Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

1st time post. Do not know name of my problem


  • This topic is locked This topic is locked
12 replies to this topic

#1 NorCalJim

NorCalJim

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 19 February 2009 - 01:42 AM

Could not run iexplorer for a while. It would simply not respond. Now it is working after Avast antivirus discovered a trojan and some viruses. I moved these to the chest. Not actually sure what that means but that is what the program recommended. Still cannot download anything from Microsoft. I get a message that says this page is unavailable. Tried to load and run Microsoft's Malicious Software Removal Tool. Cannot download it so I copied to a cd from a different computer and saved to mine. I couldn't run it. Firefox is much slower than normal. Chrome and Firefox were the only browsers that I could run but they get redirected after a short time. That is very disturbing and frustrating. I try to run Spybot SD but it doesn't respond. I have run Sophos anti-rootkit, Aboutbuster, Ad-Aware (can't get updates), Threatfire, Windows defender(can't get updates). All of them find nothing.

My HijackThis log below is from Trend Micro. I did not see any second log file for attaching, as discussed in the "Read this topic" guideline.

Any help would be greatly appreciated? I am just about willing to give up on this computer but I really want to get my pictures and music off of it. I am concerned that copying these files to an external hard drive might allow what ever the problem is to be transferred to another computer.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:51 PM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\User_2\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37520.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD5C4C30-D6EC-48EE-AE2B-3CF002FF7EDA}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE462A6F-D8B7-40EE-9282-4974B69D60F7}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9174 bytes

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 01 March 2009 - 04:11 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


Download and run OTListIT2

We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Post both logs in your next reply please.
In your next reply please include the following:
  • MBAM log
  • OTListIt.txt
  • Description of Problems you still have

Important Note: For other users who are reading this topic,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 NorCalJim

NorCalJim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 01 March 2009 - 05:39 PM

EB,
Thanks for your assistance. You guys are providing a great service.

Please see my logs as you requested. I am not having the problems I was having before though I am not confident that my computer is clean either. Since I first posted I have run Drcureit and Combofix after looking at another posting similar to mine. They fixed alot of problems and I was then able to run Iexplorer and get windows updates as well as other updates. Avast then found several trojans and viruses. Please let me know if I need to do anything else. Thanks again.

Jim

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 01 March 2009 - 06:20 PM

Hello.

It's difficult to read the logs when they are attached, it's easier to read and analyze the logs once they are posted as their are coloured headings to show different things.

Please post the Extras and OTListIt log here in this thread please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 NorCalJim

NorCalJim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 01 March 2009 - 07:00 PM

Hope this is what you wanted. Thanks

PTListIT

OTListIt logfile created on: 3/1/2009 2:30:38 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.1 Folder = C:\Documents and Settings\User_2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.49 Mb Total Physical Memory | 274.25 Mb Available Physical Memory | 27.66% Memory free
3.81 Gb Paging File | 3.16 Gb Available in Paging File | 82.96% Paging File free
Paging file location(s): C:\pagefile.sys 3000 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.67 Gb Total Space | 0.34 Gb Free Space | 1.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAINCOMPUTER
Current User Name: User_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/02/05 13:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/24 06:47:57 | 00,950,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/02/05 13:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/04/13 19:45:30 | 00,290,905 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\PRISMSVR.EXE
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
PRC - [2005/03/04 14:21:21 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/06/06 23:46:24 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2003/12/10 03:52:40 | 00,380,928 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe
PRC - [2006/08/11 14:56:02 | 00,017,920 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\CTHELPER.EXE
PRC - [2008/11/13 15:18:56 | 00,981,904 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/02/24 06:47:59 | 00,509,784 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/02/02 13:03:47 | 00,263,440 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2008/10/09 07:52:54 | 00,333,120 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
PRC - [2009/01/06 13:06:36 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/02/11 23:45:06 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2009/01/26 15:31:16 | 02,144,088 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2006/10/18 20:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNSCFG.exe
PRC - [2004/04/13 20:47:56 | 00,335,979 | ---- | M] (2Wire Inc.) -- C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
PRC - [2008/11/25 04:42:12 | 00,728,408 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi.exe
PRC - [2003/10/10 08:06:10 | 00,192,512 | ---- | M] () -- C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
PRC - [2005/05/12 00:33:52 | 00,479,232 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2003/01/10 06:04:00 | 00,065,536 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2006/03/02 17:49:14 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2009/02/02 13:03:43 | 00,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2008/11/13 15:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2001/08/18 04:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2008/04/13 16:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/02/05 13:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/02/05 13:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/01/19 21:08:36 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/01 14:17:39 | 00,497,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 13:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2009/02/05 13:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 13:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/02/05 13:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/02/24 06:47:57 | 00,950,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2003/01/10 06:04:00 | 00,065,536 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/03/02 17:49:14 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Running])
SRV - [2009/02/02 13:03:43 | 00,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire [Auto | Running])
SRV - [2008/11/13 15:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/02/05 13:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [1997/12/22 17:02:46 | 00,023,936 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
DRV - [2009/02/05 13:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/02/05 13:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/02/05 13:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/02/05 13:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/02/05 13:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2001/08/17 04:48:52 | 00,281,856 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys -- (ati2mpaa [On_Demand | Stopped])
DRV - [2004/08/03 21:29:26 | 00,327,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys -- (ati2mtaa [On_Demand | Stopped])
DRV - [2006/08/11 14:48:08 | 00,087,552 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:50 | 00,158,720 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:14 | 00,502,272 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
DRV - [2006/08/11 14:45:38 | 00,499,584 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
DRV - [2006/08/11 14:48:12 | 00,536,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL [On_Demand | Stopped])
DRV - [2005/11/10 17:06:04 | 00,340,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k [On_Demand | Stopped])
DRV - [2006/08/11 14:48:28 | 00,160,768 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:40 | 00,269,824 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:50 | 00,115,200 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:06 | 00,317,952 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:42 | 01,170,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:52 | 00,061,952 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL [On_Demand | Stopped])
DRV - [2001/08/17 12:19:20 | 00,096,256 | ---- | M] (Copyright © Creative Technology Ltd. 1994-2001) -- C:\WINDOWS\system32\drivers\ctlsb16.sys -- (ctlsb16 [On_Demand | Stopped])
DRV - [2006/08/11 14:45:40 | 00,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
DRV - [2006/08/11 14:48:32 | 00,548,352 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:18 | 00,143,872 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
DRV - [2001/10/17 19:03:44 | 00,025,434 | ---- | M] (D-Link Corporation. ) -- C:\WINDOWS\System32\DRIVERS\DLKRTS.SYS -- (DLKRTS [On_Demand | Stopped])
DRV - [2006/08/11 14:45:18 | 00,078,336 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
DRV - [2001/08/17 04:19:34 | 00,040,704 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371 [On_Demand | Stopped])
DRV - [2001/08/17 11:12:32 | 00,016,074 | ---- | M] (NETGEAR Corp.) -- C:\WINDOWS\System32\DRIVERS\FA312nd5.sys -- (FA312 [On_Demand | Stopped])
DRV - [2008/04/13 10:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/08/11 14:45:26 | 00,766,976 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
DRV - [2006/08/11 14:45:26 | 00,154,112 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\hap16v2k.sys -- (hap16v2k [On_Demand | Stopped])
DRV - [2006/08/11 14:45:28 | 00,180,224 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\hap17v2k.sys -- (hap17v2k [On_Demand | Stopped])
DRV - [2005/03/07 20:52:26 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2005/03/07 20:52:27 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005/03/07 20:52:28 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2009/01/18 13:30:13 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2004/04/13 19:20:08 | 00,015,781 | R--- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\mdc8021x.sys -- (MDC8021X [Auto | Running])
DRV - [2003/09/11 15:30:45 | 00,028,256 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
DRV - [2001/08/18 04:00:00 | 00,009,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\NtApm.sys -- (NtApm [On_Demand | Stopped])
DRV - [2003/01/10 06:04:00 | 01,180,282 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2002/09/22 18:37:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\NVENET.sys -- (NVENET [On_Demand | Running])
DRV - [2006/08/11 14:45:24 | 00,116,224 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
DRV - [2002/12/23 21:52:40 | 00,054,016 | R--- | M] (OrangeWare Corporation) -- C:\WINDOWS\System32\DRIVERS\ousb2hub.sys -- (ousb2hub [On_Demand | Running])
DRV - [2002/12/23 21:52:40 | 00,039,040 | R--- | M] (OrangeWare Corporation) -- C:\WINDOWS\System32\Drivers\ousbehci.sys -- (ousbehci [Auto | Running])
DRV - [2008/11/18 05:36:52 | 00,007,808 | ---- | M] (Secunia) -- C:\WINDOWS\system32\DRIVERS\psi_mf.sys -- (PSI [On_Demand | Stopped])
DRV - [2001/08/18 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/01/26 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2008/04/21 07:19:58 | 00,051,648 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2005/05/13 18:50:10 | 00,123,488 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Stopped])
DRV - [2009/02/02 13:03:58 | 00,051,472 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon [Boot | Running])
DRV - [2009/02/02 13:04:02 | 00,033,040 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon [On_Demand | Running])
DRV - [2009/02/02 13:04:04 | 00,039,184 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon [Boot | Running])
DRV - [2008/11/13 15:19:00 | 00,353,680 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2005/05/12 08:26:26 | 00,347,648 | R--- | M] ( ) -- C:\WINDOWS\system32\DRIVERS\WlanUIG.sys -- (WlanUIG [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Invalid data type.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = Reg Error: Invalid data type.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = Reg Error: Invalid data type.
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\S-1-5-21-1454471165-507921405-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\S-1-5-21-1454471165-507921405-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: {4776510a-a1f4-41f3-a3c8-35b474ecef23}:1.0.6
FF - prefs.js..extensions.enabledItems: {E9A1DEE0-C623-4439-8932-001E7D17607D}:2.1.0.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/02/17 23:30:02 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/02/16 10:55:14 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Extensions [2008/08/29 15:27:37 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2008/08/29 15:27:37 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions [2009/03/01 11:45:02 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions\{4776510a-a1f4-41f3-a3c8-35b474ecef23} [2009/02/11 00:42:38 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D} [2009/02/09 01:03:11 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb} [2009/02/07 08:15:26 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions [2008/08/29 15:27:41 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/02/04 19:57:48 00,000,000 | ---D | M]

