers
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-1033-F400-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{DE700910-58F7-4D2E-B7E6-3BA2DA1B6806}" = Virtual Account Numbers
"{E533E637-FB3E-4F28-8B18-449CC9AB7235}" = AVG 2011
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe SVG Viewer" = Adobe SVG Viewer
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AVG" = AVG 2011
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Eye Candy 3" = Eye Candy 3
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSNINST" = MSN
"radiojazz Toolbar" = radiojazz Toolbar
"SP6" = Logitech SetPoint 6.15
"SysInfo" = Creative System Information
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Companion" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/2/2012 9:22:33 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 9:22:33 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 9:22:35 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 10:06:32 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/2/2012 10:06:32 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 10:06:32 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 10:06:33 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 10:06:33 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 10:06:33 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/2/2012 10:06:34 PM | Computer Name = USER1-CEFFE37FC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 2/2/2012 9:23:19 PM | Computer Name = USER1-CEFFE37FC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/2/2012 10:01:31 PM | Computer Name = USER1-CEFFE37FC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 2/2/2012 10:02:29 PM | Computer Name = USER1-CEFFE37FC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip
WS2IFSL

Error - 2/2/2012 10:28:27 PM | Computer Name = USER1-CEFFE37FC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

< End of report >

-----------------------------------------------------------------------------------------------------------------------------------

computer seems to be running about the same as it was last night.
not sure I would have noticed anything different though because I wasn't trying to do anything else with it other than what you asked.

other than the reboot computer dialog box being absent after clicking Continue for the TDSSKiller application, everything seemed to run alright.

Thank you, Dona

This post has been edited by djw23: 03 February 2012 - 12:39 PM

#6 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 04 February 2012 - 08:25 AM

Hi Dona!

Quote

AVG was complaining that the Flash Disinfector was a trojan....but I went ahead and ignored the warnings. seems to have worked alright.

Yeah, AVG may throw up some warnings about some of the tools we run.

Please ignore the warnings AVG may provide you about any tools I ask you to run.
OTL Fix

We need to run an OTL Fix

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:Processes
KILLALLPROCESSES
:OTL
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1220945662-73586283-682003330-1005\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1220945662-73586283-682003330-1005\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u21-windows-i586.cab (Java Plug-in)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: vzTCPConfig http://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB (Reg Error: Key error.)
[2012/01/11 16:56:54 | 000,004,202 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\yvx3lv0pbgdpv47i85rbk44
[2012/01/11 16:53:01 | 000,004,202 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\yvx3lv0pbgdpv47i85rbk44
[2011/05/06 18:34:47 | 000,013,696 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wnl7uf0s50u5286
:Reg

:Files
NETSH WINSOCK RESET CATALOG /c
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[EMPTYFLASH]
[EMPTYJAVA]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

OTL Custom Scan

We need to create a new OTL Report

Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Click on the NONE button at the top.

In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
"%WinDir%\$NtUninstallKB*$." /30
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
cercsr6.sys
P17.sys
PxHelp20.sys
RxFilter.sys
/md5stop
hklm\software\clients\startmenuinternet|command /rs

Push the button.
One report will open, copy and paste it in a reply here:
- OTL.txt <-- Will be opened

NEXT:

Running aswMBR.exe

Download aswMBR.exe (4.5mb) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image

#7 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 04 February 2012 - 11:35 AM

Hello Agent ST! Thank you for your timely reply!
I'm working on my husband's computer this morning and helping my neice put a dynamic RSS feed on her web site this afternoon.

FIRST I uninstalled Malwarebytes from his computer altogether because I wasn't sure how to disable it. I will reinstall it when we are all finished. Hope you like that decision.

---------------------------------------------------------------------------------------------------------

SECOND Here is the report from the OTL fix. It did require a reboot to finish the fix. Looks like one of the things your were trying to fix was the internet connection problem and that WORKED! YAY! :-))) I'm using my computer for this post but I guess I can start working directly from his computer now? Please confirm that is ok.

========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1220945662-73586283-682003330-1005\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-1220945662-73586283-682003330-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}
C:\WINDOWS\Downloaded Program Files\jinstall-6u21.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control vzTCPConfig
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\vzTCPConfig\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\vzTCPConfig\ not found.
C:\Documents and Settings\All Users\Application Data\yvx3lv0pbgdpv47i85rbk44 moved successfully.
File C:\Documents and Settings\All Users\Application Data\yvx3lv0pbgdpv47i85rbk44 not found.
C:\Documents and Settings\All Users\Application Data\wnl7uf0s50u5286 moved successfully.
========== REGISTRY ==========
========== FILES ==========
< NETSH WINSOCK RESET CATALOG /c >
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
C:\Documents and Settings\WWAdmin\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\WWAdmin\Desktop\cmd.txt deleted successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\WWAdmin\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\WWAdmin\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: A device attached to the system is not functioning.

Please contact Microsoft Product Support Services for further help.
Additional information: Unknown media status code.
C:\Documents and Settings\WWAdmin\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\WWAdmin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 41044 bytes

User: LocalService

User: NetworkService

User: User1
->Flash cache emptied: 183189 bytes

User: WWAdmin
->Flash cache emptied: 41655 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: User1
->Java cache emptied: 38742 bytes

User: WWAdmin
->Java cache emptied: 46940 bytes

Total Java Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.31.0 log created on 02042012_104753

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

---------------------------------------------------------------------------------------------------------

THIRD Here's the copy of the OTL Custom Scan

OTL logfile created on: 2/4/2012 11:04:29 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\WWAdmin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.42% Memory free
3.85 Gb Paging File | 3.38 Gb Available in Paging File | 87.90% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 203.89 Gb Free Space | 87.59% Space Free | Partition Type: NTFS
Drive I: | 3.72 Gb Total Space | 1.88 Gb Free Space | 50.36% Space Free | Partition Type: FAT32

Computer Name: USER1-CEFFE37FC | User Name: WWAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - Service
SafeBootMin: MCODS - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\INF\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivXNetworks)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." /30 >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >
[2012/02/02 06:59:31 | 000,135,032 | ---- | M] (Doctor Web, Ltd.) -- C:\WINDOWS\system32\drivers\dwprot.sys

< %SYSTEMDRIVE%\*.exe >
[2012/02/01 11:49:10 | 004,394,330 | R--- | M] (Swearware) -- C:\ComboFix.exe

