Computer infected by windows defender


This topic is locked. 38 replies to this topic.

#1 firefightertom

  • Members
  • 33 posts
  • Gender: Male
  • Location: Springfield Illinois

Posted 31 May 2011 - 02:08 PM

I think the virus was removed using Avast and Malwarebytes. Now all sorts of crazy things are going on. When I go to Start, Programs, it said empty. I did reload a couple of programs and they show up, but the rest are hidden. I can find them by going to My Computer and searching. Also, most of my desktop icons are transparent (the icon itself, not the name underneath). Also, if I double-click an icon it defaults to search; to open most I have to right-click and hit Open. I am a little computer savvy, but this has me scratching my head. Please help.

Attached files: ark.txt (134.83KB), attach.txt (15.37KB), dds.txt (13.01KB)

#2 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender: Male
  • Location: Antarctica

Posted 09 June 2011 - 11:24 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Please download UnHide.exe by Grinler.

It will unhide folders/files that were set to be hidden by the infection you had.



NEXT:



Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 firefightertom (Topic Starter)

Posted 10 June 2011 - 01:45 PM

Thanks S.T. You have definitely got me on the right track. The desktop icons and folders look good. The programs are back in the Start menu, but when I slide my cursor over them many say empty. Hoping that a look at my posted logs may reveal a simple fix. Thanks, Tom. Look forward to hearing from you.

Attached Files



#4 SweetTech (Agent ST)

Posted 10 June 2011 - 01:50 PM

Hi Tom!

When posting future logs please note the following from my Intro Speech;

Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O33 - MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\Shell - "" = AutoRun
    O33 - MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\Shell\AutoRun\command - "" = G:\Imageviewer.exe
    O33 - MountPoints2\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\Shell - "" = AutoRun
    O33 - MountPoints2\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\Shell\AutoRun\command - "" = G:\Autorun\Autorun.exe
    O33 - MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\Shell - "" = AutoRun
    O33 - MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
    O37 - HKU\S-1-5-21-1343024091-484763869-725345543-1004\...exe [@ = exefile] -- Reg Error: Key error. File not found
    [2011/05/23 23:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Windows XP Recovery
    [2011/05/24 05:47:17 | 000,000,120 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16637732
    [2011/05/24 05:47:16 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~16637732r
    [2011/05/23 23:07:18 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\16637732
    [2011/05/23 23:15:50 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~16637732r
    [2011/05/23 23:07:41 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~16637732
    [2011/05/23 23:07:18 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\16637732
    [2011/05/08 09:07:02 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17948452r
    [2011/05/08 09:07:01 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17948452
    [2011/05/08 09:04:55 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17948452
    [2011/05/07 10:05:19 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~19586852
    [2011/05/07 10:05:19 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~19586852r
    [2011/05/07 10:03:54 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\19586852
    [2010/02/24 14:28:19 | 000,013,136 | -HS- | C] () -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\u4i2Y4q7
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
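
The fix script above touches several distinct things at once: removable-drive AutoPlay handlers under MountPoints2 (O33), a per-user .exe file-association entry (O37), a rogue "Windows XP Recovery" Start Menu folder plus its numbered data files in All Users\Application Data, a hidden+system file, an alternate data stream on the TEMP folder, and a hosts-file reset. Before pressing Run Fix on someone else's machine it is worth seeing exactly what such a script will act on. The following is an added example, not OTL's own code and not something posted in the thread: a small Python parser for the line formats OTL uses in a fix script (the O-code lines, the bracketed "[date | size | attrs | C] -- path" file entries, @Alternate Data Stream lines, and the :Files / :Commands sections). The embedded FIX_SCRIPT is a constructed subset of the fix in this reply; the report field names and the wording in findings() are my own.

```python
"""Pre-review an OTL fix script: list the persistence points and files it will touch.
Added example (not OTL's own code); the sample is a constructed subset of the fix posted above."""
import re
from collections import defaultdict

FIX_SCRIPT = r"""
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O33 - MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\Shell - "" = AutoRun
O33 - MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\Shell\AutoRun\command - "" = G:\Imageviewer.exe
O33 - MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\Shell - "" = AutoRun
O33 - MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O37 - HKU\S-1-5-21-1343024091-484763869-725345543-1004\...exe [@ = exefile] -- Reg Error: Key error. File not found
[2011/05/23 23:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Windows XP Recovery
[2011/05/23 23:07:18 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\16637732
[2010/02/24 14:28:19 | 000,013,136 | -HS- | C] () -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\u4i2Y4q7
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
:Files
ipconfig /flushdns /c
:Commands
[resethosts]
[CreateRestorePoint]
"""

SECTION_RE = re.compile(r"^:(\w+)$")
OLINE_RE = re.compile(r"^O(?P<code>\d+) - (?P<body>.*)$")
MOUNTPOINT_RE = re.compile(r'^MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\(?P<subkey>\S+) - "" = (?P<value>.*)$')
# OTL file entries: [date time | size | attrs (R,H,S,D) | C=created/M=modified] -- path
FILE_RE = re.compile(r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<cm>[CM])\](?: \(\))? -- (?P<path>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
COMMAND_RE = re.compile(r"^\[(\w+)\]$")


def _parse_otl_line(line, report):
    """Classify one line of the :OTL section into the report."""
    m = OLINE_RE.match(line)
    if m:
        code, body = int(m.group("code")), m.group("body")
        if code == 2:
            report["bho"].append(body)                      # browser helper object
        elif code == 16:
            report["dpf"].append(body)                      # downloaded ActiveX control
        elif code == 33 and (mp := MOUNTPOINT_RE.match(body)):
            entry = report["autorun"][mp.group("guid")]     # one entry per removable device
            entry.setdefault("subkeys", []).append(mp.group("subkey"))
            if mp.group("subkey").lower().endswith(r"\command"):
                entry["command"] = mp.group("value")        # what AutoPlay would execute
        elif code == 37:
            report["exe_association"].append(body)          # per-user .exe handler hijack
        else:
            report["unparsed"].append(line)
        return
    m = FILE_RE.match(line)
    if m:
        attrs = m.group("attrs")
        report["files"].append({
            "path": m.group("path"), "size": int(m.group("size").replace(",", "")),
            "hidden": "H" in attrs, "system": "S" in attrs, "directory": "D" in attrs,
            "event": "created" if m.group("cm") == "C" else "modified"})
        return
    m = ADS_RE.match(line)
    if m:
        host, _, stream = m.group("path").rpartition(":")   # split "file:stream"
        report["ads"].append({"host": host, "stream": stream, "size": int(m.group("size"))})
        return
    report["unparsed"].append(line)


def parse_fix_script(text):
    """Walk the :Section headers and return a dict describing everything the fix will touch."""
    report = {"bho": [], "dpf": [], "exe_association": [], "autorun": defaultdict(dict),
              "files": [], "ads": [], "file_commands": [], "commands": [], "unparsed": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1).lower()
        elif section == "otl":
            _parse_otl_line(line, report)
        elif section == "files":
            report["file_commands"].append(line)            # lines here run as shell commands
        elif section == "commands" and (m := COMMAND_RE.match(line)):
            report["commands"].append(m.group(1))
        else:
            report["unparsed"].append(line)
    report["autorun"] = dict(report["autorun"])
    return report


def findings(report):
    """Human-readable list of the security-relevant items, for review before pressing Run Fix."""
    out = [f"removable-drive autorun for {{{g}}}: {e.get('command', '(no command key)')}"
           for g, e in report["autorun"].items()]
    out += [f"per-user .exe association hijack: {b}" for b in report["exe_association"]]
    out += [f"hidden+system file ({f['size']} bytes): {f['path']}"
            for f in report["files"] if f["hidden"] and f["system"]]
    out += [f"alternate data stream {a['stream']} ({a['size']} bytes) on {a['host']}" for a in report["ads"]]
    if "resethosts" in report["commands"]:
        out.append("hosts file will be reset to default")
    return out


if __name__ == "__main__":
    for item in findings(parse_fix_script(FIX_SCRIPT)):
        print(item)
```

Run as a script it prints the findings: the O33 entries resolve to two removable-device AutoPlay commands (G:\Imageviewer.exe and H:\LaunchU3.exe -a), the O37 line is the per-user .exe handler entry in that account's HKU hive, which is what makes double-clicking an icon open Search instead of the program, and the -HS- entry is the one hidden+system file. OTL lists each of the ~16637732-style files twice (once under its created and once under its modified timestamp), so the second copy of each is expected to come back "not found" in the result log; the entries to re-check are any other "not found" lines.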


#5 firefightertom (Topic Starter)

Posted 10 June 2011 - 03:33 PM

Sorry about the attachment earlier. Here are the logs:
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Starting removal of ActiveX control {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1007\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1007\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1007\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1007\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0648b52b-1f0e-11de-b7ac-00c0a8801a53}\ not found.
File G:\Imageviewer.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64e9b2b6-815d-11e0-9cc0-00c0a8801a53}\ not found.
File G:\Autorun\Autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6af0066-2662-11df-b7f4-00c0a8801a53}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6af0066-2662-11df-b7f4-00c0a8801a53}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6af0066-2662-11df-b7f4-00c0a8801a53}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f6af0066-2662-11df-b7f4-00c0a8801a53}\ not found.
File H:\LaunchU3.exe -a not found.
Registry key HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1004_Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1004_Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Windows XP Recovery folder moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732 moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732r moved successfully.
C:\Documents and Settings\All Users\Application Data\16637732 moved successfully.
File C:\Documents and Settings\All Users\Application Data\~16637732r not found.
File C:\Documents and Settings\All Users\Application Data\~16637732 not found.
File C:\Documents and Settings\All Users\Application Data\16637732 not found.
C:\Documents and Settings\All Users\Application Data\~17948452r moved successfully.
C:\Documents and Settings\All Users\Application Data\~17948452 moved successfully.
C:\Documents and Settings\All Users\Application Data\17948452 moved successfully.
C:\Documents and Settings\All Users\Application Data\~19586852 moved successfully.
C:\Documents and Settings\All Users\Application Data\~19586852r moved successfully.
C:\Documents and Settings\All Users\Application Data\19586852 moved successfully.
C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\u4i2Y4q7 moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal\cmd.bat deleted successfully.
C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (56029978680098816)

OTL by OldTimer - Version 3.2.23.0 log created on 06102011_142808




ComboFix 11-06-10.05 - The Dodd Family 06/10/2011 14:46:31.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.542 [GMT -5:00]
Running from: c:\documents and settings\The Dodd Family\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\The Dodd Family\WINDOWS
c:\windows\system\REGSVR32.EXE
c:\windows\system32\service
c:\windows\system32\service\03102010_TIS17_SfFniAU.log
c:\windows\system32\service\19082009_TIS17_SfFniAU.log
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-10 19:28 . 2011-06-10 19:28 -------- d-----w- C:\_OTL
2011-06-10 18:21 . 2011-06-10 18:21 -------- d-----w- c:\documents and settings\Dodd Family\Local Settings\Application Data\ArcSoft
2011-06-10 18:21 . 2011-06-10 18:21 -------- d-----w- c:\documents and settings\Dodd Family\Local Settings\Application Data\Ahead
2011-06-10 18:20 . 2011-06-10 18:21 -------- d-----w- c:\documents and settings\Dodd Family\Application Data\ArcSoft
2011-05-31 03:58 . 2011-06-08 19:55 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\XnView
2011-05-31 03:20 . 2011-05-31 03:20 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\RegistryKeys
2011-05-31 03:20 . 2011-05-31 03:35 -------- d-----w- c:\program files\PC Ultra Speed
2011-05-31 03:01 . 2011-05-31 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2011-05-25 20:13 . 2011-05-25 20:13 -------- d-----w- c:\documents and settings\The Dodd Family\Local Settings\Application Data\KodakGallery
2011-05-25 20:12 . 2011-05-25 20:12 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\Skinux
2011-05-25 20:08 . 2011-05-25 20:08 -------- d-----w- c:\documents and settings\The Dodd Family\Local Settings\Application Data\ArcSoft
2011-05-25 20:08 . 2011-05-25 20:08 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\Arcsoft
2011-05-25 20:08 . 2011-06-10 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2011-05-25 20:07 . 2011-05-25 20:07 -------- d-----w- c:\program files\Common Files\ArcSoft
2011-05-25 20:07 . 2011-05-25 20:07 -------- d-----w- c:\program files\ArcSoft
2011-05-25 19:59 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2011-05-25 19:59 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2011-05-25 19:59 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2011-05-25 19:59 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2011-05-25 19:57 . 2011-05-25 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2011-05-25 19:49 . 2011-05-25 19:51 -------- d-----w- c:\windows\BWKDLogs
2011-05-25 19:48 . 2011-05-25 19:48 -------- d-----w- C:\KPCMS
2011-05-25 19:48 . 2001-07-18 21:25 86016 ----a-w- c:\windows\system32\PrintAPI.dll
2011-05-25 19:48 . 2000-09-08 18:53 73839 ----a-w- c:\windows\system32\KodakOneTouch.dll
2011-05-25 19:48 . 2000-04-14 15:24 133120 ----a-w- c:\windows\system32\sprof32.dll
2011-05-25 19:48 . 2000-04-14 15:23 37376 ----a-w- c:\windows\system32\kpsys32.dll
2011-05-25 19:48 . 2000-04-14 15:23 197632 ----a-w- c:\windows\system32\kpcp32.dll
2011-05-25 19:48 . 2000-04-14 15:23 19456 ----a-w- c:\windows\system32\kcm2sp.dll
2011-05-25 19:48 . 2011-05-25 19:48 -------- d-----w- c:\windows\system32\color
2011-05-25 06:35 . 2011-05-25 06:35 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\Webshots
2011-05-25 06:35 . 2011-05-25 21:13 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\AGI
2011-05-25 06:35 . 2011-05-25 06:35 -------- d-----w- c:\program files\AGI
2011-05-25 06:31 . 2011-05-25 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\agi
2011-05-19 16:43 . 2011-05-19 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2011-05-19 02:33 . 2011-05-19 02:33 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\Logitech
2011-05-19 02:32 . 2011-05-19 02:32 -------- d-----w- c:\program files\Common Files\LogiShared
2011-05-19 02:29 . 2007-04-23 09:00 69632 ----a-w- c:\windows\system32\KemXML.dll
2011-05-19 02:29 . 2007-04-23 09:00 163840 ----a-w- c:\windows\system32\kemutb.dll
2011-05-19 02:29 . 2007-04-23 09:00 135168 ----a-w- c:\windows\system32\KemUtil.dll
2011-05-19 02:29 . 2007-04-23 09:00 110592 ----a-w- c:\windows\system32\KemWnd.dll
2011-05-19 02:29 . 2011-05-19 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2011-05-19 02:29 . 2011-05-19 02:29 -------- d-----w- c:\program files\Logitech
2011-05-19 02:29 . 2011-05-19 02:30 -------- d-----w- c:\program files\Common Files\Logitech
2011-05-18 14:49 . 2011-05-18 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-05-18 14:49 . 2011-05-18 14:49 -------- d-----w- c:\program files\Nero
2011-05-18 14:40 . 2011-05-18 14:40 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-05-18 14:40 . 2011-05-18 14:40 -------- d-----w- c:\documents and settings\The Dodd Family\Application Data\DAEMON Tools
2011-05-18 03:10 . 2011-05-18 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2011-05-18 03:04 . 2011-05-18 03:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-12 18:55 . 2011-05-12 18:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-12 18:55 . 2011-05-12 18:55 -------- d-----r- c:\program files\Skype
2011-05-12 18:50 . 2011-05-12 19:07 -------- d-s---w- c:\documents and settings\Dodd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-25 19:49 . 2008-07-31 13:44 90112 ------r- c:\windows\bwUnin-6.1.2.93-7288971L.exe
2011-05-10 12:10 . 2011-02-23 13:57 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-02-23 13:57 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-29 14:52 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-02-23 13:57 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-02-23 13:57 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-02-23 13:57 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-02-23 13:57 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-02-23 13:57 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-02-23 13:57 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-02-23 13:57 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-25 13:54 . 2011-03-25 13:54 117752 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2011-03-15 13:46 . 2011-03-15 13:46 97648 ----a-w- c:\windows\system32\ElbyCDIO.dll
2008-11-11 23:32 318976 --sha-w- c:\windows\system32\22.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-03-18 297808]
.
[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-03-18 16:09 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 18:26 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2011-05-04 93816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-05-10 3459712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
.
c:\documents and settings\The Dodd Family\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\3.1.5.7619\Launcher.exe [2011-5-25 157088]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2011-5-25 16384]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/29/2011 9:52 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/23/2011 8:57 AM 307928]
R2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [5/25/2011 1:35 AM 20480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/23/2011 8:57 AM 19544]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [4/20/2011 6:20 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [4/20/2011 6:20 PM 545088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 mrtRate;mrtRate; [x]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [4/20/2011 6:20 PM 19232]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2011 9:40 AM 717296]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 13:20]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-17 13:20]
.
2011-06-10 c:\windows\Tasks\User_Feed_Synchronization-{6FB14E22-009A-43AF-BCAA-7C6726CE8DE7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 15:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-484763869-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{090AA22F-27A3-E86C-2009-166EFE7C1FB9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abljkoglabkmncbdbchiphkpebfgjhegee"=hex:61,61,00,00
"bbljkoglabkmncbdbcaionjbbfiamekjfhik"=hex:61,61,00,00
.
Completion time: 2011-06-10 15:18:43
ComboFix-quarantined-files.txt 2011-06-10 20:18
ComboFix2.txt 2011-02-20 05:57
.
Pre-Run: 101,023,498,240 bytes free
Post-Run: 101,082,316,800 bytes free
.
- - End Of File - - EFF6355F99611F9BC0DB44D83AF96288
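A helper reads a ComboFix log like the one above by eye, looking for a handful of tell-tale entries. The following Python script is an added example (not part of this thread and not ComboFix's own code) that parses lines of the same shape and flags the entries a reviewer checks first: a hidden+system .tmp file in system32 like the 22.tmp line, Security Center monitoring switched off, and the file-association command with an unbalanced quote. The sample log is excerpted from the posted log with shortened banners; the rules, field names and thresholds are the example's own.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# File lines come in two shapes, so the second timestamp is optional:
#   "<mtime> . <ctime> <size, or -------- for directories> <attrs> <path>"
#   "<mtime> <size> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$",
    re.IGNORECASE,
)
# Section banners look like "(((( Find3M Report ))))" or "------- File Associations -------".
BANNER = re.compile(r"^[(\-]+\s*(.*?)\s*[)\-]+$")


@dataclass
class Finding:
    rule: str
    line: str


def parse_file_line(line: str) -> Optional[Dict[str, object]]:
    """Fields of a file-listing line, or None if the line is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "modified": m.group("d1"),
        "created": m.group("d2"),                       # None in the one-date shape
        "size": int(size) if size.isdigit() else None,  # None for directories
        "attrs": m.group("attrs").lower(),
        "path": m.group("path"),
    }


def triage(log_text: str) -> List[Finding]:
    """Walk a log excerpt, tracking section and registry key, and collect findings."""
    findings: List[Finding] = []
    section = ""
    reg_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER.match(line)
        if banner and banner.group(1):
            section, reg_key = banner.group(1).lower(), ""
            continue
        if line.startswith("[") and line.endswith("]"):
            reg_key = line[1:-1].lower()   # key header in the loading-points section
            continue
        entry = parse_file_line(line)
        if entry:
            attrs, path = str(entry["attrs"]), str(entry["path"]).lower()
            in_system32 = "\\system32\\" in path
            # A hidden+system non-directory inside system32 is rare for legitimate software.
            if in_system32 and not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden+system file in system32", line))
            if in_system32 and path.endswith(".tmp"):
                findings.append(Finding(".tmp file in system32", line))
            continue
        # Security Center monitoring switched off: some AV suites do this, but so does malware.
        if "security center\\monitoring" in reg_key and re.fullmatch(
            r'"disablemonitoring"=dword:0*1', line, re.IGNORECASE
        ):
            findings.append(Finding("Security Center monitoring disabled", reg_key))
            continue
        # An odd number of quotes in an association command means it was edited or corrupted.
        if section == "file associations" and "=" in line and line.count('"') % 2 == 1:
            findings.append(Finding("unbalanced quotes in file association", line))
    return findings


# Excerpted from the posted ComboFix log (banners shortened).
SAMPLE_LOG = r"""
(((((((((((((((((((( Find3M Report ))))))))))))))))))))
.
2011-05-25 19:49 . 2008-07-31 13:44 90112 ------r- c:\windows\bwUnin-6.1.2.93-7288971L.exe
2011-05-10 12:10 . 2011-02-23 13:57 40112 ----a-w- c:\windows\avastSS.scr
2008-11-11 23:32 318976 --sha-w- c:\windows\system32\22.tmp
.
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run it against the whole posted log and the same four kinds of finding come out, plus nothing for the ordinary driver and program-file entries; the point of tracking the current registry key is that the DisableMonitoring value on its own is meaningless, it only matters under the Security Center keys.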

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:00 AM

Posted 10 June 2011 - 03:35 PM

Hi!

No worries!

Please run through these scans and let me know how things are running in your next reply.


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:


Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 firefightertom

firefightertom
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Gender:Male
  • Location:Springfield Illinois
  • Local time:10:00 AM

Posted 11 June 2011 - 09:11 AM

Eset took a long time to run but found 1 trojan. I think we're getting closer.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6832

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/10/2011 5:16:47 PM
mbam-log-2011-06-10 (17-16-46).txt

Scan type: Quick scan
Objects scanned: 189934
Time elapsed: 14 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


C:\Documents and Settings\The Dodd Family\Application Data\Sun\Java\Deployment\cache\6.0\31\377111f-134988f5 a variant of Java/Agent.AR trojan


Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 11
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.2.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
``````````End of Log````````````

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:11:00 AM

Posted 11 June 2011 - 09:35 AM

Hi!

Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<. Foxit Reader has fewer add-ons and therefore loads more quickly.



NEXT:



Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Documents and Settings\The Dodd Family\Application Data\Sun\Java\Deployment\cache\6.0\31\377111f-134988f5
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
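The OTL fix above includes [resethosts], which replaces the HOSTS file wholesale. As an added example (not from this thread and not OTL's code), the following Python script audits a HOSTS file first, so a reviewer can see what was overriding name resolution before it is reset: it flags non-loopback mappings, overrides of vendor and update domains, entries pushed below a long run of blank lines so they escape a casual look, and malformed lines. The watch-list, the 20-line threshold and the sample file are constructed for illustration.

```python
"""Audit a Windows HOSTS file before resetting it (added example, not OTL's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# The only mappings a stock Windows HOSTS file carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Vendor/update domains whose override is a classic infection indicator
# (constructed, illustrative list; extend it from your own environment).
WATCHLIST_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com",
                      "malwarebytes.org", "eset.com")
# Entries below this many blank lines are treated as deliberately hidden (constructed threshold).
BLANK_RUN_THRESHOLD = 20


@dataclass
class HostsFinding:
    lineno: int
    reason: str
    text: str


def audit_hosts(text: str) -> List[HostsFinding]:
    """Return one finding per suspicious observation, in file order."""
    findings: List[HostsFinding] = []
    blank_run = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            blank_run += 1
            continue
        gap_before = blank_run >= BLANK_RUN_THRESHOLD
        blank_run = 0
        if stripped.startswith("#"):
            continue
        parts = stripped.split("#", 1)[0].split()   # drop a trailing comment
        if len(parts) < 2:
            findings.append(HostsFinding(lineno, "malformed entry", stripped))
            continue
        addr_text, names = parts[0], [n.lower() for n in parts[1:]]
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append(HostsFinding(lineno, "invalid address", stripped))
            continue
        non_default = [n for n in names if (addr_text, n) not in DEFAULT_ENTRIES]
        if not non_default:
            continue
        if gap_before:
            findings.append(HostsFinding(lineno, "entry hidden below a long run of blank lines", stripped))
        for name in non_default:
            # Any override of a security or update vendor is reported, even one to loopback,
            # because blocking those sites is how malware keeps itself from being cleaned.
            if any(name == s or name.endswith("." + s) for s in WATCHLIST_SUFFIXES):
                findings.append(HostsFinding(lineno, "security/update domain overridden", stripped))
            elif not addr.is_loopback:
                findings.append(HostsFinding(lineno, "non-loopback mapping", stripped))
    return findings


# Constructed sample: the stock header, then entries hidden under 40 blank lines.
# 198.51.100.23 is a documentation address; the host names are placeholders.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "\n"
    "127.0.0.1       localhost\n"
    + "\n" * 40
    + "127.0.0.1 www.malwarebytes.org   # vendor site silently blocked\n"
    "198.51.100.23 update.example.com\n"
    "not-an-ip broken.example\n"
)

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.reason}: {f.text}")
```

On a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts` and keep the output with the rest of the logs; an empty result on the stock file is the expected baseline, and anything reported is worth a note before [resethosts] discards the evidence.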


#9 firefightertom

firefightertom
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Gender:Male
  • Location:Springfield Illinois
  • Local time:10:00 AM

Posted 11 June 2011 - 12:09 PM

All that I can tell is still acting funny is when I click on desktop folders to open them, and some other files, I get the "What program would you like to use to open this file" question instead of it just opening. If I left click and hit open, they open fine. How do I get Windows to open them by default?

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\The Dodd Family\Application Data\Sun\Java\Deployment\cache\6.0\31\377111f-134988f5 moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal\cmd.bat deleted successfully.
C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56466 bytes

User: Dodd
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Dodd Family
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: The Dodd Family
->Temp folder emptied: 147381 bytes
->Temporary Internet Files folder emptied: 26632843 bytes
->Java cache emptied: 461 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2287 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1268584 bytes
%systemroot%\System32 .tmp files removed: 3182609 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 159972 bytes
RecycleBin emptied: 1077683 bytes

Total Files Cleaned = 31.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Dodd
->Flash cache emptied: 0 bytes

User: Dodd Family
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: The Dodd Family
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 06112011_113646

Files\Folders moved on Reboot...
C:\Documents and Settings\The Dodd Family\Local Settings\Temporary Internet Files\Content.IE5\TL0IF740\page__pid__2287530[1].htm moved successfully.
C:\Documents and Settings\The Dodd Family\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\The Dodd Family\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
C:\WINDOWS\temp\_avast_\Webshlock.txt moved successfully.

Registry entries deleted on Reboot...



OTL logfile created on: 6/11/2011 11:50:35 AM - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.80 Mb Total Physical Memory | 570.75 Mb Available Physical Memory | 55.80% Memory free
2.03 Gb Paging File | 1.73 Gb Available in Paging File | 85.06% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 93.53 Gb Free Space | 73.08% Space Free | Partition Type: NTFS
Drive D: | 170.10 Gb Total Space | 118.46 Gb Free Space | 69.64% Space Free | Partition Type: NTFS
Drive E: | 189.92 Gb Total Space | 31.78 Gb Free Space | 16.73% Space Free | Partition Type: NTFS

Computer Name: DODD-NETWORK | User Name: The Dodd Family | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/10 09:37:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal\OTL.exe
PRC - [2011/05/25 14:49:23 | 000,016,384 | ---- | M] () -- C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
PRC - [2011/05/10 07:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/05/04 02:40:15 | 004,980,344 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2011/03/15 14:44:30 | 000,428,384 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
PRC - [2011/03/15 14:44:28 | 000,650,080 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
PRC - [2010/07/27 00:01:58 | 003,474,848 | ---- | M] (Webshots.com) -- C:\Program Files\Webshots\3.1.5.7619\Webshots.scr
PRC - [2010/06/29 08:04:18 | 000,020,480 | ---- | M] (AG Interactive) -- C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2008/07/14 14:43:04 | 000,069,632 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/11 17:34:48 | 003,746,856 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
PRC - [2003/05/05 20:30:22 | 000,065,536 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\Brmfrmps.exe


========== Modules (SafeList) ==========

MOD - [2011/06/10 09:37:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal\OTL.exe
MOD - [2011/05/25 14:49:22 | 000,024,576 | ---- | M] (BackWeb) -- C:\Documents and Settings\The Dodd Family\Local Settings\temp\IadHide3.dll
MOD - [2011/05/10 07:10:55 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
MOD - [2011/04/18 11:10:29 | 000,130,680 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\ADvdDiscHlp.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/03/15 14:44:30 | 000,428,384 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe -- (PMBDeviceInfoProvider)
SRV - [2010/06/29 08:04:18 | 000,020,480 | ---- | M] (AG Interactive) [Auto | Running] -- C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe -- (AGCoreService)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2008/07/14 14:43:04 | 000,069,632 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)
SRV - [2003/05/05 20:30:22 | 000,065,536 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Brmfrmps.exe -- (brmfrmps)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 09:40:26 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2011/05/10 07:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/05/10 07:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/05/10 07:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/05/10 07:02:25 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/05/10 06:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/05/10 06:59:37 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/05/10 06:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/03/25 08:54:31 | 000,117,752 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2008/09/26 10:53:00 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/09/26 10:53:00 | 000,028,816 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/09/26 10:52:00 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/06/12 12:27:00 | 000,011,776 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pdiddcci.sys -- (pdiddcci)
DRV - [2007/04/11 15:33:06 | 000,079,376 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2007/04/11 15:32:38 | 000,063,248 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2007/04/11 15:32:30 | 000,020,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2006/11/16 18:20:48 | 000,015,920 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PdiPorts.sys -- (PdiPorts)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/04/03 11:51:15 | 000,545,088 | ---- | M] (Voyetra Turtle Beach) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbcwdm.sys -- (tbcwdm)
DRV - [2002/04/03 11:51:11 | 000,144,768 | ---- | M] (Voyetra Turtle Beach) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbcspud.sys -- (tbcspud)
DRV - [2002/03/21 19:44:32 | 000,019,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Turtle Beach\Santa Cruz\Control Panel\vtdg46xx.sys -- (vtdg46xx)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 08:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/07/25 18:58:28 | 000,584,336 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsf_cnxt.sys -- (winachsf)
DRV - [2001/07/18 20:07:00 | 000,080,449 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\spkpnt.sys -- (SpeakerPhone)
DRV - [2001/07/18 20:06:40 | 000,426,783 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2001/07/18 20:06:12 | 000,127,405 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2001/07/18 20:05:26 | 000,217,019 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2001/07/18 20:04:26 | 000,056,607 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2001/07/18 20:04:04 | 000,310,899 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)
DRV - [2001/07/18 20:01:56 | 000,077,426 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\basic2.sys -- (basic2)
DRV - [2001/07/18 20:01:38 | 000,067,654 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2001/07/18 20:01:20 | 000,534,125 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v124nt.sys -- (V124)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2011/06/11 11:37:03 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe (Sony Corporation)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe ()
O4 - Startup: C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Startup\Webshots.lnk = C:\Program Files\Webshots\3.1.5.7619\Launcher.exe (Webshots.com)
O4 - Startup: C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Startup\Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9} (WebIQ Engine Application Object)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266345539953 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266345527140 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (GMNRev Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\The Dodd Family\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\The Dodd Family\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/18 17:22:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\WINDOWS\System32\alf2cd.acm (NCT Company)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.scg726 - C:\WINDOWS\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.dvsd - C:\WINDOWS\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/11 11:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/06/11 11:33:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/11 10:18:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/06/11 09:46:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\My Documents
[2011/06/10 21:01:33 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/06/10 15:42:07 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/10 14:35:37 | 004,119,014 | R--- | C] (Swearware) -- C:\Documents and Settings\The Dodd Family\Desktop\ComboFix.exe
[2011/06/10 14:28:08 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/08 14:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Desktop\graduation
[2011/06/07 09:37:18 | 000,000,000 | R--D | C] -- C:\Documents and Settings\The Dodd Family\Recent
[2011/05/30 22:58:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\XnView
[2011/05/30 22:20:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\RegistryKeys
[2011/05/30 22:20:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Ultra Speed
[2011/05/30 22:01:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/05/29 15:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Desktop\flag
[2011/05/27 21:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Desktop\valerie's bday
[2011/05/26 10:07:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Desktop\Virus Removal
[2011/05/25 18:30:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Desktop\P90X
[2011/05/25 15:13:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\KodakGallery
[2011/05/25 15:12:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\Skinux
[2011/05/25 15:08:32 | 000,000,000 | ---D | C] -- D:\My Print Creations
[2011/05/25 15:08:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\ArcSoft
[2011/05/25 15:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ArcSoft Connect
[2011/05/25 15:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\Arcsoft
[2011/05/25 15:08:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ArcSoft Print Creations
[2011/05/25 15:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2011/05/25 15:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2011/05/25 15:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\ArcSoft
[2011/05/25 14:57:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kodak
[2011/05/25 14:49:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\BWKDLogs
[2011/05/25 14:48:56 | 000,197,632 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\kpcp32.dll
[2011/05/25 14:48:56 | 000,133,120 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\sprof32.dll
[2011/05/25 14:48:56 | 000,086,016 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\PrintAPI.dll
[2011/05/25 14:48:56 | 000,037,376 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\kpsys32.dll
[2011/05/25 14:48:56 | 000,019,456 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\System32\kcm2sp.dll
[2011/05/25 14:48:56 | 000,000,000 | ---D | C] -- C:\KPCMS
[2011/05/25 14:48:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\color
[2011/05/25 01:35:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\Webshots
[2011/05/25 01:35:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\AGI
[2011/05/25 01:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\AGI
[2011/05/25 01:31:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\agi
[2011/05/22 08:55:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PMB
[2011/05/19 11:43:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2011/05/18 21:33:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\Logitech
[2011/05/18 21:32:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LogiShared
[2011/05/18 21:29:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Logitech
[2011/05/18 21:29:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Logitech
[2011/05/18 21:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\Logitech
[2011/05/18 21:29:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Logitech
[2011/05/18 09:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Essentials
[2011/05/18 09:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2011/05/18 09:49:28 | 000,000,000 | ---D | C] -- C:\Program Files\Nero
[2011/05/18 09:40:26 | 000,717,296 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2011/05/18 09:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\DAEMON Tools
[2011/05/17 22:20:54 | 000,000,000 | ---D | C] -- D:\Desktop
[2011/05/17 22:10:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2011/05/12 13:55:41 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2011/05/12 13:55:40 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/05/12 13:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Dodd Family\Application Data\Google
[3 D:\*.tmp files -> D:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/11 11:45:56 | 000,475,740 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/11 11:45:56 | 000,076,648 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/11 11:41:12 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/11 11:39:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/11 11:37:03 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/06/11 11:35:00 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/11 10:26:01 | 000,001,744 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/11 08:49:20 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6FB14E22-009A-43AF-BCAA-7C6726CE8DE7}.job
[2011/06/10 16:59:55 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/10 14:35:36 | 004,119,014 | R--- | M] (Swearware) -- C:\Documents and Settings\The Dodd Family\Desktop\ComboFix.exe
[2011/06/10 14:06:28 | 000,000,133 | ---- | M] () -- C:\WINDOWS\QBWCD.INI
[2011/06/10 13:10:20 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\Microsoft Office Word 2003.lnk
[2011/06/10 13:09:36 | 000,002,323 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2011/06/10 12:54:49 | 000,000,787 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Startup\Webshots.lnk
[2011/06/07 09:36:03 | 000,000,145 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\default.pls
[2011/06/07 09:35:55 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/06/06 18:34:28 | 000,000,166 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2011/06/02 22:32:48 | 000,000,777 | ---- | M] () -- C:\WINDOWS\Brpfx04a.ini
[2011/05/31 10:51:03 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/05/30 21:41:58 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\defogger_reenable
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/25 15:12:54 | 000,027,648 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2011/05/25 15:12:36 | 000,003,072 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2011/05/25 14:52:39 | 000,001,033 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
[2011/05/25 14:49:22 | 000,090,112 | R--- | M] () -- C:\WINDOWS\bwUnin-6.1.2.93-7288971L.exe
[2011/05/25 14:47:15 | 000,001,559 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK Memory Albums.lnk
[2011/05/25 14:46:17 | 000,001,829 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK Picture Software.lnk
[2011/05/25 14:33:35 | 000,020,238 | ---- | M] () -- C:\logfile
[2011/05/25 02:10:49 | 000,000,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CloneDVD2.lnk
[2011/05/25 02:06:19 | 000,000,764 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AnyDVD.lnk
[2011/05/25 01:35:46 | 000,000,741 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\Webshots Desktop.lnk
[2011/05/22 12:31:59 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/19 11:48:43 | 000,285,550 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\dodd 2009.nri
[2011/05/19 11:48:04 | 000,320,992 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\dodd 2010.nri
[2011/05/19 11:36:02 | 002,890,718 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\Catherine at Bowling Alley.JPG
[2011/05/18 21:37:32 | 000,000,760 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Application Data\setup_ldm.iss
[2011/05/18 10:59:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/18 10:49:59 | 000,338,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/18 10:40:56 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/05/18 10:00:22 | 000,000,162 | ---- | M] () -- C:\WINDOWS\MicroCase.INI
[2011/05/18 09:24:42 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\Windows Media Player.lnk
[2011/05/18 00:33:38 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/05/17 23:37:31 | 000,000,806 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\Malwarebytes.lnk
[2011/05/12 14:04:42 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\The Dodd Family\Desktop\Internet Explorer.lnk
[3 D:\*.tmp files -> D:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/11 10:26:01 | 000,001,744 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/11 10:25:59 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/10 16:59:55 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/10 14:40:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/10 14:40:21 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/30 21:41:33 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\defogger_reenable
[2011/05/25 15:12:54 | 000,027,648 | R--- | C] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2011/05/25 15:12:54 | 000,003,072 | R--- | C] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2011/05/25 14:52:39 | 000,001,033 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
[2011/05/25 14:48:56 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[2011/05/25 14:47:15 | 000,001,559 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK Memory Albums.lnk
[2011/05/25 14:46:17 | 000,001,829 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK Picture Software.lnk
[2011/05/25 02:10:49 | 000,000,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CloneDVD2.lnk
[2011/05/25 02:06:19 | 000,000,764 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AnyDVD.lnk
[2011/05/25 01:48:56 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/05/25 01:35:46 | 000,000,741 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Desktop\Webshots Desktop.lnk
[2011/05/25 01:35:45 | 000,000,787 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Startup\Webshots.lnk
[2011/05/25 01:35:45 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Start Menu\Programs\Webshots Desktop.lnk
[2011/05/19 10:00:31 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Desktop\Malwarebytes.lnk
[2011/05/19 00:25:09 | 000,000,145 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\default.pls
[2011/05/19 00:21:31 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/05/18 21:37:32 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Application Data\setup_ldm.iss
[2011/05/18 10:39:33 | 000,002,497 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Desktop\Microsoft Office Word 2003.lnk
[2011/05/18 09:34:34 | 000,065,832 | ---- | C] () -- C:\WINDOWS\Santa Fe Stucco.bmp
[2011/05/18 09:34:34 | 000,026,680 | ---- | C] () -- C:\WINDOWS\River Sumida.bmp
[2011/05/18 09:34:34 | 000,017,362 | ---- | C] () -- C:\WINDOWS\Rhododendron.bmp
[2011/05/18 09:34:34 | 000,009,522 | ---- | C] () -- C:\WINDOWS\Zapotec.bmp
[2011/05/18 09:34:33 | 000,065,954 | ---- | C] () -- C:\WINDOWS\Prairie Wind.bmp
[2011/05/18 09:34:33 | 000,026,582 | ---- | C] () -- C:\WINDOWS\Greenstone.bmp
[2011/05/18 09:34:33 | 000,017,336 | ---- | C] () -- C:\WINDOWS\Gone Fishing.bmp
[2011/05/18 09:34:33 | 000,017,062 | ---- | C] () -- C:\WINDOWS\Coffee Bean.bmp
[2011/05/18 09:34:33 | 000,016,730 | ---- | C] () -- C:\WINDOWS\FeatherTexture.bmp
[2011/05/18 09:34:32 | 000,065,978 | ---- | C] () -- C:\WINDOWS\Soap Bubbles.bmp
[2011/05/18 09:34:32 | 000,001,272 | ---- | C] () -- C:\WINDOWS\Blue Lace 16.bmp
[2011/05/18 09:24:42 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Desktop\Windows Media Player.lnk
[2011/05/12 14:06:16 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Desktop\Internet Explorer.lnk
[2011/04/20 18:20:48 | 000,000,012 | ---- | C] () -- C:\WINDOWS\WinInit.INI
[2011/04/20 16:47:11 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/13 20:04:23 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/02/24 14:56:55 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\nvwrsda.dll
[2011/02/20 00:47:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/02/20 00:47:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/02/20 00:47:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/02/13 18:49:19 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\The Dodd Family\Local Settings\Application Data\housecall.guid.cache
[2010/12/28 19:21:07 | 000,315,278 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/01/08 18:07:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2009/12/27 18:24:42 | 000,069,608 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/06/14 20:52:58 | 000,000,162 | ---- | C] () -- C:\WINDOWS\MicroCase.INI
[2009/05/17 17:40:09 | 000,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2009/01/01 21:23:24 | 000,000,036 | ---- | C] () -- C:\WINDOWS\System32\swk.ini
[2008/12/09 19:43:45 | 000,091,520 | ---- | C] () -- C:\WINDOWS\System32\WebIQEngineSetup.exe
[2008/07/31 08:44:25 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.1.2.93-7288971L.exe
[2008/07/26 23:28:26 | 000,000,064 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2008/05/30 21:38:04 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/05/30 21:38:04 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/05/04 19:46:51 | 000,000,165 | ---- | C] () -- C:\WINDOWS\kodakPS.The Dodd Family.ini
[2008/05/03 21:30:25 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/04/27 12:53:30 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2008/04/27 12:53:24 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2008/04/25 15:42:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/04/23 11:44:02 | 000,000,030 | ---- | C] () -- C:\WINDOWS\INTURS.DAT
[2008/04/23 11:43:14 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2008/04/23 11:42:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2008/04/23 11:30:39 | 000,002,323 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/04/23 11:30:39 | 000,000,071 | ---- | C] () -- C:\WINDOWS\QFP.INI
[2008/04/23 11:30:38 | 000,000,947 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2008/04/23 11:30:34 | 000,207,872 | ---- | C] () -- C:\WINDOWS\System32\RDMWIN32.DLL
[2008/04/23 11:30:31 | 000,000,252 | ---- | C] () -- C:\WINDOWS\ADDRBOOK.INI
[2008/04/23 11:30:30 | 000,006,472 | ---- | C] () -- C:\WINDOWS\ICOADB32.DAT
[2008/04/23 10:38:28 | 000,000,166 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/04/23 09:43:33 | 000,001,380 | ---- | C] () -- C:\WINDOWS\QfnOnl.ini
[2008/04/23 09:43:33 | 000,000,133 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2008/04/23 09:43:24 | 000,008,724 | ---- | C] () -- C:\WINDOWS\QFNOAD16.DAT
[2008/04/23 09:43:24 | 000,000,362 | ---- | C] () -- C:\WINDOWS\QDQICK.INI
[2008/04/23 09:43:24 | 000,000,021 | ---- | C] () -- C:\WINDOWS\QFNOA.INI
[2008/04/23 09:43:23 | 000,000,038 | ---- | C] () -- C:\WINDOWS\ACCWIZ.INI
[2008/04/22 22:18:55 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2008/04/22 17:39:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2008/04/22 17:27:57 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2008/04/22 17:26:13 | 000,000,777 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2008/04/22 17:26:13 | 000,000,463 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2008/04/22 17:26:13 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2008/04/22 17:26:13 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2008/04/22 17:26:13 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRIDF04A.dat
[2008/04/19 19:42:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/04/19 19:34:35 | 000,000,020 | ---- | C] () -- C:\WINDOWS\InfModM.ini
[2008/04/19 19:31:21 | 000,057,344 | ---- | C] () -- C:\WINDOWS\uninstBVRP.dll
[2008/04/19 19:18:54 | 000,000,015 | ---- | C] () -- C:\WINDOWS\wgedit.ini
[2008/04/18 18:35:48 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/18 17:38:53 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2008/04/18 17:25:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/18 17:18:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/18 11:57:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/18 11:55:47 | 000,338,648 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/10/22 13:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/22 13:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2003/10/06 14:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,475,740 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,076,648 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2011/05/25 01:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\agi
[2011/02/23 08:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2008/04/27 12:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2008/12/24 11:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
[2011/05/30 22:01:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/05/19 11:43:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2011/01/19 21:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegWork
[2011/01/05 21:29:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2010/12/17 00:41:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2009/01/06 04:42:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/04/22 19:28:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/12/25 12:31:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/05/08 19:14:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\.BitTornado
[2011/05/25 16:13:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\AGI
[2011/04/19 16:25:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\AltrixSoft
[2008/06/01 17:28:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\AVSMedia
[2011/05/19 10:37:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\BitTorrent
[2008/11/05 15:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\ClickFreeBackup
[2009/09/26 19:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
[2011/05/18 09:40:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\DAEMON Tools
[2008/12/24 23:49:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\DisplayTune
[2011/02/24 16:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\ElevatedDiagnostics
[2010/12/28 11:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\GARMIN
[2011/01/05 20:27:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\Leadertech
[2008/04/22 23:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\LimeWire
[2008/07/26 13:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\MSNInstaller
[2008/05/02 20:39:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\Ofoto
[2011/05/30 22:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\RegistryKeys
[2011/05/25 15:12:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\Skinux
[2008/05/02 21:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\Snapfish
[2008/12/24 11:22:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\uTorrent
[2011/05/25 01:35:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\Webshots
[2008/11/29 14:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\Windows Search
[2011/06/08 14:55:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\The Dodd Family\Application Data\XnView
[2011/06/11 08:49:20 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6FB14E22-009A-43AF-BCAA-7C6726CE8DE7}.job

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/06/06 00:28:58 | 001,011,768 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/06/06 00:28:58 | 001,011,768 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/06/06 00:28:58 | 001,011,768 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/06/06 00:28:58 | 001,011,768 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/06/06 00:28:58 | 001,011,768 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/18 06:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/18 06:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/18 06:49:53 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 15:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 15:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-18 15:22:59

< >

< >

< >

< End of report >

#10 SweetTech

Posted 11 June 2011 - 12:25 PM

Hi!

All that I can tell is still acting funny is that when I click on desktop folders to open them, and some other files, I get the "What program would you like to use to open this file" question instead of it just opening. If I left click and hit Open, they open fine. How do I get Windows to open them by default?


When this box opens, there should be a way to click a box to set it so that it always opens that type of file that way.

Do you see this option?

We can also try this tool:

FixPolicies
Download FixPolicies.exe, a self-extracting ZIP archive, to your Desktop from here: http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new folder called FixPolicies.
  • Double-click to open the new folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.

Edited by SweetTech, 11 June 2011 - 12:27 PM.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
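The post above says FixPolicies re-enables Control Panel and the like by resetting registry policy keys, without listing them. The following PowerShell audit is an added example, not the FixPolicies tool or code from the post: it reports which of the documented Explorer/System restriction values are currently set on a machine; the list of value names it checks is an assumption.

```powershell
# Added example, not the FixPolicies tool: report Explorer/System policy values
# that, when set, disable Control Panel, Task Manager, Registry Editor and similar
# admin tools. Which names to check is an assumption drawn from Microsoft's
# documented policy value names, not from this thread.
$policyRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$restrictiveNames = @(
    'NoControlPanel', 'NoRun', 'NoFolderOptions', 'NoDesktop', 'NoViewContextMenu',
    'NoSetTaskbar', 'DisableTaskMgr', 'DisableRegistryTools', 'NoDispCPL'
)

function Get-RestrictivePolicy {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Get-Item $root
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            # A non-zero DWORD means the restriction is active.
            if (($restrictiveNames -contains $name) -and ($value -ne 0)) {
                New-Object PSObject -Property @{ Key = $root; Name = $name; Value = $value }
            }
        }
    }
}

$found = @(Get-RestrictivePolicy)
if ($found.Count -eq 0) {
    Write-Host 'No restrictive Explorer/System policy values are set.'
} else {
    $found | Format-Table Key, Name, Value -AutoSize
    # Clearing a value re-enables the feature only until the infection rewrites
    # it, which is why the post says the permanent fix is removing the malware.
    # Uncomment to clear the values found:
    # $found | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
}
```

Run it from an elevated PowerShell prompt; the HKLM keys are readable by any user, but clearing them requires administrator rights.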


#11 firefightertom

Posted 11 June 2011 - 02:10 PM

I tried the fix policies, but it didn't work. I guess I'm still infected. I'll stand by for your next post.

#12 SweetTech

Posted 11 June 2011 - 02:25 PM

You may want to try this: http://support.microsoft.com/mats/system_maintenance_for_windows



#13 SweetTech

Posted 14 June 2011 - 01:04 PM

Hi!

It's been several days since I last posted instructions for you to complete. Do you still require assistance in getting your computer cleaned up?

Please Note: Unless notified in advance, threads with no response in 3 days get closed.

Thanks,
SweetTech.



#14 firefightertom

Posted 15 June 2011 - 02:02 AM

I think so. The problems I'm still having are: #1, I have to open programs by right-clicking and then clicking Open. #2, (almost) all of the icons seem to be generic instead of program-specific. #3, several of the programs that can be found by searching through My Computer, then the specific drive, say the program is empty if you look for them by going to Start, Programs, and then that program.

#15 SweetTech

Posted 15 June 2011 - 03:14 PM

The problems I'm still having are: #1, I have to open programs by right-clicking and then clicking Open.

Take a screenshot of what happens when you double click on an icon to run it.

#2, (almost) all of the icons seem to be generic instead of program-specific.

Take a screenshot of this.

Please take a screenshot of that window.
  • You can do this by pressing the PrintScreen key.
  • Then go to Start > All Programs > Accessories > Paint
  • In Paint, go up to Edit > Paste
  • Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name it what you want, and save it where you want.
  • Then click Reply in this topic.
  • Scroll down to Attachments.
  • Click the Browse button.
  • Locate the file you just saved, click on it, then click Open.
  • Click Upload and submit the reply.


----------

Several of the programs that can be found by searching through My Computer, then the specific drive, say the program is empty if you look for them by going to Start, Programs, and then that program.

See the following:

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
For any other missing program shortcuts, you will probably need to reinstall the application or manually create new shortcuts.


To manually recreate "All Programs" entries, follow these steps...

  • Download App Paths
  • Double click on AppPaths.exe to run the program.
  • Keep the program open.

In this example I'll recreate an entry for the Avast antivirus program.
  • Go to Start > All Programs.
  • Right-click on the Avast entry, click "Properties".

Posted Image
NOTE: Make sure you right-click on the Avast program, NOT on the Avast folder.

  • You'll see this window:

Posted Image

Due to the damage caused by the infection, you'll find the "Target" box empty.

  • Go back to the AppPaths window and find the Avast entry.
  • Right-click on the Avast line, click "Edit".
  • A pop-up window will open:

Posted Image

  • Highlight everything in the "Path" box, right-click on it, click "Copy".
  • Go back to the Avast "Properties" window, right-click inside the "Target" box, click "Paste".
  • IMPORTANT! Add quotation marks at the beginning of the path and at the end.
  • Click OK and you're done.

Posted Image


In case the program's link shows as (empty):

Posted Image

  • Open Windows Explorer, navigate to the Avast folder in Program Files.
  • Right-click on the Avast ".exe" file, click "Create shortcut":

Posted Image

  • Copy that shortcut, go back to the Start menu.
  • Right-click on avast! Free Antivirus, click "Paste".
  • You'll see the Avast shortcut recreated, replacing the (empty) entry.

Alternatively, you can paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast


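The App Paths lookup and shortcut repair described in the post above, as an added PowerShell example that is not the AppPaths tool or the post's own procedure: it finds Start Menu shortcuts whose Target is blank, looks the program up in the App Paths registry key, and writes the target back. It assumes WScript.Shell for reading and writing .lnk files, and the word-matching used to pair a shortcut name with an App Paths entry is an assumed heuristic.

```powershell
# Added example, not the AppPaths tool or the thread's own steps: list Start Menu
# shortcuts whose Target is blank or points at a missing file and look up a
# candidate exe in the App Paths registry key (the key the thread copies the Path
# from by hand). Pairing a word of the shortcut name with an App Paths exe name is
# an assumed heuristic: review the report; nothing is written without -Repair.
param([switch]$Repair)
$shell = New-Object -ComObject WScript.Shell
$startMenus = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs"                # XP, all users
    "$env:USERPROFILE\Start Menu\Programs"                    # XP, current user
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"  # Vista/7, all users
) | Where-Object { Test-Path $_ }

# App Paths maps an exe name such as avastui.exe to its full path, machine-wide.
$appPaths = @{}
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths' |
    ForEach-Object {
        $default = $_.GetValue('')          # (Default) value holds the exe path
        if ($default) { $appPaths[$_.PSChildName] = $default.Trim('"') }
    }

function Find-BrokenShortcut {
    foreach ($dir in $startMenus) {
        foreach ($file in Get-ChildItem $dir -Recurse -Filter *.lnk) {
            $lnk = $shell.CreateShortcut($file.FullName)
            if ($lnk.TargetPath -and (Test-Path $lnk.TargetPath)) { continue }
            # Blank Target is the damage the thread describes; pair the shortcut
            # name ("avast! Free Antivirus") with an App Paths exe ("avastui.exe").
            $candidate = $null
            $words = $file.BaseName -split '[^A-Za-z0-9]+' | Where-Object { $_.Length -ge 4 }
            foreach ($word in $words) {
                $hit = $appPaths.Keys | Where-Object { $_ -like "*$word*" } | Select-Object -First 1
                if ($hit) { $candidate = $appPaths[$hit]; break }
            }
            New-Object PSObject -Property @{
                Shortcut = $file.FullName; OldTarget = $lnk.TargetPath; Candidate = $candidate
            }
        }
    }
}

$broken = @(Find-BrokenShortcut)
$broken | Format-Table Shortcut, OldTarget, Candidate -AutoSize
if ($Repair) {
    foreach ($b in ($broken | Where-Object { $_.Candidate })) {
        $lnk = $shell.CreateShortcut($b.Shortcut)
        $lnk.TargetPath = $b.Candidate    # WScript.Shell quotes paths with spaces for you
        $lnk.Save()
    }
}
```

Shortcuts with no App Paths match are reported with an empty Candidate column and left alone; those still need the manual "Create shortcut" route the post gives.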