O1 HOSTS File: (288733 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 hityou.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 180searchassistant.com
O1 - Hosts: 127.0.0.1 www.180searchassistant.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 www.180solutions.com
O1 - Hosts: 127.0.0.1 bis.180solutions.com
O1 - Hosts: 127.0.0.1 config.180solutions.com
O1 - Hosts: 127.0.0.1 cts.180solutions.com
O1 - Hosts: 127.0.0.1 downloads.180solutions.com
O1 - Hosts: 127.0.0.1 installs.180solutions.com
O1 - Hosts: 127.0.0.1 nowhere.180solutions.com
O1 - Hosts: 127.0.0.1 ping.180solutions.com
O1 - Hosts: 127.0.0.1 tv.180solutions.com
O1 - Hosts: 127.0.0.1 uploads.180solutions.com
O1 - Hosts: 127.0.0.1 public.zangocash.com
O1 - Hosts: 127.0.0.1 www.public.zangocash.com
O1 - Hosts: 127.0.0.1 static.zangocash.com
O1 - Hosts: 127.0.0.1 www.static.zangocash.com
O1 - Hosts: 127.0.0.1 www.zangocash.com
O1 - Hosts: 127.0.0.1 zangocash.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 2search.com
O1 - Hosts: 9953 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install (NVIDIA Corporation)
O4 - HKLM..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY (Conexant Systems, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot (BillP Studios)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005..\Run: [Google Update] "C:\Documents and Settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe (2Wire Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\User_2\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\..Trusted Sites: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\..Trusted Domains: msn.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} http://download.zonelabs.com/bin/promotion...canner37520.cab (ICSScanner Class)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab (XML DOM Document 4.0)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7881.6703472222 (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/04/15 12:09:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c83120b3-f15d-11dc-a21d-0060b3e29e14}\Shell - "" = AutoRun
O33 - MountPoints2\{c83120b3-f15d-11dc-a21d-0060b3e29e14}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c83120b3-f15d-11dc-a21d-0060b3e29e14}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[8 C:\WINDOWS\*.tmp files]
[2009/03/01 14:17:38 | 00,497,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTListIt2.exe
[2009/03/01 14:10:26 | 00,180,736 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTCleanIt.exe
[2009/02/26 22:39:51 | 03,162,278 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.BAK
[2009/02/24 21:11:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Application Data\Malwarebytes
[2009/02/24 21:11:30 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/24 21:11:29 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/24 21:11:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/24 21:11:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/24 21:11:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/24 07:35:12 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\Spybot - Search & Destroy.lnk
[2009/02/23 00:23:10 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/02/22 23:12:21 | 00,000,000 | ---D | C] -- C:\Program Files\EsetOnlineScanner
[2009/02/22 22:34:39 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/02/22 22:34:31 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/02/22 22:34:20 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/02/22 22:30:03 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/02/22 22:30:03 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/02/22 22:30:03 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/02/22 22:30:03 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/02/22 22:30:03 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/02/22 22:30:03 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/02/22 22:30:03 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/02/22 22:30:03 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/02/22 22:30:03 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/02/22 22:29:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/02/22 22:29:57 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/02/22 22:29:56 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/02/22 22:24:51 | 02,924,943 | R--- | C] () -- C:\Documents and Settings\User_2\Desktop\ComboFix.exe
[2009/02/22 13:41:49 | 00,189,614 | ---- | C] () -- C:\Documents and Settings\User_2\My Documents\Malware Infection - Affects Search Engine Results.htm
[2009/02/22 12:47:11 | 00,000,434 | ---- | C] () -- C:\Documents and Settings\User_2\My Documents\DrWeb.csv
[2009/02/22 11:47:35 | 09,448,904 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\User_2\My Documents\windows-kb890830-v2.7.exe
[2009/02/18 00:50:37 | 04,012,472 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\spybotsd_includes.exe
[2009/02/16 12:03:35 | 00,090,112 | ---- | C] (Malwarebytes) -- C:\Documents and Settings\User_2\Desktop\AboutBuster.exe
[2009/02/16 11:07:01 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/02/16 10:56:35 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/02/16 10:56:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/02/16 10:54:11 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/02/16 00:03:39 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/02/12 20:47:01 | 00,025,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2009/02/12 20:41:57 | 00,215,928 | ---- | C] (Sysinternals) -- C:\Documents and Settings\User_2\Desktop\pagedfrg.exe
[2009/02/12 15:08:34 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\User_2\Desktop\HiJackThis.exe
[2009/02/11 23:47:42 | 00,002,253 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\Google Chrome.lnk
[2009/02/11 23:45:13 | 00,000,930 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-507921405-1060284298-1005.job
[2009/02/11 00:49:50 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/02/11 00:42:19 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/02/11 00:39:01 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/02/11 00:33:06 | 05,186,048 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\WindowsDefender.msi
[2009/02/11 00:16:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Application Data\WinPatrol
[2009/02/11 00:15:54 | 00,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2009/02/11 00:08:28 | 00,000,621 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2009/02/11 00:08:19 | 00,051,472 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2009/02/11 00:08:19 | 00,039,184 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2009/02/11 00:08:19 | 00,033,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2009/02/11 00:08:19 | 00,012,560 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfKbMon.sys
[2009/02/11 00:08:18 | 00,000,000 | ---D | C] -- C:\Program Files\ThreatFire
[2009/02/11 00:08:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/02/10 23:30:23 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/02/10 23:30:23 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/02/10 17:57:49 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/10 06:47:50 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/10 06:43:58 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/02/10 06:43:21 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/10 06:43:18 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/10 06:43:01 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/02/10 06:43:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/02/09 01:03:11 | 00,000,000 | ---D | C] -- C:\Program Files\AskBarDis
[2009/02/08 22:21:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\My Documents\Downloads
[2009/02/08 22:18:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Local Settings\Application Data\Google