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/09/27 08:49:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/09/27 08:49:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: CERCSR6.SYS >
[2004/12/13 16:14:00 | 000,039,904 | ---- | M] (Adaptec, Inc.) MD5=84853B3FD012251690570E9E7E43343F -- C:\WINDOWS\dell\cercsr6\cercsr6.sys
[2004/12/13 16:14:00 | 000,039,904 | ---- | M] (Adaptec, Inc.) MD5=84853B3FD012251690570E9E7E43343F -- C:\WINDOWS\system32\drivers\cercsr6.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: P17.SYS >
[2007/06/13 00:58:16 | 001,131,520 | ---- | M] () MD5=2AAFDA3F9E15A225F632F0363B194189 -- C:\WINDOWS\system32\drivers\P17.sys
[2007/04/04 21:47:20 | 001,126,400 | ---- | M] (Creative Technology Ltd.) MD5=68BD22788B679A30FFCEA1D2EC141AF1 -- C:\Program Files\Creative\Sound Blaster X-Fi\Program\vista\Win2k_xp\I386\p17.sys
[2007/04/04 21:40:36 | 001,265,152 | ---- | M] (Creative Technology Ltd.) MD5=D22F07F40D3C7681CF373B325BDFBFFD -- C:\Program Files\Creative\Sound Blaster X-Fi\Program\vista\Win2k_xp\AMD64\P17.sys

< MD5 for: PXHELP20.SYS >
[2006/07/24 02:00:00 | 000,036,528 | ---- | M] (Sonic Solutions) MD5=FEFFCFDC528764A04C8ED63D5FA6E711 -- C:\WINDOWS\system32\drivers\pxhelp20.sys

< MD5 for: RXFILTER.SYS >
[2006/08/09 03:30:42 | 000,050,688 | ---- | M] (Sonic Solutions) MD5=78F204F3A885DE987D41B12F9BB8DFFB -- C:\WINDOWS\system32\drivers\RxFilter.sys

< MD5 for: VOLSNAP.SYS >
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/04 05:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< End of report >

---------------------------------------------------------------------------------------------------------

LAST, Here's the copy of the aswMBR log. When I clicked on the file, it asked me if I wanted to download the latest Avast! Free AntiVirus and virus definitions, I declined as I assume you had me download the latest tool you wanted me to work with.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-04 11:15:39
-----------------------------
11:15:39.125 OS Version: Windows 5.1.2600 Service Pack 3
11:15:39.125 Number of processors: 2 586 0xF02
11:15:39.125 ComputerName: USER1-CEFFE37FC UserName: WWAdmin
11:15:40.812 Initialize success
11:16:35.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:16:35.125 Disk 0 Vendor: WDC_WD2500JS-75NCB3 10.02E04 Size: 238418MB BusType: 3
11:16:35.125 Disk 0 MBR read successfully
11:16:35.125 Disk 0 MBR scan
11:16:35.125 Disk 0 Windows XP default MBR code
11:16:35.125 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
11:16:35.140 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238355 MB offset 112455
11:16:35.140 Disk 0 scanning sectors +488263545
11:16:35.218 Disk 0 scanning C:\WINDOWS\system32\drivers
11:16:42.359 Service scanning
11:16:43.265 Modules scanning
11:16:49.750 Disk 0 trace - called modules:
11:16:49.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:16:49.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a680ab8]
11:16:49.781 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a634d98]
11:16:49.781 Scan finished successfully
11:17:07.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\WWAdmin\Desktop\MBR.dat"
11:17:07.046 The log file has been saved successfully to "C:\Documents and Settings\WWAdmin\Desktop\aswMBR.txt"
11:17:14.906 Disk 0 MBR has been saved successfully to "I:\MBR.dat"
11:17:14.921 The log file has been saved successfully to "I:\aswMBR.txt"

---------------------------------------------------------------------------------------------------------

The computer seems to be doing what you need it to do for these tasks. The only thing I did extra was to quickly check if I could get online and browse the internet. Loaded at 2 pages on MSN.com and closed browser. Hope that was ok.

Thank you very much, Dona

This post has been edited by djw23: 04 February 2012 - 11:37 AM

#8 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 05 February 2012 - 05:53 AM

Hi Dona!

Quote

I'm working on my husband's computer this morning and helping my neice put a dynamic RSS feed on her web site this afternoon.

I hope that everything with helping your neice with the dynamic RSS feed went well.

Do you do more of the backend Web developing stuff like the dynamic RSS feed or do you also do things like creating images/animations in Photoshop?

Quote

FIRST I uninstalled Malwarebytes from his computer altogether because I wasn't sure how to disable it. I will reinstall it when we are all finished. Hope you like that decision.

Okay, that's fine.

Quote

SECOND Here is the report from the OTL fix. It did require a reboot to finish the fix. Looks like one of the things your were trying to fix was the internet connection problem and that WORKED! YAY! :-))) I'm using my computer for this post but I guess I can start working directly from his computer now? Please confirm that is ok.

Yay! That's great news! I'm so glad to hear you're able to connect back to the internet again!!

Quote

LAST, Here's the copy of the aswMBR log. When I clicked on the file, it asked me if I wanted to download the latest Avast! Free AntiVirus and virus definitions, I declined as I assume you had me download the latest tool you wanted me to work with.

That was fine.

Your OTL log is showing me a file that is potentially patched by malware.

This file in particular: C:\WINDOWS\system32\drivers\P17.sys

So this is something we are going to need to check into.

---------

I'm going to ask that you download a new copy of ComboFix and run a scan with it.

Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

#9 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 05 February 2012 - 11:27 AM

hello Agent ST
The dynamic RSS feed for my niece's page went well...the page is still not validating 100% correctly so I need to look at tweaking the JavaScript code I think. I was up until midnight fooling around with it and another website I just launched for a client so...kinda tired today. I create things with Photoshop as well; like header banners, toolbars, logos and favicons. I found a good website where you can buy cheap graphics as well...sometimes I use and/or modify those. I bought 18 really great images for the last web site I designed for only $50.00, my client was thrilled. 123rf.com

Anyway..back to the issue at hand...

I set AVG to be temporarily disabled for 15 minutes then downloaded Combofix from your link, saved it to the Desktop and ran it. A dialog box came up which said something to the effect of...

You are infected with rootkit.ZeroAccess. It has inserted itself into the TCP/IP stack. This is a particularly difficult infection to fix. If your internet connection gets broken, run Combofix again... something like that.

I'd seen this message before I contacted you and this time I was feeling like I wanted to see what happened if I didn't click on OK -- because maybe it's the infection trying to trick me into clicking. Then two other dialog boxes came up..One saying that Rootkit access had been detected and Combofix needed to reboot...again I didn't click on anything

so then the machine finally rebooted w/o any intervention from me and it hung up displaying a blue box with C:\ in the upper left corner that says "Please wait....Combofix is preparing to run." It had been like that for the last 2 hours or so... I ran out to the gym for my class....didn't get there yesterday with all that was going on...figured maybe...just maybe..it would run while I was gone... No dice...So when I got back I "X"ed out to close it and then Windows returned normally to the desktop. I checked to make sure I can still browse...I can but I'm posting back to you on my own computer because then I shut that one off. No logfile popped up for me to post.

2 more things...I peeked into the contents in the root of the Qoobox folder and all the folders show dates of 2/1/12 so I'm not thinking it ran completely. Also..right
before I turned the computer off AVG complained about C:\Combofix\CF32286.3XE being a virus but I went ahead and said Allow that. The guy who helps out with virus support at work when it's over my head told me last week that AVG throws that up after running Combofix so I thought it was okay to Allow??

this is basically what happened when I first decided to post here. Bummer...do you know what's going on? Are we getting anywhere? I think yes because I can still browse.

Thank you very much, Dona

P.S. Are you really in Antartica?

This post has been edited by djw23: 05 February 2012 - 05:24 PM

#10 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 06 February 2012 - 03:01 AM

Hi Dona!

Quote

I create things with Photoshop as well; like header banners, toolbars, logos and favicons. I found a good website where you can buy cheap graphics as well...sometimes I use and/or modify those. I bought 18 really great images for the last web site I designed for only $50.00, my client was thrilled. 123rf.com

Very nice.

Quote

I'd seen this message before I contacted you and this time I was feeling like I wanted to see what happened if I didn't click on OK -- because maybe it's the infection trying to trick me into clicking. Then two other dialog boxes came up..One saying that Rootkit access had been detected and Combofix needed to reboot...again I didn't click on anything

This message is from ComboFix and it's not the infection throwing that up there.

Quote

before I turned the computer off AVG complained about C:\Combofix\CF32286.3XE being a virus but I went ahead and said Allow that. The guy who helps out with virus support at work when it's over my head told me last week that AVG throws that up after running Combofix so I thought it was okay to Allow??

Yes, that file is related to ComboFix and is not malicious.

Quote

do you know what's going on? Are we getting anywhere? I think yes because I can still browse

Yes, the infection you are infected with is very stubborn and looks like it's causing some havoc right now with trying to get ComboFix to run for us.

I'd like to have you try and download a new copy of ComboFix and save it to your C:\ drive and name it svchost.exe and try running it then, and see if you have better luck running a scan with it then.

Let me know.

Agent ST.

#11 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 07 February 2012 - 10:12 PM

Hi Agent ST
Sorry for the delay - I just finished working two really long days but here I am finally again, back to try and deal with this virus. My boss at work has the same one on his laptop I discovered on Monday (plus about 5 other things), so I really felt like I was in ZeroAccess hell on Monday. I tried a few things but his keeps freezing up for what seems like no reason so I called in the guy we use to come and get it and straighten it out, so at least I don't have to deal with trying to clean it off of two machines. It's not been a great start to the week with these virus troubles and the Patriots losing the Superbowl...everyone is in a grumpy mood.

The sort of good news is, The internet was not working when I came back to this computer and turned it on this evening, but after running Combofix, it is working now.

The bad news is that apparently the virus was not fooled by downloading a new copy of the file, naming the file as svchost.exe and running it from the root of C:\.
I ran it from a windows Admin account logged onto safe mode with command prompt and Again, everything seemed fine until the reboot
When I tried to go back into Windows normally, click to login to the Admin account, it hangs at Please wait....combofix is preparing to run.

okay so I figured...what the heck...this thing is really irritating me...I'll be naughty and just try one more time and trying logging back into safe mode vs normal on the reboot this time....ta da!

what does the cat found it mean? seems like some good stuff may have happened?

Here's the copy of the combofix file:

__________________________________________

ComboFix 12-02-07.01 - WWAdmin 02/07/2012 22:31:15.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1799 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameH.txt
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
c:\documents and settings\User1\Local Settings\Temp\_iu14D2N.tmp
c:\documents and settings\User1\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
c:\documents and settings\User1\Local Settings\Temp\SSUPDATE.EXE
c:\windows\system32\Cache
c:\windows\system32\Cache\1db840403f23ee15.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\tmp3A.tmp
.
Infected copy of c:\windows\system32\drivers\mqac.sys was found and disinfected
Restored copy from - The cat found it

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it

.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-04 15:47 . 2012-02-04 15:47 -------- d-----w- C:\_OTL
2012-02-02 11:59 . 2012-02-02 11:59 135032 ----a-w- c:\windows\system32\drivers\dwprot.sys
2012-02-02 00:02 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 10:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 10:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 10:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-02-02 16:01 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-02-02 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Citi Virtual Account Numbers"="c:\progra~1\VIRTUA~1\CitiVAN.exe" [2009-07-10 372736]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-02-02 939872]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-02 928096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2/2/2012 6:59 AM 135032]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 297168]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 3:02 PM 7391072]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [8/26/2010 8:01 AM 10448]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [2/2/2012 11:01 AM 909152]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [8/21/2011 1:54 PM 167264]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 27216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LBEEPKE
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2010-01-07 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8254518909.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]
.
2012-02-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
2012-02-08 c:\windows\Tasks\User_Feed_Synchronization-{99796CAB-0E9B-437F-A13D-980353FC50B3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-07 22:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2012-02-07 22:39:27
ComboFix-quarantined-files.txt 2012-02-08 03:39
.
Pre-Run: 219,027,443,712 bytes free
Post-Run: 219,860,746,240 bytes free
.
- - End Of File - - BA85CE653453949005547EB5109BAAAC

_____________________________

Good Night. thank very much for your help, Dona

This post has been edited by djw23: 07 February 2012 - 10:49 PM

#12 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 08 February 2012 - 03:44 AM

Good Morning Dona!

Quote

Sorry for the delay - I just finished working two really long days but here I am finally again, back to try and deal with this virus. My boss at work has the same one on his laptop I discovered on Monday (plus about 5 other things), so I really felt like I was in ZeroAccess hell on Monday. I tried a few things but his keeps freezing up for what seems like no reason so I called in the guy we use to come and get it and straighten it out, so at least I don't have to deal with trying to clean it off of two machines. It's not been a great start to the week with these virus troubles and the Patriots losing the Superbowl...everyone is in a grumpy mood.

Oh noes! That does not seem like a good start to the week at all!! I hope it gets better!

Quote

what does the cat found it mean? seems like some good stuff may have happened?

Without getting into specifics, it just means that you had some infected files on your computer and ComboFix addressed them.

I'm glad to hear that you were able to get ComboFix to run! It looks like we are making some progress!

How are things running on your end with your computer?

Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Select Perform quick scan, then click on Scan
Leave the default options as it is and click on Start Scan
When done, you will be prompted. Click OK, then click on Show Results
Checked (ticked) all items and click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
- Enable Anti-Stealth technology
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

NEXT:

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#13 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 08 February 2012 - 03:39 PM

Hi Agent ST

I had to run Combofix again before starting these tasks because the internet connection was broken again. So here's the contents of the most recent Combofix file in case you want to see that:

ComboFix 12-02-07.01 - WWAdmin 02/08/2012 11:43:38.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1799 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-04 15:47 . 2012-02-04 15:47 -------- d-----w- C:\_OTL
2012-02-02 11:59 . 2012-02-02 11:59 135032 ----a-w- c:\windows\system32\drivers\dwprot.sys
2012-02-02 00:02 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-08-04 10:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 10:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 10:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 10:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-02-02 16:01 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-02-02 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-02-28 180224]
"P17Helper"="SPIRun.dll" [2006-07-03 10752]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Citi Virtual Account Numbers"="c:\progra~1\VIRTUA~1\CitiVAN.exe" [2009-07-10 372736]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-02-02 939872]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-02-02 928096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]
R0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2/2/2012 6:59 AM 135032]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 297168]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 3:02 PM 7391072]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [8/26/2010 8:01 AM 10448]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [2/2/2012 11:01 AM 909152]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [8/21/2011 1:54 PM 167264]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 27216]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2010-01-07 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8254518909.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]
.
2012-02-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
2012-02-08 c:\windows\Tasks\User_Feed_Synchronization-{99796CAB-0E9B-437F-A13D-980353FC50B3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-08 11:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(1940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-02-08 11:51:17
ComboFix-quarantined-files.txt 2012-02-08 16:51
ComboFix2.txt 2012-02-08 03:39
.
Pre-Run: 219,861,250,048 bytes free
Post-Run: 219,854,118,912 bytes free
.
- - End Of File - - BB874CD99F535A42FC5419D7C65C39D9

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Next I had to install the latest Malwarebytes from their web site -- remember I uninstalled it when you asked me to disable it awhile ago and I didn't know how to do that. I downloaded it from here: http://www.malwarebytes.org/products/malwarebytes_free -- updated it and then ran it. Everything seemed fine. I didn't see anything unusual. Did not have to remove selected or reboot.

So Here's the contents of the log file for that:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.08.03

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
WWAdmin :: USER1-CEFFE37FC [administrator]

2/8/2012 12:01:36 PM
mbam-log-2012-02-08 (12-01-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226078
Time elapsed: 12 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here's the contents of the ESETScan log file -- this took a very long time to run - well over an hour -- Doesn't this one just look so LOVELY?:

C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\R3NSKT4M\how-to-draw-courage-the-cowardly-dog-characters&page=3[1].htm JS/Redirector.NIF trojan
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\RKYMOJ0J\in[1].htm JS/Exploit.Agent.NCQ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir Win32/Sirefef.DA trojan

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Last, here's the Security Checkup checkup.txt

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2011
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
Java™ 6 Update 21
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I guess I should leave this computer on because it seems to lose the internet if I turn it off...

So That's what I'll do until I hear back from you but please let me know if you think it is better to turn it off in between posts...

Thank you, Dona

This post has been edited by djw23: 08 February 2012 - 03:49 PM

#14 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,666
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 09 February 2012 - 08:48 AM

Hi Dona!

Thanks for posting that ComboFix log.

Quote

Next I had to install the latest Malwarebytes from their web site -- remember I uninstalled it when you asked me to disable it awhile ago and I didn't know how to do that. I downloaded it from here: http://www.malwarebytes.org/products/malwarebytes_free -- updated it and then ran it. Everything seemed fine. I didn't see anything unusual. Did not have to remove selected or reboot.

Sorry about that! I forgot about you removing it earlier.

These threat(s) below are currently in Quarantine/System Restore and shall be removed when we clean up our tools later on.

Quote

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir Win32/Sirefef.DA trojan

These threat(s) below will be removed very shortly:

Quote

C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\R3NSKT4M\how-to-draw-courage-the-cowardly-dog-characters&page=3[1].htm JS/Redirector.NIF trojan
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\RKYMOJ0J\in[1].htm JS/Exploit.Agent.NCQ trojan

NEXT:

Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
Look for "Java Platform, Standard Edition".
Click the "Download JRE" button to the right.
Read the License Agreement, and then check the box that says: "Accept License Agreement".
From the list, select your OS and Platform:
- 32-bit Select: Windows x86 Offline.
- 64-bit Select: Windows x64.
If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to

> Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u2-windows-i586-s.exe (or jre-7u2-windows-x64.exe for 64-bit) to install the newest version.
If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the Java Setup - Welcome window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.

NEXT

OTL Fix

We need to run an OTL Fix

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

Please reopen on your desktop.

Copy and Paste the following code into the Posted Image

textbox.

:Services
:Processes
:OTL

:Reg

:Files
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\R3NSKT4M\how-to-draw-courage-the-cowardly-dog-characters&page=3[1].htm
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\RKYMOJ0J\in[1].htm
:Commands
[purity]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
[EMPTYJAVA]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.
If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

OTL Custom Scan

We need to run an OTL Custom Scan

Please reopen on your desktop.
Copy and Paste the following code into the textbox.

CREATERESTOREPOINT
msconfig
safebootminimal
activex
drivers32
netsvcs
"%WinDir%\$NtUninstallKB*$."
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Push the Quick Scan button.
A report will open. Copy and Paste that report in your next reply.

NEXT:

What outstanding issues (if any) are you still experiencing with your computer?

#15 djw23

Member

Group: Members
Posts: 30
Joined: 14-September 05
Gender:Female

Posted 10 February 2012 - 11:33 AM

Hi Agent ST
Hope you are having a nice day. :-) Just finished the last tasks you assigned:

1. Removed Java 6 via Control Panel Add/Remove Programs-->rebooted
2. Downloaded jre-7u2-windows-i586.exe to desktop and installed Java 7 update 2-->rebooted
3. Disabled Java Quick Starter-->rebooted
4. Uninstalled Malwarebytes-->not sure how to disable
5. ran OTL Fix Here's the contents of that log file:

-----------------------------------------------------------------------------------------------------------------------------------

All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\R3NSKT4M\how-to-draw-courage-the-cowardly-dog-characters&page=3[1].htm moved successfully.
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\RKYMOJ0J\in[1].htm moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: User1
->Temp folder emptied: 503561698 bytes
->Temporary Internet Files folder emptied: 854794799 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: WWAdmin
->Temp folder emptied: 956326 bytes
->Temporary Internet Files folder emptied: 15828473 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 681 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 85297 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 51704210 bytes
RecycleBin emptied: 7734956 bytes