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[8 C:\WINDOWS\*.tmp files]
[2009/03/01 14:17:39 | 00,497,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTListIt2.exe
[2009/03/01 14:10:29 | 00,180,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTCleanIt.exe
[2009/03/01 13:42:15 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-507921405-1060284298-1005.job
[2009/03/01 11:44:30 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/03/01 11:25:27 | 00,348,376 | -H-- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/03/01 11:24:57 | 00,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/01 11:23:11 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/01 11:22:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/02/28 11:12:56 | 00,030,648 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/02/28 11:12:56 | 00,030,648 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/02/28 11:12:56 | 00,029,100 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/02/28 11:12:56 | 00,029,100 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/02/28 11:12:56 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/02/28 11:12:56 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/02/28 11:12:56 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/02/28 11:11:24 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.CDF
[2009/02/28 11:11:24 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.BAK
[2009/02/25 08:02:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/02/24 21:11:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/24 07:35:12 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\Spybot - Search & Destroy.lnk
[2009/02/24 06:49:11 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/23 22:55:21 | 00,001,408 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/02/22 22:38:51 | 00,000,245 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/02/22 22:34:39 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/02/22 22:25:09 | 02,924,943 | R--- | M] () -- C:\Documents and Settings\User_2\Desktop\ComboFix.exe
[2009/02/22 21:22:59 | 00,000,434 | ---- | M] () -- C:\Documents and Settings\User_2\My Documents\DrWeb.csv
[2009/02/22 13:41:54 | 00,189,614 | ---- | M] () -- C:\Documents and Settings\User_2\My Documents\Malware Infection - Affects Search Engine Results.htm
[2009/02/21 16:01:09 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/02/18 22:21:57 | 00,090,112 | ---- | M] (Malwarebytes) -- C:\Documents and Settings\User_2\Desktop\AboutBuster.exe
[2009/02/18 00:51:08 | 04,012,472 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\spybotsd_includes.exe
[2009/02/17 22:58:13 | 00,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2009/02/17 15:43:20 | 09,448,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\User_2\My Documents\windows-kb890830-v2.7.exe
[2009/02/16 10:54:12 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/02/16 00:39:16 | 00,636,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iexplore.exe
[2009/02/12 15:08:35 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\User_2\Desktop\HiJackThis.exe
[2009/02/11 23:47:42 | 00,002,253 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\Google Chrome.lnk
[2009/02/11 20:56:18 | 21,244,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/11 00:56:17 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\User_2\My Documents\desktop.ini
[2009/02/11 00:33:38 | 05,186,048 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\WindowsDefender.msi
[2009/02/11 00:08:28 | 00,000,621 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2009/02/10 23:30:23 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/02/10 06:43:18 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/09 01:02:43 | 00,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2009/02/05 13:11:35 | 01,256,296 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/02/05 13:08:19 | 00,093,296 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/02/05 13:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/02/05 13:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/02/05 13:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/02/05 13:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/02/05 13:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/02/05 13:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/02/05 13:04:45 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AVASTSS.scr
[2009/02/04 20:02:00 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\CCleaner.lnk
[2009/02/04 19:57:59 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/02/02 13:04:04 | 00,039,184 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2009/02/02 13:04:02 | 00,033,040 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2009/02/02 13:04:00 | 00,012,560 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfKbMon.sys
[2009/02/02 13:03:58 | 00,051,472 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Program Files\NPSWF32.dll:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\User_2\Desktop\AboutBuster.exe:SummaryInformation
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 0 bytes -> C:\WINDOWS\Thumbs.db:encryptable
@Alternate Data Stream - 0 bytes -> C:\Program Files\NPSWF32.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\User_2\Desktop\AboutBuster.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
< End of report >

Extras

OTListIt Extras logfile created on: 3/1/2009 2:30:38 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.1 Folder = C:\Documents and Settings\User_2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.49 Mb Total Physical Memory | 274.25 Mb Available Physical Memory | 27.66% Memory free
3.81 Gb Paging File | 3.16 Gb Available in Paging File | 82.96% Paging File free
Paging file location(s): C:\pagefile.sys 3000 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.67 Gb Total Space | 0.34 Gb Free Space | 1.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAINCOMPUTER
Current User Name: User_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.js [@ = JSFile] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2005/06/03 09:50:00 | 00,225,280 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe
[2005/06/03 09:50:14 | 00,040,960 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe
[2005/06/03 09:45:46 | 00,081,920 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
[2005/05/10 21:50:34 | 00,200,704 | ---- | M] () -- C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe
[2005/05/10 21:07:26 | 01,081,344 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
[2005/06/03 10:12:34 | 00,172,032 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe
[2005/06/03 09:51:06 | 00,458,752 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe
[2005/06/03 10:06:04 | 00,057,344 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2009/01/06 13:06:28 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{1330F885-F8E4-4c36-9B88-E19F82042C06}" = 3100_3200_3300trb
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{1777A08D-668D-4A6F-8CB7-248E5547F0E4}" = ClickArt 750,000
"{17A7FDBC-FB38-4258-B623-BCBA212BC25D}" = Costco Photo Organizer
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{2B65C841-EC48-4087-8021-6DBB9C1DE5E6}" = 3200
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3BCC5640-5360-11D4-A44A-0000E86D2305}" = Ulead Drop Spot 1.0
"{3E386744-10FA-44b2-98C9-DF7A270DECB3}" = HP PSC & OfficeJet 5.3.A
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{50E7BB78-02B4-469a-9D8B-B2F42835F90E}" = ProductContextNPI
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{567C23E1-7580-4185-B8C2-30805677297C}" = NewCopy_CDA
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{73006B34-9743-4A39-AC37-38EDFCEB6DCE}" = Adobe Product/Adobe Studio Update 10/2001
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}" = 2Wire Wireless Client
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B276997E-4367-4b1b-A39C-4CAE7464337A}" = AiO_Scan_CDA
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B60E7826-F117-4d26-8165-D2DC5A494AB0}" = Fax_CDA
"{B64E3AFC-59EF-4f18-BF11-E751462450D3}" = AiOSoftwareNPI
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C9618743-1A5C-461E-91C4-E013A3D70F3C}" = Adobe® Photoshop® Album Starter Edition 3.0.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{EFCE5837-FC21-11D6-9D24-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_02
"{F1931CAB-C7DD-4825-8A58-BC5278805200}" = 3100_3200_3300_Help
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"3554AA4B-9B0B-451a-A269-2B5F53982209_is1" = ThreatFire
"Ad-Aware" = Ad-Aware
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"All ATI Software" = ATI - Software Uninstall Utility
"ArcSoft VideoImpression 16FP" = ArcSoft VideoImpression 1.6FP
"Ask Toolbar_is1" = ZoneAlarm Spy Blocker Toolbar
"AudioConSole" = Creative Audio Console
"AutoScribe32" = AutoScribe32
"avast!" = avast! Antivirus
"CCleaner" = CCleaner (remove only)
"EsetOnlineScanner" = ESET Online Scanner
"HijackThis" = HijackThis 2.0.2
"HP Document Viewer" = HP Document Viewer 5.3
"hp instant support" = hp instant support
"HP LaserJet 1200 Uninstaller" = HP LaserJet 1200 Uninstaller
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8 Release Candidate 1
"InterVideo WinDVD" = InterVideo WinDVD
"Java Web Start" = Java Web Start
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"Mutilate File Wiper_is1" = Mutilate File Wiper 2.92
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Office8.0" = Microsoft Office 97, Professional Edition
"PokerStars.net" = PokerStars.net
"PowerDesk5.0" = PowerDesk 5.0
"RealPlayer 6.0" = RealPlayer
"SBC.MCCInstall" = SBC Self Support Tool
"Secunia PSI" = Secunia PSI
"Shockwave" = Shockwave
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.3.1
"SpywareBlaster_is1" = SpywareBlaster 4.1
"TaxACT 2005" = TaxACT 2005
"TaxACT 2006" = TaxACT 2006
"TaxACT 2007" = TaxACT 2007
"TaxACT California 2005" = TaxACT California 2005
"TaxACT California 2006" = TaxACT California 2006
"TaxACT California 2007" = TaxACT California 2007
"Virtual Slideshow Screen Saver" = Virtual Slideshow Screen Saver
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinFax" = Symantec WinFax Basic Edition 10.01
"WinPatrol" = WinPatrol 2008
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YInstHelper" = Yahoo! Install Manager
"ZoneAlarm" = ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 8/14/2008 11:32:37 PM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://au.download.windowsupdate.com/msdow...650f4c41689.cab
failed, 00000026.

Error - 9/11/2008 5:26:40 PM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - initialization error: AavmStart: avworkInitialize failed, 0000A438.


Error - 9/14/2008 6:20:05 PM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{1777A08D-668D-4A6F-8CB7-248E5547F0E4}\setup.ilg
failed, 00000005.

Error - 2/12/2009 11:45:41 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function A0000111.

Error - 2/23/2009 3:34:19 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{00FC6799-866E-44A1-A60C-DCF394CF56FD}\Setup.ilg
failed, 00000005.

Error - 2/23/2009 3:34:20 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{1777A08D-668D-4A6F-8CB7-248E5547F0E4}\setup.ilg
failed, 00000005.

Error - 2/23/2009 3:34:20 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{3FB8348A-CAF2-4B8D-B663-A0D76B26B611}\Setup.ilg
failed, 00000005.

Error - 2/23/2009 3:34:22 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}\Setup.ilg
failed, 00000005.

Error - 2/23/2009 3:34:23 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{BE20E2F5-1903-4AAE-B1AF-2046E586C925}\Setup.ilg
failed, 00000005.

Error - 2/23/2009 3:34:25 AM | Computer Name = MAINCOMPUTER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.ilg
failed, 00000005.

[ Application Events ]
Error - 2/22/2009 12:46:19 AM | Computer Name = MAINCOMPUTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2009 12:46:19 AM | Computer Name = MAINCOMPUTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/22/2009 1:11:18 PM | Computer Name = MAINCOMPUTER | Source = Google Update | ID = 20
Description =

Error - 2/22/2009 2:47:02 PM | Computer Name = MAINCOMPUTER | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18372, faulting
module unknown, version 0.0.0.0, fault address 0x10002a5f.

Error - 2/22/2009 2:47:08 PM | Computer Name = MAINCOMPUTER | Source = Application Error | ID = 1001
Description = Fault bucket 1118505219.