Total Files Cleaned = 1,370.00 mb

[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: User1
->Flash cache emptied: 0 bytes

User: WWAdmin
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: User1
->Java cache emptied: 0 bytes

User: WWAdmin
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.31.0 log created on 02102012_104947

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

-----------------------------------------------------------------------------------------------------------------------------------

FYI: Reboot was required for the OTL fix so I rebooted

LAST, I ran the OTL custom scan and here is the logfile for that:

-----------------------------------------------------------------------------------------------------------------------------------

OTL logfile created on: 2/10/2012 11:04:03 AM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\WWAdmin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.47% Memory free
3.85 Gb Paging File | 3.34 Gb Available in Paging File | 86.87% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 206.03 Gb Free Space | 88.51% Space Free | Partition Type: NTFS

Computer Name: USER1-CEFFE37FC | User Name: WWAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/03 11:56:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WWAdmin\Desktop\OTL.exe
PRC - [2012/02/02 11:01:45 | 000,909,152 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
PRC - [2012/02/02 11:01:43 | 000,939,872 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2012/01/31 15:02:52 | 007,391,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2012/01/17 20:03:24 | 002,339,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/09/09 02:10:56 | 001,082,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/08/18 00:33:26 | 000,659,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2011/05/23 13:13:04 | 000,657,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2011/02/10 06:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 04:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/06/25 19:15:32 | 001,311,312 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
PRC - [2010/06/22 14:09:20 | 000,112,208 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
PRC - [2009/07/10 16:53:52 | 000,372,736 | ---- | M] (Orbiscom Ltd. All rights reserved.) -- C:\Program Files\Virtual Account Numbers\CitiVAN.exe
PRC - [2009/07/10 16:50:36 | 000,145,920 | ---- | M] (Orbiscom Ltd.) -- C:\WINDOWS\system32\OBroker.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/28 16:50:50 | 000,180,224 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PRC - [2006/08/14 00:07:00 | 000,102,400 | ---- | M] () -- C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
PRC - [2006/08/10 11:10:14 | 000,221,184 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
PRC - [2006/08/10 10:38:54 | 000,010,752 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
PRC - [2006/07/31 08:00:00 | 001,116,920 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/01/02 16:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2003/05/15 00:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2003/04/06 00:17:18 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/05 23:55:04 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/05 23:45:10 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

========== Modules (No Company Name) ==========

MOD - [2012/02/02 11:01:45 | 000,909,152 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
MOD - [2012/02/02 11:01:43 | 000,939,872 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2012/01/01 12:08:51 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_a0bcddf0\mscorlib.dll
MOD - [2012/01/01 12:08:48 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_37b9e16a\system.drawing.dll
MOD - [2012/01/01 12:08:39 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_33d3209a\system.xml.dll
MOD - [2012/01/01 12:08:31 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f21d6765\system.windows.forms.dll
MOD - [2012/01/01 12:08:16 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_82ed1ae6\system.dll
MOD - [2012/01/01 12:07:48 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012/01/01 12:07:47 | 001,269,760 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
MOD - [2012/01/01 12:07:42 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/02/10 06:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
MOD - [2009/09/19 20:57:55 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
MOD - [2009/09/19 20:57:54 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2009/09/19 20:57:54 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2009/09/19 20:57:54 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2009/07/10 16:50:24 | 000,039,424 | ---- | M] () -- C:\Program Files\Virtual Account Numbers\VANRes.dll
MOD - [2007/05/07 19:59:08 | 000,137,216 | R--- | M] () -- C:\WINDOWS\system32\OemSpi.dll
MOD - [2006/08/14 00:07:00 | 000,102,400 | ---- | M] () -- C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
MOD - [2006/08/10 10:42:00 | 000,516,096 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\LayoutDll9.dll
MOD - [2006/08/10 10:37:06 | 004,587,520 | R--- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
MOD - [2006/08/09 03:27:36 | 000,037,376 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\DLLShared\apm.dll
MOD - [2006/08/08 08:18:18 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2012/02/02 11:01:45 | 000,909,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe -- (vToolbarUpdater)
SRV - [2012/01/31 15:02:52 | 007,391,072 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/11/10 08:17:31 | 000,167,264 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/02/08 04:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/05/06 04:29:12 | 000,293,456 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/08/10 03:11:14 | 000,057,344 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2006/08/10 03:10:50 | 000,294,912 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)
SRV - [2003/03/09 15:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