Error - 2/22/2009 3:41:48 PM | Computer Name = MAINCOMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/22/2009 7:22:21 PM | Computer Name = MAINCOMPUTER | Source = Google Update | ID = 20
Description =

Error - 2/22/2009 8:21:47 PM | Computer Name = MAINCOMPUTER | Source = Google Update | ID = 20
Description =

Error - 2/23/2009 2:50:30 AM | Computer Name = MAINCOMPUTER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2/23/2009 2:50:30 AM | Computer Name = MAINCOMPUTER | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 2/22/2009 8:00:20 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/22/2009 8:00:20 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/22/2009 8:00:20 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/22/2009 8:00:20 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/22/2009 8:00:20 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/22/2009 8:00:20 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/22/2009 8:00:35 PM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7028
Description = The BITS Registry key denied access to SYSTEM account programs so
the Service Control Manager took ownership of the Registry key.

Error - 2/23/2009 1:27:55 AM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 2/23/2009 1:29:04 AM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 2/25/2009 10:32:07 AM | Computer Name = MAINCOMPUTER | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Driver Helper Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 01 March 2009 - 08:39 PM

Hello.

Thanks.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have backup so encase anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Poker Related Programs Warning

I see you have installed some Poker related programs on your machine.

The one I am referring to is:
  • PokerStars.net <- This one is also bundled with Malware
Not all poker games are considered "bad", but most are. With that said many of them are bundled with spyware and other nasties that can steal passwords and etc... Even if it is considered "good" you are going to websites that you might not necessarily trust and hosted by someone else for you to join. I do not know how those programs work so I will not criticize what they do and if they are bad or not.

Some of them are fine to have, but if you didn't intensionally installed it or to play it, it is best to remove them.
Poker related programs usually are bundled with malware and other nasties as described above. The best option would to remove them via Add/Remove if it is still there.

Run Script with OTListIT2

We need to run an OTListIt2 Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTLI
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - Reg Error: Key error. File not found
    O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - File not found
    O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found
    @Alternate Data Stream - 88 bytes -> C:\Program Files\NPSWF32.dll:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\User_2\Desktop\AboutBuster.exe:SummaryInformation
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    @Alternate Data Stream - 0 bytes -> C:\WINDOWS\Thumbs.db:encryptable
    @Alternate Data Stream - 0 bytes -> C:\Program Files\NPSWF32.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    @Alternate Data Stream - 0 bytes -> C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    @Alternate Data Stream - 0 bytes -> C:\Documents and Settings\User_2\Desktop\AboutBuster.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    :commands
    [EmptyTemp]
    [Reboot]
  • Push Posted Image
  • OTLI2 may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 Update 12 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-OTListIT Fix log
-Kaspersky log
-New OTListIT Scan logs


With Regards,
Extremeboy

Edited by extremeboy, 01 March 2009 - 08:44 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 NorCalJim

NorCalJim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 03 March 2009 - 11:23 AM

EB,

I don't know why the website is not letting me repsond from my home computer, it just keeps maiking me log in and gives me an error saying I am not autorized to reply to this post. So I am logged in from work and it seems to be allowing me to post a reply. Here are the logs you requested. The Kapersky scan saved as a Firefox html file which I do not have on my work computer so I copied it to notepad and will copy and post below. Hopefully that works for you. Thanks again.


OTListIT Fix log

========== OTLISTIT ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\Extra Button: PokerStars.net\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\Extra Button: Messenger\ not found.
Starting removal of ActiveX control {33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)\Contains\Files\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)\DownloadInformation\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java \Contains\Files\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java \DownloadInformation\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java \ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp Reg Error: Value error.\ not found.
File Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found not found.
ADS C:\Program Files\NPSWF32.dll:SummaryInformation deleted successfully.
ADS C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE:SummaryInformation deleted successfully.
ADS C:\Documents and Settings\User_2\Desktop\AboutBuster.exe:SummaryInformation deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29 deleted successfully.
ADS C:\WINDOWS\Thumbs.db:encryptable deleted successfully.
ADS C:\Program Files\NPSWF32.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} deleted successfully.
ADS C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} deleted successfully.
ADS C:\Documents and Settings\User_2\Desktop\AboutBuster.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} deleted successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\User_2\Local Settings\Temp\etilqs_Um97wboe8F3TBG0wgFSX scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Temp\~DF3A9A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Temp\~DFBAAB.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Temp\~DFC6CA.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Temp\~DFCFA5.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0290b.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.3.1 log created on 03012009_192136

Files moved on Reboot...
File C:\Documents and Settings\User_2\Local Settings\Temp\etilqs_Um97wboe8F3TBG0wgFSX not found!
C:\Documents and Settings\User_2\Local Settings\Temp\~DF3A9A.tmp moved successfully.
File C:\Documents and Settings\User_2\Local Settings\Temp\~DFBAAB.tmp not found!
File C:\Documents and Settings\User_2\Local Settings\Temp\~DFC6CA.tmp not found!
File C:\Documents and Settings\User_2\Local Settings\Temp\~DFCFA5.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_d0.dat not found!
File C:\WINDOWS\temp\ZLT0290b.TMP not found!
C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\User_2\Local Settings\Application Data\Mozilla\Firefox\Profiles\qokx3okd.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...



New OTListIT log

OTListIt logfile created on: 3/2/2009 6:59:20 AM - Run 5
OTListIt2 by OldTimer - Version 2.0.3.1 Folder = C:\Documents and Settings\User_2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