========== Driver Services (SafeList) ==========

DRV - [2012/02/02 06:59:31 | 000,135,032 | ---- | M] (Doctor Web, Ltd.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\dwprot.sys -- (DwProt)
DRV - [2011/05/27 18:05:44 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/04/04 23:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/03/16 15:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/03/01 13:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 07:13:02 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/02/10 06:53:54 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/02/10 06:53:52 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/01/07 05:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/03/18 04:02:32 | 000,028,624 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2010/03/18 04:02:08 | 000,037,328 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2010/03/18 04:01:52 | 000,038,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2010/03/18 04:01:12 | 000,010,448 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2010/02/26 05:18:10 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/26 05:18:10 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/26 05:18:10 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2007/06/13 00:58:16 | 001,131,520 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2007/03/22 11:35:40 | 001,659,008 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\p17xfilt.sys -- (p17xfilt)
DRV - [2006/09/25 04:58:54 | 001,173,504 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P17xfi.sys -- (P17xfi)
DRV - [2006/08/09 03:30:42 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2006/08/08 08:18:50 | 000,009,432 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/08 08:18:28 | 000,035,128 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/08 08:18:26 | 000,097,880 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/08 08:18:26 | 000,094,680 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/08 08:18:24 | 000,026,136 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/08 08:18:22 | 000,032,504 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/08 08:18:20 | 000,104,504 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/08 08:18:20 | 000,014,552 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/01 19:06:20 | 000,012,952 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/01 19:06:18 | 000,028,216 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/06/07 16:08:58 | 001,580,544 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/05/10 14:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/03/17 17:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2005/10/17 17:50:06 | 000,245,376 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2500usb.sys -- (WUSB54GPV4SRV)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 54 61 F9 19 82 E6 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2012/02/03 12:07:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\citius@orbiscom: C:\Program Files\Virtual Account Numbers [2011/12/04 12:42:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\10.0.0.7\ [2012/02/02 11:01:53 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/02/07 22:37:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Virtual Account Numbers Helper) - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll (Orbiscom Ltd. All rights reserved.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll ()
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (radiojazz Toolbar) - {cbf6f119-ea59-4612-96c3-efd538c88c0a} - C:\Program Files\radiojazz\tbradi.dll (Conduit Ltd.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Virtual Account Numbers) - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll (Orbiscom Ltd. All rights reserved.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (radiojazz Toolbar) - {cbf6f119-ea59-4612-96c3-efd538c88c0a} - C:\Program Files\radiojazz\tbradi.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Citi Virtual Account Numbers] C:\Program Files\Virtual Account Numbers\CitiVAN.exe (Orbiscom Ltd. All rights reserved.)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\SPIRun.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Sonic Solutions)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B3F2BBB5-F5A6-4823-BFC2-9E54C4B3F974}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.dll) - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\WWAdmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WWAdmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/19 19:18:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\INF\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivXNetworks)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/02/10 11:06:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WWAdmin\Local Settings\Application Data\Sun
[2012/02/10 11:02:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WWAdmin\Desktop\Bleepingcomputer
[2012/02/10 10:40:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/02/10 10:38:38 | 000,637,848 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/02/10 10:38:38 | 000,223,112 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/02/10 10:38:38 | 000,141,312 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/02/10 10:38:37 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/02/10 10:38:37 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/02/10 10:35:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2012/02/10 10:29:52 | 020,290,952 | ---- | C] (Oracle Corporation) -- C:\Documents and Settings\WWAdmin\Desktop\jre-7u2-windows-i586.exe
[2012/02/08 13:26:14 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/02/08 13:19:02 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/02/08 11:59:22 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\WWAdmin\Desktop\mbam--setup-1.60.1.1000.exe
[2012/02/08 11:51:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/02/05 08:32:57 | 004,396,367 | R--- | C] (Swearware) -- C:\Documents and Settings\WWAdmin\Desktop\ComboFix.exe
[2012/02/04 11:15:23 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\WWAdmin\Desktop\aswMBR.exe
[2012/02/04 10:47:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/03 12:12:21 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WWAdmin\Desktop\OTL.exe
[2012/02/03 12:03:50 | 002,059,312 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\WWAdmin\Desktop\tdsskiller.exe
[2012/02/02 06:59:31 | 000,135,032 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2012/02/01 11:56:59 | 000,092,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mqac.svs
[2012/02/01 11:53:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/02/01 11:50:38 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/01 11:50:38 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/01 11:50:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/01 11:50:38 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/02/01 11:48:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/01 11:42:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/01 11:42:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\WWAdmin\My Documents\My Videos
[2012/02/01 11:42:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\WWAdmin\Start Menu\Programs\Administrative Tools
[2012/02/01 11:41:48 | 004,398,288 | R--- | C] (Swearware) -- C:\ComboFix.exe
[2009/09/19 21:18:05 | 000,065,536 | R--- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2006/07/11 13:29:00 | 000,028,672 | R--- | C] ( ) -- C:\WINDOWS\System32\DivXGraphBuilderCallback.dll

========== Files - Modified Within 30 Days ==========

[2012/02/10 11:06:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{99796CAB-0E9B-437F-A13D-980353FC50B3}.job
[2012/02/10 11:01:09 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/02/10 11:00:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/10 10:38:24 | 000,223,112 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/02/10 10:38:24 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/02/10 10:38:24 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/02/10 10:38:24 | 000,141,312 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/02/10 10:38:23 | 000,637,848 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/02/10 10:38:22 | 000,567,184 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/02/10 10:30:05 | 020,290,952 | ---- | M] (Oracle Corporation) -- C:\Documents and Settings\WWAdmin\Desktop\jre-7u2-windows-i586.exe
[2012/02/10 09:37:38 | 088,614,619 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/02/08 15:23:34 | 000,869,194 | ---- | M] () -- C:\Documents and Settings\WWAdmin\Desktop\SecurityCheck.exe
[2012/02/08 13:22:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/08 11:59:25 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\WWAdmin\Desktop\mbam--setup-1.60.1.1000.exe
[2012/02/07 22:37:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/07 21:37:22 | 004,398,288 | R--- | M] (Swearware) -- C:\ComboFix.exe
[2012/02/05 08:32:59 | 004,396,367 | R--- | M] (Swearware) -- C:\Documents and Settings\WWAdmin\Desktop\ComboFix.exe
[2012/02/04 14:46:40 | 000,233,013 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/02/04 11:17:07 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\WWAdmin\Desktop\MBR.dat
[2012/02/04 10:09:48 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\WWAdmin\Desktop\aswMBR.exe
[2012/02/03 12:07:54 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2012/02/03 11:56:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WWAdmin\Desktop\OTL.exe
[2012/02/03 11:55:10 | 000,335,593 | ---- | M] () -- C:\Documents and Settings\WWAdmin\Desktop\FSS.exe
[2012/02/03 11:53:38 | 002,059,312 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\WWAdmin\Desktop\tdsskiller.exe
[2012/02/02 22:21:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\WWAdmin\defogger_reenable
[2012/02/02 21:36:59 | 000,256,000 | R--- | M] () -- C:\WINDOWS\PEV.exe
[2012/02/02 07:18:04 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/02/02 06:59:31 | 000,135,032 | ---- | M] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2012/02/01 13:13:32 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/01 12:06:41 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/01 11:53:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini

========== Files Created - No Company Name ==========

[2012/02/08 15:23:31 | 000,869,194 | ---- | C] () -- C:\Documents and Settings\WWAdmin\Desktop\SecurityCheck.exe
[2012/02/04 11:17:07 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\WWAdmin\Desktop\MBR.dat
[2012/02/03 12:12:17 | 000,335,593 | ---- | C] () -- C:\Documents and Settings\WWAdmin\Desktop\FSS.exe
[2012/02/02 22:21:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\WWAdmin\defogger_reenable
[2012/02/01 11:53:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/02/01 11:53:23 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/02/01 11:50:38 | 000,256,000 | R--- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/01 11:50:38 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/01 11:50:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/01 11:50:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/01 11:50:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/09 18:13:01 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/24 17:45:43 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/24 17:45:43 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2010/05/14 17:33:21 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\WWAdmin\Local Settings\Application Data\fusioncache.dat
[2010/04/19 21:05:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2010/03/27 09:07:14 | 000,029,452 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/10/02 16:36:07 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/10/02 16:21:07 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2009/10/02 16:21:07 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2009/09/20 08:17:59 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2009/09/19 22:17:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/19 22:09:24 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/09/19 21:59:14 | 000,000,210 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/09/19 21:31:55 | 000,003,118 | ---- | C] () -- C:\WINDOWS\System32\AudioDrv.ini
[2009/09/19 21:31:23 | 000,008,251 | R--- | C] () -- C:\WINDOWS\sfsyn.ini
[2009/09/19 21:31:22 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/09/19 21:31:21 | 000,137,216 | R--- | C] () -- C:\WINDOWS\System32\OemSpi.dll
[2009/09/19 20:50:38 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/09/19 20:50:04 | 000,129,112 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/09/19 19:20:23 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/19 19:15:41 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/19 14:54:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/19 14:53:25 | 000,159,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2007/07/02 00:58:14 | 000,001,970 | ---- | C] () -- C:\WINDOWS\P17EP.ini
[2007/06/13 00:58:16 | 001,131,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\P17.sys
[2007/06/06 00:24:24 | 000,022,478 | R--- | C] () -- C:\WINDOWS\System32\ludap17.ini
[2007/04/09 00:42:00 | 000,148,480 | ---- | C] () -- C:\WINDOWS\System32\OemSpiE.dll
[2007/04/09 00:40:00 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\P17RunE.dll
[2006/12/15 01:41:26 | 000,008,192 | ---- | C] () -- C:\WINDOWS\ResDefE.exe
[2006/08/15 14:54:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/08/09 03:19:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/08/09 03:19:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/09 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\besch.exe
[2006/08/09 00:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2005/07/15 13:36:35 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\DivXsm.exe
[2005/07/15 13:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 13:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 13:35:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/03/21 18:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 18:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/03/08 05:17:00 | 000,000,054 | R--- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,380,702 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,052,936 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/10/02 00:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 00:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2003/03/09 15:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