991.49 Mb Total Physical Memory | 445.80 Mb Available Physical Memory | 44.96% Memory free
3.81 Gb Paging File | 3.23 Gb Available in Paging File | 84.85% Paging File free
Paging file location(s): C:\pagefile.sys 3000 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.67 Gb Total Space | 0.18 Gb Free Space | 0.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAINCOMPUTER
Current User Name: User_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/02/05 13:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/24 06:47:57 | 00,950,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/02/05 13:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/04/13 19:45:30 | 00,290,905 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\PRISMSVR.EXE
PRC - [2007/05/08 16:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
PRC - [2005/03/04 14:21:21 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/06/06 23:46:24 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2003/12/10 03:52:40 | 00,380,928 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe
PRC - [2006/08/11 14:56:02 | 00,017,920 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\CTHELPER.EXE
PRC - [2008/11/13 15:18:56 | 00,981,904 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/02/24 06:47:59 | 00,509,784 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/02/02 13:03:47 | 00,263,440 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2008/10/09 07:52:54 | 00,333,120 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
PRC - [2009/01/06 13:06:36 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/03/01 20:10:02 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/02/11 23:45:06 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2006/10/18 20:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNSCFG.exe
PRC - [2009/01/26 15:31:16 | 02,144,088 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2004/04/13 20:47:56 | 00,335,979 | ---- | M] (2Wire Inc.) -- C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
PRC - [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/25 04:42:12 | 00,728,408 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi.exe
PRC - [2009/03/01 20:10:02 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2003/10/10 08:06:10 | 00,192,512 | ---- | M] () -- C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
PRC - [2006/03/02 17:49:14 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/05/12 00:33:52 | 00,479,232 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2009/02/02 13:03:43 | 00,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe
PRC - [2008/11/13 15:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2001/08/18 04:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2009/02/05 13:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2008/04/13 16:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/02/05 13:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/01 14:17:39 | 00,497,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 13:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2009/02/05 13:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 13:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/02/05 13:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/03/01 20:10:02 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/02/24 06:47:57 | 00,950,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2003/01/10 06:04:00 | 00,065,536 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Stopped])
SRV - [2006/03/02 17:49:14 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Unknown | Running])
SRV - [2009/02/02 13:03:43 | 00,070,928 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire [Auto | Running])
SRV - [2008/11/13 15:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/02/05 13:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [1997/12/22 17:02:46 | 00,023,936 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
DRV - [2009/02/05 13:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/02/05 13:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/02/05 13:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/02/05 13:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/02/05 13:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2001/08/17 04:48:52 | 00,281,856 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys -- (ati2mpaa [On_Demand | Stopped])
DRV - [2004/08/03 21:29:26 | 00,327,040 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys -- (ati2mtaa [On_Demand | Stopped])
DRV - [2006/08/11 14:48:08 | 00,087,552 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:50 | 00,158,720 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:14 | 00,502,272 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
DRV - [2006/08/11 14:45:38 | 00,499,584 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
DRV - [2006/08/11 14:48:12 | 00,536,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL [On_Demand | Stopped])
DRV - [2005/11/10 17:06:04 | 00,340,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k [On_Demand | Stopped])
DRV - [2006/08/11 14:48:28 | 00,160,768 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:40 | 00,269,824 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:50 | 00,115,200 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:06 | 00,317,952 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:42 | 01,170,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:48:52 | 00,061,952 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL [On_Demand | Stopped])
DRV - [2001/08/17 12:19:20 | 00,096,256 | ---- | M] (Copyright © Creative Technology Ltd. 1994-2001) -- C:\WINDOWS\system32\drivers\ctlsb16.sys -- (ctlsb16 [On_Demand | Stopped])
DRV - [2006/08/11 14:45:40 | 00,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
DRV - [2006/08/11 14:48:32 | 00,548,352 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL [On_Demand | Stopped])
DRV - [2006/08/11 14:45:18 | 00,143,872 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
DRV - [2001/10/17 19:03:44 | 00,025,434 | ---- | M] (D-Link Corporation. ) -- C:\WINDOWS\System32\DRIVERS\DLKRTS.SYS -- (DLKRTS [On_Demand | Stopped])
DRV - [2006/08/11 14:45:18 | 00,078,336 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
DRV - [2001/08/17 04:19:34 | 00,040,704 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371 [On_Demand | Stopped])
DRV - [2001/08/17 11:12:32 | 00,016,074 | ---- | M] (NETGEAR Corp.) -- C:\WINDOWS\System32\DRIVERS\FA312nd5.sys -- (FA312 [On_Demand | Stopped])
DRV - [2008/04/13 10:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/08/11 14:45:26 | 00,766,976 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
DRV - [2006/08/11 14:45:26 | 00,154,112 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\hap16v2k.sys -- (hap16v2k [On_Demand | Stopped])
DRV - [2006/08/11 14:45:28 | 00,180,224 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\hap17v2k.sys -- (hap17v2k [On_Demand | Stopped])
DRV - [2005/03/07 20:52:26 | 00,051,120 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2005/03/07 20:52:27 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005/03/07 20:52:28 | 00,021,744 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2009/01/18 13:30:13 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2004/04/13 19:20:08 | 00,015,781 | R--- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\mdc8021x.sys -- (MDC8021X [Auto | Running])
DRV - [2003/09/11 15:30:45 | 00,028,256 | ---- | M] (MusicMatch, Inc.) -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
DRV - [2001/08/18 04:00:00 | 00,009,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\NtApm.sys -- (NtApm [On_Demand | Stopped])
DRV - [2003/01/10 06:04:00 | 01,180,282 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2002/09/22 18:37:00 | 00,080,896 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\NVENET.sys -- (NVENET [On_Demand | Running])
DRV - [2006/08/11 14:45:24 | 00,116,224 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
DRV - [2002/12/23 21:52:40 | 00,054,016 | R--- | M] (OrangeWare Corporation) -- C:\WINDOWS\System32\DRIVERS\ousb2hub.sys -- (ousb2hub [On_Demand | Running])
DRV - [2002/12/23 21:52:40 | 00,039,040 | R--- | M] (OrangeWare Corporation) -- C:\WINDOWS\System32\Drivers\ousbehci.sys -- (ousbehci [Auto | Running])
DRV - [2008/11/18 05:36:52 | 00,007,808 | ---- | M] (Secunia) -- C:\WINDOWS\system32\DRIVERS\psi_mf.sys -- (PSI [On_Demand | Stopped])
DRV - [2001/08/18 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/01/26 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2008/04/21 07:19:58 | 00,051,648 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2005/05/13 18:50:10 | 00,123,488 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Stopped])
DRV - [2009/02/02 13:03:58 | 00,051,472 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon [Boot | Running])
DRV - [2009/02/02 13:04:02 | 00,033,040 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon [On_Demand | Running])
DRV - [2009/02/02 13:04:04 | 00,039,184 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon [Boot | Running])
DRV - [2008/11/13 15:19:00 | 00,353,680 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2005/05/12 08:26:26 | 00,347,648 | R--- | M] ( ) -- C:\WINDOWS\system32\DRIVERS\WlanUIG.sys -- (WlanUIG [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Invalid data type.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = Reg Error: Invalid data type.
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = Reg Error: Invalid data type.
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\S-1-5-21-1454471165-507921405-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\S-1-5-21-1454471165-507921405-1060284298-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.76
FF - prefs.js..extensions.enabledItems: {4776510a-a1f4-41f3-a3c8-35b474ecef23}:1.0.6
FF - prefs.js..extensions.enabledItems: {E9A1DEE0-C623-4439-8932-001E7D17607D}:2.1.0.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/03/01 20:10:15 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/02/17 23:30:02 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/03/01 20:12:00 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Extensions [2008/08/29 15:27:37 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2008/08/29 15:27:37 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions [2009/03/01 20:17:20 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions\{4776510a-a1f4-41f3-a3c8-35b474ecef23} [2009/02/11 00:42:38 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D} [2009/02/09 01:03:11 00,000,000 | ---D | M]
FF - C:\Documents and Settings\User_2\Application Data\mozilla\Firefox\Profiles\qokx3okd.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb} [2009/02/07 08:15:26 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions [2009/03/01 20:17:20 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/02/04 19:57:48 00,000,000 | ---D | M]
FF - C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [2009/03/01 20:12:08 00,000,000 | ---D | M]