========== Custom Scans ==========

< "%WinDir%\$NtUninstallKB*$." >
[2010/08/12 02:03:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2079403$
[2010/08/12 02:04:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2115168$
[2010/09/16 02:03:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2121546$
[2010/09/16 02:00:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2141007$
[2010/09/30 16:13:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2158563$
[2010/08/12 02:03:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2160329$
[2010/07/15 02:02:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2229593$
[2010/09/16 02:03:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2259922$
[2010/10/13 02:04:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2279986$
[2010/08/04 02:00:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2286198$
[2010/10/13 02:04:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2296011$
[2010/12/15 03:04:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2296199$
[2010/10/13 02:04:08 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2345886$
[2010/09/16 02:03:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2347290$
[2010/10/13 02:00:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2360937$
[2010/10/13 02:03:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2378111_WM9$
[2010/10/13 02:04:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2387149$
[2011/02/10 03:00:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2393802$
[2011/04/13 02:04:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2412687$
[2011/01/12 03:00:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2419632$
[2010/12/15 03:01:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2423089$
[2010/12/15 03:03:21 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2436673$
[2010/12/15 03:03:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2440591$
[2010/12/15 03:03:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2443105$
[2010/12/15 03:03:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2443685$
[2010/12/15 03:03:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2467659$
[2011/06/15 21:16:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2476490$
[2011/02/10 03:01:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2476687$
[2011/02/10 03:00:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2478960$
[2011/02/10 03:03:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2478971$
[2011/02/10 03:03:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2479628$
[2011/03/10 03:03:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2479943$
[2011/03/10 03:01:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2481109$
[2011/02/10 03:03:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2483185$
[2011/02/10 03:03:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2485376$
[2011/04/13 02:04:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2485663$
[2011/04/13 02:03:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2503658$
[2011/06/15 21:16:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2503665$
[2011/04/13 02:03:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2506212$
[2011/04/13 02:04:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2506223$
[2011/04/13 02:03:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2507618$
[2011/07/13 20:23:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2507938$
[2011/04/13 02:04:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2508272$
[2011/04/13 02:03:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2508429$
[2011/04/13 02:01:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2509553$
[2011/04/13 02:03:38 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2511455$
[2011/03/24 02:00:47 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2524375$
[2011/06/15 21:16:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2535512$
[2011/06/15 21:16:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2536276$
[2011/08/10 02:03:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2536276-v2$
[2011/06/29 02:00:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2541763$
[2011/06/15 21:16:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2544893$
[2011/11/09 03:03:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2544893-v2$
[2011/07/13 20:22:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2555917$
[2011/08/10 02:00:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2562937$
[2011/10/13 02:05:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2564958$
[2011/08/10 02:00:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2566454$
[2011/10/13 02:03:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2567053$
[2011/08/10 02:03:10 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2567680$
[2011/08/10 02:03:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2570222$
[2011/08/23 21:02:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2570791$
[2011/09/16 02:00:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2570947$
[2012/02/01 12:02:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2584146$
[2012/02/01 12:33:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2585542$
[2011/10/13 02:02:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2592799$
[2012/02/01 12:03:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2598479$
[2012/02/01 12:03:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2603381$
[2011/09/07 15:43:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2607712$
[2011/09/16 02:02:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2616676$
[2011/12/14 21:56:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2618451$
[2011/12/14 21:56:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2619339$
[2011/12/14 21:55:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2620712$
[2011/12/14 21:59:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2624667$
[2012/02/01 12:06:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2631813$
[2011/12/14 21:55:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2633171$
[2011/12/14 21:56:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2633952$
[2011/12/14 21:59:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2639417$
[2011/11/11 03:01:21 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2641690$
[2012/02/01 12:06:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB2646524$
[2009/09/27 08:53:51 | 000,000,000 | -HSD | M] -- C:\WINDOWS\$NtUninstallKB49616$
[2009/09/19 21:19:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB835221WXP$
[2009/09/21 21:08:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB885884$
[2009/09/19 22:40:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB898461$
[2009/09/27 08:58:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923561$
[2009/09/20 10:10:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB923561_0$
[2009/09/22 21:35:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB932823-v3$
[2009/09/27 08:59:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938464-v2$
[2009/09/20 10:13:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB938464-v2_0$
[2009/09/21 21:08:33 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB941569$
[2009/09/20 10:10:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB944338-v2$
[2009/09/27 08:59:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946648$
[2009/09/20 10:15:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB946648_0$
[2009/09/27 08:59:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950762$
[2009/09/20 10:12:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950762_0$
[2009/09/27 08:59:15 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950974$
[2009/09/20 10:14:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB950974_0$
[2009/09/27 08:59:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951066$
[2009/09/20 10:11:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951066_0$
[2009/09/27 08:59:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376-v2$
[2009/09/20 10:15:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951376-v2_0$
[2009/09/27 08:59:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951748$
[2009/09/20 10:11:24 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951748_0$
[2009/09/28 21:29:10 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB951978$
[2009/09/27 08:59:34 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952004$
[2009/09/20 10:12:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952004_0$
[2009/09/20 10:13:15 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952069_WM9$
[2009/09/27 08:59:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952287$
[2009/09/20 10:11:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952287_0$
[2009/09/27 08:59:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952954$
[2009/09/20 10:15:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB952954_0$
[2009/10/14 21:38:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954155_WM9$
[2009/09/28 21:28:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954459$
[2009/09/27 08:59:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954600$
[2009/09/20 10:10:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB954600_0$
[2009/09/27 08:59:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955069$
[2009/09/20 10:10:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955069_0$
[2010/01/12 22:42:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB955759$
[2009/09/27 08:59:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956572$
[2009/09/20 10:13:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956572_0$
[2009/09/28 21:29:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956744$
[2009/09/27 09:00:08 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956802$
[2009/09/20 10:10:22 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956802_0$
[2009/09/27 09:00:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956803$