O1 HOSTS File: (288733 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 hityou.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 180searchassistant.com
O1 - Hosts: 127.0.0.1 www.180searchassistant.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 www.180solutions.com
O1 - Hosts: 127.0.0.1 bis.180solutions.com
O1 - Hosts: 127.0.0.1 config.180solutions.com
O1 - Hosts: 127.0.0.1 cts.180solutions.com
O1 - Hosts: 127.0.0.1 downloads.180solutions.com
O1 - Hosts: 127.0.0.1 installs.180solutions.com
O1 - Hosts: 127.0.0.1 nowhere.180solutions.com
O1 - Hosts: 127.0.0.1 ping.180solutions.com
O1 - Hosts: 127.0.0.1 tv.180solutions.com
O1 - Hosts: 127.0.0.1 uploads.180solutions.com
O1 - Hosts: 127.0.0.1 public.zangocash.com
O1 - Hosts: 127.0.0.1 www.public.zangocash.com
O1 - Hosts: 127.0.0.1 static.zangocash.com
O1 - Hosts: 127.0.0.1 www.static.zangocash.com
O1 - Hosts: 127.0.0.1 www.zangocash.com
O1 - Hosts: 127.0.0.1 zangocash.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 2search.com
O1 - Hosts: 9953 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install (NVIDIA Corporation)
O4 - HKLM..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY (Conexant Systems, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot (BillP Studios)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005..\Run: [Google Update] "C:\Documents and Settings\User_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe (2Wire Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\User_2\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\User_2\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\..Trusted Sites: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\..Trusted Domains: msn.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-1454471165-507921405-1060284298-1005\..Trusted Domains: 497 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} (Reg Error: Key error.)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} http://download.zonelabs.com/bin/promotion...canner37520.cab (ICSScanner Class)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab (XML DOM Document 4.0)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7881.6703472222 (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/04/15 12:09:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c83120b3-f15d-11dc-a21d-0060b3e29e14}\Shell - "" = AutoRun
O33 - MountPoints2\{c83120b3-f15d-11dc-a21d-0060b3e29e14}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c83120b3-f15d-11dc-a21d-0060b3e29e14}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[8 C:\WINDOWS\*.tmp files]
[2009/03/02 01:51:43 | 00,002,924 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\Kapersky scan.html
[2009/03/01 21:11:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/03/01 20:06:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Application Data\Sun
[2009/03/01 19:44:06 | 00,116,890 | ---- | C] () -- C:\Documents and Settings\User_2\My Documents\topic204714.html
[2009/03/01 19:21:36 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/03/01 18:02:30 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\User_2\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/03/01 18:00:17 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\NTREGOPT.lnk
[2009/03/01 18:00:17 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\ERUNT.lnk
[2009/03/01 18:00:15 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/03/01 17:59:22 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\User_2\Desktop\erunt-setup.exe
[2009/03/01 16:10:44 | 12,781,856 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\User_2\Desktop\launch.exe
[2009/03/01 14:17:38 | 00,497,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTListIt2.exe
[2009/03/01 14:10:26 | 00,180,736 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTCleanIt.exe
[2009/02/26 22:39:51 | 03,162,278 | ---- | C] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.BAK
[2009/02/24 21:11:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Application Data\Malwarebytes
[2009/02/24 21:11:30 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/24 21:11:29 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/24 21:11:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/24 21:11:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/24 21:11:23 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/24 07:35:12 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\Spybot - Search & Destroy.lnk
[2009/02/23 00:23:10 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/02/22 23:12:21 | 00,000,000 | ---D | C] -- C:\Program Files\EsetOnlineScanner
[2009/02/22 22:34:39 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/02/22 22:34:31 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/02/22 22:34:20 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/02/22 22:30:03 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/02/22 22:30:03 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/02/22 22:30:03 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/02/22 22:30:03 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/02/22 22:30:03 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/02/22 22:30:03 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/02/22 22:30:03 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/02/22 22:30:03 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/02/22 22:30:03 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/02/22 22:29:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/02/22 22:29:57 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/02/22 22:29:56 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/02/22 22:24:51 | 02,924,943 | R--- | C] () -- C:\Documents and Settings\User_2\Desktop\ComboFix.exe
[2009/02/22 13:41:49 | 00,189,614 | ---- | C] () -- C:\Documents and Settings\User_2\My Documents\Malware Infection - Affects Search Engine Results.htm
[2009/02/22 12:47:11 | 00,000,434 | ---- | C] () -- C:\Documents and Settings\User_2\My Documents\DrWeb.csv
[2009/02/22 11:47:35 | 09,448,904 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\User_2\My Documents\windows-kb890830-v2.7.exe
[2009/02/16 12:03:35 | 00,090,112 | ---- | C] (Malwarebytes) -- C:\Documents and Settings\User_2\Desktop\AboutBuster.exe
[2009/02/16 11:07:01 | 00,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/02/16 10:56:35 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/02/16 10:56:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/02/16 10:54:11 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/02/16 00:03:39 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/02/12 20:47:01 | 00,025,992 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2009/02/12 20:41:57 | 00,215,928 | ---- | C] (Sysinternals) -- C:\Documents and Settings\User_2\Desktop\pagedfrg.exe
[2009/02/12 15:08:34 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\User_2\Desktop\HiJackThis.exe
[2009/02/11 23:47:42 | 00,002,253 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\Google Chrome.lnk
[2009/02/11 23:45:13 | 00,000,930 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-507921405-1060284298-1005.job
[2009/02/11 00:49:50 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/02/11 00:42:19 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/02/11 00:39:01 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/02/11 00:33:06 | 05,186,048 | ---- | C] () -- C:\Documents and Settings\User_2\Desktop\WindowsDefender.msi
[2009/02/11 00:16:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Application Data\WinPatrol
[2009/02/11 00:15:54 | 00,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2009/02/11 00:08:28 | 00,000,621 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2009/02/11 00:08:19 | 00,051,472 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2009/02/11 00:08:19 | 00,039,184 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2009/02/11 00:08:19 | 00,033,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2009/02/11 00:08:19 | 00,012,560 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfKbMon.sys
[2009/02/11 00:08:18 | 00,000,000 | ---D | C] -- C:\Program Files\ThreatFire
[2009/02/11 00:08:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/02/10 23:30:23 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/02/10 23:30:23 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/02/10 17:57:49 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/10 06:47:50 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/10 06:43:58 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/02/10 06:43:21 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/10 06:43:18 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/10 06:43:01 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/02/10 06:43:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/02/09 01:03:11 | 00,000,000 | ---D | C] -- C:\Program Files\AskBarDis
[2009/02/08 22:21:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\My Documents\Downloads
[2009/02/08 22:18:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User_2\Local Settings\Application Data\Google

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files]
[8 C:\WINDOWS\*.tmp files]
[2009/03/02 06:55:47 | 00,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-507921405-1060284298-1005.job
[2009/03/02 06:51:16 | 00,348,376 | -H-- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/03/02 06:50:59 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/03/02 06:49:22 | 00,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/02 06:46:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/02 06:46:36 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/02 02:03:44 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/03/02 02:03:44 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/03/02 02:03:44 | 00,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/03/02 02:03:43 | 00,030,648 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/03/02 02:03:43 | 00,030,648 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/03/02 02:03:43 | 00,029,100 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/03/02 02:03:43 | 00,029,100 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000009-00001102-00000004-00511102}.rfx
[2009/03/02 02:01:59 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.CDF
[2009/03/02 02:01:59 | 03,162,278 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000009-00001102-00000004-00511102}.BAK
[2009/03/02 01:51:43 | 00,002,924 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\Kapersky scan.html
[2009/03/01 23:17:37 | 07,782,400 | ---- | M] () -- C:\WINDOWS\outlook.pst
[2009/03/01 19:44:08 | 00,116,890 | ---- | M] () -- C:\Documents and Settings\User_2\My Documents\topic204714.html
[2009/03/01 18:02:30 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\User_2\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/03/01 18:00:17 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\NTREGOPT.lnk
[2009/03/01 18:00:17 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\ERUNT.lnk
[2009/03/01 17:59:31 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\User_2\Desktop\erunt-setup.exe
[2009/03/01 16:14:10 | 12,781,856 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\User_2\Desktop\launch.exe
[2009/03/01 14:17:39 | 00,497,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTListIt2.exe
[2009/03/01 14:10:29 | 00,180,736 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User_2\Desktop\OTCleanIt.exe
[2009/02/25 08:02:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/02/24 21:11:30 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/24 07:35:12 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\Spybot - Search & Destroy.lnk
[2009/02/24 06:49:11 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/23 22:55:21 | 00,001,408 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/02/22 22:38:51 | 00,000,245 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/02/22 22:34:39 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/02/22 22:25:09 | 02,924,943 | R--- | M] () -- C:\Documents and Settings\User_2\Desktop\ComboFix.exe
[2009/02/22 21:22:59 | 00,000,434 | ---- | M] () -- C:\Documents and Settings\User_2\My Documents\DrWeb.csv
[2009/02/22 13:41:54 | 00,189,614 | ---- | M] () -- C:\Documents and Settings\User_2\My Documents\Malware Infection - Affects Search Engine Results.htm
[2009/02/21 16:01:09 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/02/18 22:21:57 | 00,090,112 | ---- | M] (Malwarebytes) -- C:\Documents and Settings\User_2\Desktop\AboutBuster.exe
[2009/02/17 22:58:13 | 00,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2009/02/17 15:43:20 | 09,448,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\User_2\My Documents\windows-kb890830-v2.7.exe
[2009/02/16 10:54:12 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/02/16 00:39:16 | 00,636,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iexplore.exe
[2009/02/12 15:08:35 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\User_2\Desktop\HiJackThis.exe
[2009/02/11 23:47:42 | 00,002,253 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\Google Chrome.lnk
[2009/02/11 20:56:18 | 21,244,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/11 10:19:42 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/11 10:19:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/11 00:56:17 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\User_2\My Documents\desktop.ini
[2009/02/11 00:33:38 | 05,186,048 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\WindowsDefender.msi
[2009/02/11 00:08:28 | 00,000,621 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ThreatFire.lnk
[2009/02/10 23:30:23 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/02/10 06:43:18 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/09 01:02:43 | 00,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2009/02/05 13:11:35 | 01,256,296 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/02/05 13:08:19 | 00,093,296 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/02/05 13:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/02/05 13:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/02/05 13:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/02/05 13:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/02/05 13:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/02/05 13:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/02/05 13:04:45 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AVASTSS.scr
[2009/02/04 20:02:00 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\User_2\Desktop\CCleaner.lnk
[2009/02/04 19:57:59 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/02/02 13:04:04 | 00,039,184 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2009/02/02 13:04:02 | 00,033,040 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2009/02/02 13:04:00 | 00,012,560 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfKbMon.sys
[2009/02/02 13:03:58 | 00,051,472 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
< End of report >




Kapersky scan log

Monday, March 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 02, 2009 00:25:54
Records in database: 1860751
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Scan statistics
Files scanned 57882
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:51:10

File name Threat name Threats count
C:\Documents and Settings\User_2\DoctorWeb\Quarantine\11D2587F Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d 1
The selected area was scanned.

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 03 March 2009 - 01:12 PM

That's fine.

What problems do you still have? I will analyze the log once I come back but I would like you to tell me if anything is still not working properly on your computer relating to malware. Anything would be helpful, if not that's fine and we will do a final checkup.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 NorCalJim

NorCalJim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 03 March 2009 - 01:34 PM

I am not noting any obvious at the moment. I haven't detected any trojans or viruses in several days now. Browsers seem to working okay and I am able to get updates without any problem. I reinstalled spybot and that seems to be working okay as well. It would not open at all before. I have so many security programs on there now I am a little concerned that they might start interfereing with each other. If you have any recommendations on what to keep and what to dump I would appreciate it. Other than that I am just hoping to confirm that I don't have any other hidden malware or ? waiting to spring into destructive action. Thanks

jim

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 03 March 2009 - 03:34 PM

Hello.

Yes, I do indeed see a lot of security programs you have installed. From the tools you have installed it will NOT conflict with any of them, so you are fine. However, do not scan with them at the same time. Run them separately if you are going to scan your system. To me, I think have 2 real-time protection is a waste of resources and space. You could either remove Spybot or ad-aware or remove one of their real-time protection as that's not necessary. MBAM is a very good anti-malware scanner, so keeping a program like that without real-time protection is worthwhile. If you want real-time protection then you will need to buy their product. If you do wish to buy it, having spybot's real-time is not necessary. Having a real-time protection on your Anti-Virus program and your anti-spyware program is enough :)

Please remove everything that was quarantined by DoctorWeb:

C:\Documents and Settings\User_2\DoctorWeb\Quarantine<- Delete everything in this folder

Empty your Recycling bin afterwards

Those log looks clean so let's wrap up then. No need to spring into any destructive action when your log is fine :step1:



Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :)

Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


Congratulations! You now appear clean! :step5: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 NorCalJim

NorCalJim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 03 March 2009 - 04:13 PM

I am so grateful to you and the Bleeping Computer website. You have helped me tremendously. I was ready to bury my computer. I will definately tell other about my experience here. You guys rock!!

This topic, crossing my fingers, is resolved. Thanks again.

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 03 March 2009 - 04:19 PM

You're welcome.

Glad I was able to help. Happy surfing and good luck in the future! :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:28 AM

Posted 03 March 2009 - 04:22 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users