[2009/09/20 10:15:04 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956803_0$
[2009/09/27 09:00:17 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956844$
[2009/09/20 10:13:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB956844_0$
[2009/09/27 09:00:21 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957097$
[2009/09/20 10:11:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB957097_0$
[2009/09/20 10:11:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958470$
[2009/09/27 09:00:26 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958644$
[2009/09/20 10:10:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958644_0$
[2009/09/27 09:00:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958687$
[2009/09/20 10:11:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958687_0$
[2009/10/14 21:38:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB958869$
[2009/09/27 09:00:35 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB959426$
[2009/09/20 10:15:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB959426_0$
[2009/09/27 09:00:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960225$
[2009/09/20 10:14:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960225_0$
[2009/09/27 09:00:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960803$
[2009/09/20 10:11:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960803_0$
[2009/09/27 09:00:48 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960859$
[2009/09/20 10:15:00 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB960859_0$
[2009/09/27 09:00:53 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961371-v2$
[2009/09/20 10:14:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961371-v2_0$
[2009/09/27 09:00:57 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961501$
[2009/09/20 10:13:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB961501_0$
[2009/09/27 09:01:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB967715$
[2009/09/20 10:11:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB967715_0$
[2009/10/14 21:37:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968389$
[2009/09/27 09:01:09 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968537$
[2009/09/20 10:10:50 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968537_0$
[2009/09/20 10:13:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB968816_WM9$
[2009/10/14 21:38:46 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB969059$
[2009/11/11 22:29:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB969947$
[2009/09/27 09:01:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970238$
[2009/09/20 10:11:14 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970238_0$
[2009/12/09 03:02:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970430$
[2009/09/20 10:10:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB970653-v3$
[2011/03/18 02:00:52 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971029$
[2009/09/20 10:10:42 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971032$
[2010/02/10 22:10:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971468$
[2011/05/08 09:01:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971486$
[2009/09/27 09:01:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971557$
[2009/09/20 10:14:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971557_0$
[2009/09/27 09:01:23 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971633$
[2009/09/20 10:13:20 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971633_0$
[2009/09/27 09:01:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971657$
[2009/09/20 10:14:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971657_0$
[2009/12/09 03:01:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971737$
[2009/09/20 10:11:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB971961$
[2009/09/20 10:14:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB972260$
[2010/01/13 05:39:30 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB972270$
[2009/09/20 10:14:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973346$
[2009/09/27 09:01:35 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973354$
[2009/09/20 10:11:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973354_0$
[2009/09/27 09:01:39 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973507$
[2009/09/20 10:12:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973507_0$
[2009/10/14 21:37:43 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973525$
[2009/09/28 21:28:56 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973540_WM9$
[2009/09/20 10:13:02 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973540_WM9L$
[2009/11/25 03:01:10 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973687$
[2009/09/27 09:01:44 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973815$
[2009/09/20 10:10:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973815_0$
[2009/09/27 09:01:49 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973869$
[2009/09/20 10:13:11 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973869_0$
[2009/12/09 03:01:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB973904$
[2009/10/14 21:38:37 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974112$
[2009/12/09 03:02:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974318$
[2009/12/09 03:01:36 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974392$
[2009/10/14 21:38:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB974571$
[2009/10/14 21:38:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975025$
[2009/10/14 21:37:38 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975467$
[2010/09/16 02:03:28 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975558_WM8$
[2010/02/10 22:08:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975560$
[2010/03/11 03:01:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975561$
[2010/06/12 02:00:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975562$
[2010/02/10 22:09:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB975713$
[2009/11/25 03:01:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB976098-v2$
[2010/02/10 22:08:08 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977165$
[2010/04/15 02:00:59 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977816$
[2010/02/10 22:08:27 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB977914$
[2010/02/10 22:09:12 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978037$
[2010/02/10 22:09:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978251$
[2010/02/10 22:10:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978262$
[2010/04/15 02:01:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978338$
[2010/05/12 02:00:29 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978542$
[2010/04/15 02:00:55 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978601$
[2010/06/12 02:01:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978695_WM9$
[2010/02/10 22:08:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB978706$
[2010/02/24 03:00:16 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979306$
[2010/04/15 02:00:32 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979309$
[2010/04/15 02:02:13 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979402_WM9$
[2010/06/12 02:01:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979482$
[2010/06/12 02:02:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979559$
[2010/04/15 02:02:25 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979683$
[2010/10/13 02:03:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB979687$
[2010/06/12 02:04:01 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980195$
[2010/06/12 02:04:07 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980218$
[2010/04/15 02:02:18 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980232$
[2010/08/12 02:03:06 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB980436$
[2010/09/16 02:02:58 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981322$
[2010/05/26 05:39:31 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981793$
[2010/08/12 02:03:45 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981852$
[2010/10/13 02:01:19 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981957$
[2010/08/12 02:00:51 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB981997$
[2010/10/13 02:03:54 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982132$
[2010/08/12 02:04:05 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982214$
[2010/08/12 02:00:41 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982665$
[2010/09/16 02:03:03 | 000,000,000 | -H-D | M] -- C:\WINDOWS\$NtUninstallKB982802$

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-02-01 17:33:51

< >

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\WWAdmin\Desktop\Bleepingcomputer:Roxio EMC Stream

< End of report >

-----------------------------------------------------------------------------------------------------------------------------------

Machine seems to be doing everything we need it to do anyway but Right now when I'm typing this reply, there seems to be a typing delay ( the letters are appearing slower then I am typing them ) and the hour glass is flashing off and on where the mouse cursor is on the screen. So that's a bit weird. not sure I ever noticed that before.

Is that normal behavior when typing in a reply?

It looks as if the two trojans were moved on reboot...that's great.. I guess we still need to worry about removing ZeroAccess and P17 and then set about cleaning up all the quarantined stuff?

Yay we're getting closer...which is fabulous!

Please let me know what's next.

Thank you, Dona

P.S. I told my husband it is DEFINITELY NOT okay to ignore Java update requests in the future.
What can I say,,,he is not very computer saavy -- which is why I always end up fixing it when he screws it up.

This post has been edited by djw23: 10 February 2012 - 11:41 AM