# Malware, I think.



## GMO (Dec 1, 2009)

I believe I have malware. I get nonstop pop-ups, Mozilla crashes frequently, my media player locks up and closes when I try to synchronize it with my Sony MP3 player, and my computer is just all around slower and crashes a LOT more often. I have done the HJT scan and the results are below. Any ideas?
Thanks, GMO

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:47 AM, on 12/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\WINDOWS\system32\NVATray.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1102874169\ee\SSCEvtHdlr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102874169\ee\SSCRun.exe
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [CIPVCJPW] C:\WINDOWS\CIPVCJPW.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [hihahabor] Rundll32.exe "c:\windows\system32\viyiyini.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71ECA692-9311-4A8A-A2DE-CFA12D146977}: NameServer = 83.149.115.182
O20 - AppInit_DLLs: lerosusi.dll c:\windows\system32\viyiyini.dll
O21 - SSODL: suwinumeb - {ecc1776a-bfc0-41fa-8d37-242418f348cd} - c:\windows\system32\livoguyi.dll (file missing)
O21 - SSODL: foriduviw - {dc93f5d4-09fc-442a-a267-bf772db5c4e4} - c:\windows\system32\livoguyi.dll (file missing)
O21 - SSODL: rorudaduk - {4acacf30-de56-42ef-8a9b-bb2a094e2db8} - c:\windows\system32\livoguyi.dll (file missing)
O21 - SSODL: zadejufar - {324cd457-d2d4-4a81-b4f7-f4720b2df757} - c:\windows\system32\viyiyini.dll
O22 - SharedTaskScheduler: kupuhivus - {ecc1776a-bfc0-41fa-8d37-242418f348cd} - c:\windows\system32\livoguyi.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {dc93f5d4-09fc-442a-a267-bf772db5c4e4} - c:\windows\system32\livoguyi.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {4acacf30-de56-42ef-8a9b-bb2a094e2db8} - c:\windows\system32\livoguyi.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {324cd457-d2d4-4a81-b4f7-f4720b2df757} - c:\windows\system32\viyiyini.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NeroSVC - ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: [email protected] - C:\Program Files\ahead\Nero\NeroSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 11480 bytes
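A helper reads a log like this by hand, section by section. As an added example that is not part of this thread, of HijackThis or of any other tool named here, the Python script below applies the first checks to lines copied from the log above: F2 Shell/UserInit against their XP defaults, any O15 Trusted Zone entry, a public O17 NameServer, O20 AppInit_DLLs, O21/O22 shell hooks, and an eight-lowercase-letter DLL-name heuristic that is an assumption tuned to this particular log.

```python
"""Triage a HijackThis (HJT) log: flag the entry types a malware-removal helper
reads first.  Added example for this thread, not part of HijackThis or any tool
named here; rules, the 8-letter DLL-name heuristic and sample lines are assumed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Values HijackThis expects for the two F2 system.ini keys on Windows XP.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# "<section> - <body>" as HJT prints it, e.g. "O17 - HKLM\System\...".
HJT_LINE = re.compile(r"^(?P<sec>[FORN]\d{1,2})\s+-\s+(?P<body>.*)$")
# Heuristic tuned to this log: the injected system32 DLLs all have
# eight-lowercase-letter names (viyiyini.dll, livoguyi.dll, lerosusi.dll).
RANDOM_DLL = re.compile(r"\\([a-z]{8})\.dll\b")


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "F2" or "O17"
    reason: str
    line: str


def _check_f2(body: str) -> Optional[str]:
    """F2 lines carry system.ini Shell= and UserInit=; anything beyond the
    defaults is an extra program started at every logon."""
    key, _, value = body.partition("=")
    key, value = key.strip().lower(), value.strip()
    if key.endswith("shell") and value.lower() != DEFAULT_SHELL:
        return f"Shell is '{value}', expected '{DEFAULT_SHELL}'"
    if key.endswith("userinit"):
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        extra = [p for p in parts if p != DEFAULT_USERINIT]
        if extra:
            return "UserInit also runs " + ", ".join(extra)
    return None


def _check_o17(body: str) -> Optional[str]:
    """O17 is the TCP/IP NameServer; a public resolver that is not the ISP's
    lets whoever runs it answer every DNS query from this machine."""
    _, _, value = body.rpartition("=")
    addrs = []
    for tok in re.split(r"[,\s]+", value.strip()):
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            continue
    public = [str(a) for a in addrs if a.is_global]
    if public:
        return "DNS set to public server(s) " + ", ".join(public) + "; confirm with ISP"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the HJT entries that need a human look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, running-process list, blank or footer line
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "F2":
            reason = _check_f2(body)
        elif sec == "O15":
            site = re.search(r"Trusted Zone:\s*(\S+)", body)
            reason = f"IE Trusted Zone entry for {site.group(1) if site else body}"
        elif sec == "O17":
            reason = _check_o17(body)
        elif sec == "O20" and "AppInit_DLLs" in body:
            reason = "AppInit_DLLs set; listed DLLs load into every user32 process"
        elif sec in ("O21", "O22"):
            reason = "SSODL/SharedTaskScheduler hook; rarely legitimate, check the DLL"
        if reason is None:
            dll = RANDOM_DLL.search(body)
            if dll:
                reason = f"loads randomly named DLL {dll.group(1)}.dll"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


# Constructed sample: lines copied from the HJT log in this thread, plus two
# known-good entries (the Adobe BHO and iTunesHelper) as negative cases.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [hihahabor] Rundll32.exe "c:\windows\system32\viyiyini.dll",a
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O15 - Trusted Zone: *.winfixer.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{71ECA692-9311-4A8A-A2DE-CFA12D146977}: NameServer = 83.149.115.182
O20 - AppInit_DLLs: lerosusi.dll c:\windows\system32\viyiyini.dll
O21 - SSODL: zadejufar - {324cd457-d2d4-4a81-b4f7-f4720b2df757} - c:\windows\system32\viyiyini.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The output is a list of entries to look at, not a fix list; the known-good lines in the sample produce no finding.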


----------



## eddie5659 (Mar 19, 2001)

Hiya and welcome to Tech Support Guy 

Are you still having this problem? If so, can you do the following:

Download *TFC by OldTimer* to your desktop

 Please double-click *TFC.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
It *will close all programs* when run, so make sure you have *saved all your work* before you begin.
Click the *Start* button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. *Let it run uninterrupted to completion*. 
Once it's finished it should *reboot your machine*. If it does not, please *manually reboot the machine* yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply._

Click *Close* to exit the program.

---

Download GMER from *Here*. Note the file's name and save it to your root folder, such as C:\.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on *this link* to see a list of programs that should be disabled.
Double-click on *the downloaded file* to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "*No*", save the log and post back the results.
If not prompted, click the "*Rootkit/Malware*" tab.
On the right-side, all items to be scanned should be checked by default _except_ for "Show All". Leave that box *unchecked*.
Select all drives that are connected to your system to be scanned.
Click the *Scan* button to begin. _(Please be patient as it can take some time to complete)_
When the scan is finished, click *Save* to save the scan results to your Desktop.
Save the file as *Results.log* and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis*.
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. 

---

Please include the *MBAM log, SAS log, Results.log and a fresh HijackThis log *in your next reply

Regards

eddie


----------



## GMO (Dec 1, 2009)

Eddy, Thanks a million for replying. I'll do as you have directed however there is a lot there to do so it might be a while before you hear from me again. Hopefully when you do I can report good news.
Thanks again, Gregg.


----------



## eddie5659 (Mar 19, 2001)

It's no problem, anytime is fine with me.

eddie


----------



## GMO (Dec 1, 2009)

Hi Eddy, 
I didn't get very far before having some trouble. I downloaded TFC by OldTimer to my desktop, ran it, and my machine rebooted just fine.

I then downloaded Malwarebytes' Anti-Malware. When I double-click mbam-setup.exe I get the usual "Open Executable File" box that warns, "mbam-setup.exe is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch 'mbam-setup.exe'?"
I click "OK" and get the "Open File - Security Warning" box along with the usual question, "Do you want to run this file?" and it gives the name of the file (mbam-setup.exe) etc., etc. When I click "Run" the "Open File - Security Warning" box disappears but nothing happens.
Any ideas what I'm doing wrong?
Thanks, Gregg


----------



## eddie5659 (Mar 19, 2001)

There may be something stopping it, so in the meantime do this:

Download *Combofix* from any of the links below but *rename it to Project before* saving it to your desktop.

*Link 1*
*Link 2*
*Link 3*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.*

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

eddie


----------



## GMO (Dec 1, 2009)

Eddy, We'll do ASAP. Probably later today.
Thanks, Gregg


----------



## GMO (Dec 1, 2009)

Eddy, Here is the log produced by Combofix (renamed "Project"). There were a few bumps in the road but this is what it gave me. I Hope it tells you something you can use.
Thanks again, Gregg.

ComboFix 09-12-10.01 - Gregg 12/10/2009 21:18:46.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.329 [GMT -6:00]
Running from: c:\documents and settings\Gregg\Desktop\Project.exe
AV: AOL Antivirus *On-access scanning enabled* (Outdated) {164FF91F-F5BD-4B74-A9DC-932CECB1603B}
FW: AOL Firewall *disabled* {6515F560-BD88-41EB-AD77-F1F3F6F80BEA}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\sysnet.dll
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\documents and settings\Susan Obbink\Start Menu\Programs\Personal Guard 2009
c:\documents and settings\Susan Obbink\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk
c:\program files\MyWay
c:\recycler\S-1-5-21-746137067-926492609-682003330-1003
c:\windows\certsystem.exe
c:\windows\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe
c:\windows\microsoftdef.dll
c:\windows\regred.exe
c:\windows\securits.com
c:\windows\spoov.exe
c:\windows\system32\_003368_.tmp.dll
c:\windows\system32\_003374_.tmp.dll
c:\windows\system32\_003377_.tmp.dll
c:\windows\system32\_003382_.tmp.dll
c:\windows\system32\_003424_.tmp.dll
c:\windows\system32\_003525_.tmp.dll
c:\windows\system32\_003526_.tmp.dll
c:\windows\system32\_003527_.tmp.dll
c:\windows\system32\_003528_.tmp.dll
c:\windows\system32\_003531_.tmp.dll
c:\windows\system32\_003532_.tmp.dll
c:\windows\system32\_003533_.tmp.dll
c:\windows\system32\_003534_.tmp.dll
c:\windows\system32\_003539_.tmp.dll
c:\windows\system32\_003540_.tmp.dll
c:\windows\system32\_003541_.tmp.dll
c:\windows\system32\_003542_.tmp.dll
c:\windows\system32\_003549_.tmp.dll
c:\windows\system32\_003550_.tmp.dll
c:\windows\system32\_003551_.tmp.dll
c:\windows\system32\_003553_.tmp.dll
c:\windows\system32\_003554_.tmp.dll
c:\windows\system32\_003557_.tmp.dll
c:\windows\system32\_003558_.tmp.dll
c:\windows\system32\_003560_.tmp.dll
c:\windows\system32\_003561_.tmp.dll
c:\windows\system32\_003562_.tmp.dll
c:\windows\system32\_003563_.tmp.dll
c:\windows\system32\_003564_.tmp.dll
c:\windows\system32\_003565_.tmp.dll
c:\windows\system32\_003570_.tmp.dll
c:\windows\system32\_003571_.tmp.dll
c:\windows\system32\_003572_.tmp.dll
c:\windows\system32\_003573_.tmp.dll
c:\windows\system32\_003578_.tmp.dll
c:\windows\system32\_003579_.tmp.dll
c:\windows\system32\_003580_.tmp.dll
c:\windows\system32\_003581_.tmp.dll
c:\windows\system32\_003586_.tmp.dll
c:\windows\system32\_003587_.tmp.dll
c:\windows\system32\_003588_.tmp.dll
c:\windows\system32\_003589_.tmp.dll
c:\windows\system32\_003594_.tmp.dll
c:\windows\system32\_003595_.tmp.dll
c:\windows\system32\_003596_.tmp.dll
c:\windows\system32\_003597_.tmp.dll
c:\windows\system32\_003602_.tmp.dll
c:\windows\system32\_003603_.tmp.dll
c:\windows\system32\_003604_.tmp.dll
c:\windows\system32\_003605_.tmp.dll
c:\windows\system32\_003610_.tmp.dll
c:\windows\system32\_003611_.tmp.dll
c:\windows\system32\_003612_.tmp.dll
c:\windows\system32\_003613_.tmp.dll
c:\windows\system32\_003618_.tmp.dll
c:\windows\system32\_003619_.tmp.dll
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\bekoduya.dll
c:\windows\system32\bidubiti.dll
c:\windows\system32\bosurezo.dll
c:\windows\system32\bulimane.dll
c:\windows\system32\busoguze.dll
c:\windows\system32\davafuhu.dll
c:\windows\system32\derinade.dll
c:\windows\system32\dirupahu.dll
c:\windows\system32\divasalo.dll
c:\windows\system32\dovinabu.dll
c:\windows\system32\drivers\H8SRTklftitexwb.sys
c:\windows\system32\dukotova.dll
c:\windows\system32\fanudugu.dll
c:\windows\system32\fegenope.dll
c:\windows\system32\fotomahi.dll
c:\windows\system32\fowerovo.dll
c:\windows\system32\genetoda.dll
c:\windows\system32\gesiwoha.dll
c:\windows\system32\golosufu.dll
c:\windows\system32\h8srtcfg.dat
c:\windows\system32\H8SRTkyqxqbebiq.dat
c:\windows\system32\H8SRTpjovmkluvk.dll
c:\windows\system32\H8SRTtmxdpqmqsa.dll
c:\windows\system32\hatijina.dll
c:\windows\system32\hedafatu.dll
c:\windows\system32\hiyoluge.dll
c:\windows\system32\hobokuzu.dll
c:\windows\system32\howiduga.dll
c:\windows\system32\jedepona.dll
c:\windows\system32\jevaziji.dll
c:\windows\system32\jiremeye.dll
c:\windows\system32\kasiyebo.dll
c:\windows\system32\kemituba.dll
c:\windows\system32\kewowupa.dll
c:\windows\system32\kofirawa.dll
c:\windows\system32\kotidemu.dll
c:\windows\system32\lamisefi.dll
c:\windows\system32\lekefoji.dll
c:\windows\system32\litunude.dll
c:\windows\system32\livoguyi.dll
c:\windows\system32\logon.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\luruwono.dll
c:\windows\system32\maligoha.dll
c:\windows\system32\melunule.dll
c:\windows\system32\mepepivu.dll
c:\windows\system32\miwajiho.dll
c:\windows\system32\MSView.exe
c:\windows\system32\mupitera.dll
c:\windows\system32\muyasera.dll
c:\windows\system32\nahilifo.dll
c:\windows\system32\nalayafi.dll
c:\windows\system32\niwogepi.dll
c:\windows\system32\novituto.dll
c:\windows\system32\nuruhola.dll
c:\windows\system32\P2P Networking
c:\windows\system32\P2P Networking\MARSHAL11.DLL
c:\windows\system32\P2P Networking\P2P Networking.exe
c:\windows\system32\P2P Networking\P2P Networking8.ENG
c:\windows\system32\panosuba.dll
c:\windows\system32\parahuri.dll
c:\windows\system32\pasugusa.dll
c:\windows\system32\pekiboba.dll
c:\windows\system32\peyumupo.dll
c:\windows\system32\poruzowo.dll
c:\windows\system32\ravuhavu.dll
c:\windows\system32\redipefe.dll
c:\windows\system32\rezalefe.dll
c:\windows\system32\rezubeza.dll
c:\windows\system32\ripagupa.dll
c:\windows\system32\rutobuki.exe
c:\windows\system32\sapawoma.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\sivaforu.dll
c:\windows\system32\sojohehu.dll
c:\windows\system32\sokogufe.dll
c:\windows\system32\sosilore.dll
c:\windows\system32\srcr.dat
c:\windows\system32\susonuno.dll
c:\windows\system32\telelepu.dll
c:\windows\system32\teyesiti.dll
c:\windows\system32\tijawani.dll
c:\windows\system32\togitata.dll
c:\windows\system32\towoyila.dll
c:\windows\system32\tubivabo.dll
c:\windows\system32\vihegawu.dll
c:\windows\system32\voladeti.dll
c:\windows\system32\vuyugije.dll
c:\windows\system32\wijahupu.dll
c:\windows\system32\wijidapa.dll
c:\windows\system32\wobarale.dll
c:\windows\system32\wobupobu.dll
c:\windows\system32\wogutopa.dll
c:\windows\system32\yazeriza.dll
c:\windows\system32\yomoviya.dll
c:\windows\system32\zawibavu.dll
c:\windows\system32\zotokohu.dll
c:\windows\system32\zujopuhe.dll
c:\windows\system32\zumijasa.dll
c:\windows\Tasks\glkroiuu.job
c:\windows\usexplorer.exe

----- BITS: Possible infected sites -----

hxxp://82.98.231.98
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-02 15:16 . 2009-12-02 15:16 -------- d-----w- c:\program files\Trend Micro
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\Gregg\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 16:27 . 2007-01-08 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-19 17:48 . 2009-12-01 15:41 872960 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 17:48 . 2009-12-01 15:41 43008 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 17:48 . 2009-12-01 15:41 340480 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 17:48 . 2009-12-01 15:41 346624 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-04 14:57 . 2003-11-08 15:29 -------- d-----w- c:\program files\QuickTime
2005-01-07 05:16 . 2005-01-07 05:16 3763883 -c--a-w- c:\program files\wace26i4.exe
2009-07-26 13:48 . 2009-07-26 13:48 163840 --sha-w- c:\windows\system32\bakivige.dll
2009-08-17 14:16 . 2009-08-17 14:16 4096 --sha-w- c:\windows\system32\raditile.dll
2009-07-30 13:07 . 2009-07-30 13:07 65536 --sha-w- c:\windows\system32\tomavita.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-20 32881]
"sscRun"="c:\program files\Common Files\AOL\1102874169\ee\SSCRun.exe" [2007-01-25 153168]
"PCTVOICE"="pctspk.exe" [2001-06-15 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OASClnt"="c:\program files\mcafee.com\antivirus\oasclnt.exe" [2006-07-28 116272]
"nwiz"="nwiz.exe" [2002-05-03 364544]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 45056]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-08-15 155648]
"MPFExe"="c:\program files\mcafee.com\personal firewall\MPfTray.exe" [2006-03-07 992808]
"InCD"="c:\program files\ahead\InCD\InCD.exe" [2002-08-15 995328]
"HostManager"="c:\program files\Common Files\AOL\1102874169\ee\AOLSoftware.exe" [2008-11-06 41264]
"EmailScan"="c:\program files\mcafee.com\antivirus\mcvsescn.exe" [2006-07-28 460336]
"AOLSPScheduler"="c:\program files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe" [2007-01-25 8784]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-1-4 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll" [2006-01-09 86016]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\NVATray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"c:\\WINDOWS\\msagent\\agentsvr.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [8/15/2002 8:51 AM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [8/15/2002 8:51 AM 328448]
S2 NeroSVC;NeroSVC;c:\program files\ahead\Nero\NeroSVC.exe [3/30/2001 5:10 PM 73728]
S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [4/25/2000 6:01 AM 35694]
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: amaena.com
Trusted Zone: drivecleaner.com
Trusted Zone: errorprotector.com
Trusted Zone: errorsafe.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: systemdoctor.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
TCP: {71ECA692-9311-4A8A-A2DE-CFA12D146977} = 83.149.115.182
FF - ProfilePath - c:\documents and settings\Gregg\Application Data\Mozilla\Firefox\Profiles\cmbb5emw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{47819c8d-9718-44cf-a007-9b54a818e833} - davafuhu.dll
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
HKLM-Run-SpySpotter System Defender - c:\program files\SpySpotter3\Defender.exe
HKLM-Run-Ink Monitor - c:\program files\EPSON\Ink Monitor\InkMonitor.exe
HKLM-Run-ConMgr.exe - c:\program files\EarthLink 5.0\ConMgr.exe
HKLM-Run-CIPVCJPW - c:\windows\CIPVCJPW.exe
HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
HKLM-Run-hihahabor - c:\windows\system32\howiduga.dll
HKLM-Run-pafokowowu - fotomahi.dll
SharedTaskScheduler-{ecc1776a-bfc0-41fa-8d37-242418f348cd} - c:\windows\system32\livoguyi.dll
SharedTaskScheduler-{dc93f5d4-09fc-442a-a267-bf772db5c4e4} - c:\windows\system32\livoguyi.dll
SharedTaskScheduler-{4acacf30-de56-42ef-8a9b-bb2a094e2db8} - c:\windows\system32\livoguyi.dll
SharedTaskScheduler-{2eba96d9-b0f7-4b97-bee8-65faf9a677e9} - c:\windows\system32\siwipuyo.dll
SharedTaskScheduler-{b938fce1-556c-424e-8f19-48ba40ec8c31} - c:\windows\system32\howiduga.dll
SSODL-suwinumeb-{ecc1776a-bfc0-41fa-8d37-242418f348cd} - c:\windows\system32\livoguyi.dll
SSODL-foriduviw-{dc93f5d4-09fc-442a-a267-bf772db5c4e4} - c:\windows\system32\livoguyi.dll
SSODL-rorudaduk-{4acacf30-de56-42ef-8a9b-bb2a094e2db8} - c:\windows\system32\livoguyi.dll
SSODL-yahulevef-{2eba96d9-b0f7-4b97-bee8-65faf9a677e9} - c:\windows\system32\siwipuyo.dll
SSODL-sehivivak-{b938fce1-556c-424e-8f19-48ba40ec8c31} - c:\windows\system32\howiduga.dll
SafeBoot-WinDefend
AddRemove-AOL Regclient - c:\program files\AOL\RC\uninstall.exe
AddRemove-AOL Toolbar for Firefox - c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\uninstall.exe
AddRemove-BearShare - c:\progra~1\BEARSH~1\UNWISE.EXE
AddRemove-CCleaner - c:\program files\CCleaner\uninst.exe
AddRemove-Ink Monitor - c:\program files\EPSON\Ink Monitor\InkMonitor.exe
AddRemove-TurboTax Home & Business 2006 - c:\documents and settings\Susan Obbink\Desktop\TurboTax Home & Business 2006\TaxUnst.EXE
AddRemove-TurboTax Premier 2004 - c:\documents and settings\Susan Obbink\My Documents\TaxUnst.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 21:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3428)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\mcafee.com\antivirus\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\progra~1\mcafee.com\ANTIVI~1\mcshield.exe
c:\progra~1\mcafee.com\ANTIVI~1\OasClnt.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\pctspk.exe
c:\program files\Common Files\AOL\1102874169\ee\SSCEvtHdlr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-10 21:41:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-11 03:41

Pre-Run: 9,621,676,032 bytes free
Post-Run: 9,392,668,672 bytes free

- - End Of File - - 866E8934F641292679919691F4875BA3


----------



## eddie5659 (Mar 19, 2001)

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to *Step 1*, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

*Note: If you have SP3, use the SP2 package.*

-------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'No' to run the full ComboFix scan.


-------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quote box below into it:



> File::
> c:\windows\system32\bakivige.dll
> c:\windows\system32\raditile.dll
> c:\windows\system32\tomavita.dll


Save this as *CFScript.txt*, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

Also, post a fresh HijackThis log.


----------



## GMO (Dec 1, 2009)

Hi Eddy,
I don't think things went as planned. I got the Windows Recovery Console loaded OK, and at the "What's next" box I clicked "No" (although that seemed counterintuitive), copied and pasted the text in the quote box into Notepad, and here is what I saved and attempted to drag and drop onto the ComboFix.exe (still named "Project").

File::
c:\windows\system32\bakivige.dll
c:\windows\system32\raditile.dll
c:\windows\system32\tomavita.dll 
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

At this point ComboFix seems to start up, but I never see any progress beyond the ComboFix "green bar" progress window. It looks like things are progressing, but I don't see anything but the blue box with a yellow flashing prompt (for lack of a better term) in the upper left corner of the blue box.
Here is a fresh Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:54 AM, on 12/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Common Files\AOL\1102874169\ee\SSCEvtHdlr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1102874169\EE\aolssc.exe
C:\Project\ComboFix-Download.cfxxe
C:\Program Files\Common Files\AOL\1102874169\EE\anotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Project18688P\ComboFix-Download.cfxxe
C:\Project17412P\ComboFix-Download.cfxxe
C:\Project12228P\ComboFix-Download.cfxxe
C:\Project24901P\ComboFix-Download.cfxxe
C:\Project20042P\ComboFix-Download.cfxxe
C:\Project29781P\ComboFix-Download.cfxxe
C:\Project21027P\ComboFix-Download.cfxxe
C:\Project9686P\ComboFix-Download.cfxxe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102874169\ee\SSCRun.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71ECA692-9311-4A8A-A2DE-CFA12D146977}: NameServer = 83.149.115.182
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NeroSVC - ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: [email protected] - C:\Program Files\ahead\Nero\NeroSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9666 bytes

Did I do something wrong??
Thanks, Gregg.
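
The HijackThis log above contains the entry types a helper checks first: O15 Trusted Zone additions, the O17 interface NameServer, O16 downloaded ActiveX controls (DPF), O4 autoruns that name only a bare file, and entries marked "(no file)". As an added example, not part of this thread and not code from HijackThis, here is a small Python triage pass over a constructed handful of lines modelled on the posted log; the severity labels and the private-address test for O17 are this example's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines in HijackThis v2 format, modelled on
# (and much shorter than) the log posted in this thread. The second O17 line
# with a private DNS address is made up to show the non-flagged case.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)",
    r"O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe",
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O15 - Trusted Zone: *.winfixer.com (HKLM)",
    r"O15 - Trusted Zone: *.errorsafe.com (HKLM)",
    r"O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{71ECA692-9311-4A8A-A2DE-CFA12D146977}: NameServer = 83.149.115.182",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
]

# "O15 - Trusted Zone: ..." -> section code and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Body of an O4 autorun: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Body of an O17 entry: ... NameServer = ip[,ip]
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT line into its section code (O4, O15, ...) and body;
    header and process-list lines do not match and return None."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return {"kind": m.group("kind"), "body": m.group("body")}


def is_bare_filename(cmd: str) -> bool:
    """True when an autorun value names only a file (e.g. 'pctspk.exe'),
    so which copy runs depends on the search order at logon."""
    parts = cmd.strip().lstrip('"').split('"')[0].split()
    if not parts:
        return False
    exe = parts[0]
    return "\\" not in exe and ":" not in exe


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return the entries a helper looks at first, each with a severity and
    reason. Severity labels are this example's own convention."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, line: str, reason: str) -> None:
        findings.append({"severity": severity, "line": line, "reason": reason})

    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind, body = entry["kind"], entry["body"]
        if kind == "O15":
            # Sites in the IE Trusted Zone run with relaxed security settings.
            add("high", line, "site added to the IE Trusted Zone")
        elif kind == "O17":
            m = NS_RE.search(body)
            for ip in (m.group("servers").split(",") if m else []):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    continue
                if not addr.is_private:
                    add("high", line, f"interface DNS server {ip} is a public "
                                      "address; confirm it belongs to the ISP")
        elif kind == "O16":
            add("review", line, "ActiveX control downloaded from the web (DPF)")
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m and is_bare_filename(m.group("cmd")):
                add("info", line, f"autorun [{m.group('name')}] uses a bare "
                                  "filename; check which file is actually found")
        if body.endswith("(no file)"):
            add("info", line, "orphaned entry: the registered file no longer exists")
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'review': 1, 'info': 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it the full posted log as a list of lines and every O15 rogue-site entry and the public O17 NameServer come out at the top of the list.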


----------



## eddie5659 (Mar 19, 2001)

Not sure what has happened as this part:



> WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
> [boot loader]
> timeout=2
> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
> ...


is part of the boot.ini file.

It may have had a little fit, due to me saying no, which is strange so I'll check with the developer.

I'll be back soon

eddie


----------



## eddie5659 (Mar 19, 2001)

There's a problem with ComboFix at the moment, so can you re-run Malwarebytes' Anti-Malware again, after updating it, and post the results.

Also, can you do this:


1. Download *OTL* to your desktop.

2. Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

3. When the window appears, underneath *Output* at the top change it to *Minimal Output*.

4. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

5. When the scan completes, it will open two notepad windows, *OTListIt.Txt* and *Extras.Txt*. These are saved in the same location as OTL.

6. Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.


eddie


----------



## GMO (Dec 1, 2009)

OK, I'll do that. But just to keep you informed: I thought I might have been being too impatient last night, so I tried to drag and drop the CF-RC log onto the cat icon (with the text from the quote box pasted into it) and I let it run overnight. No joy in the AM, so I re-booted and tried again; again no joy. I then did the first drag and drop (Windows Recovery Console onto the cat icon) and let it run. Below is a copy of the log. One other thing I noticed: the Windows Recovery Console that I downloaded is named "Windows XP-KB 310994-SP2-Home-BootDisk-ENU". I noticed in the example you gave the name starts with "Windows XP-KB-310994-SP2-Pr"; I don't know if this matters??

ComboFix 09-12-10.01 - Gregg 12/14/2009 8:24.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.232 [GMT -6:00]
Running from: c:\documents and settings\Gregg\Desktop\Project.exe
Command switches used :: c:\documents and settings\Gregg\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AOL Antivirus *On-access scanning disabled* (Outdated) {164FF91F-F5BD-4B74-A9DC-932CECB1603B}
FW: AOL Firewall *enabled* {6515F560-BD88-41EB-AD77-F1F3F6F80BEA}
.

((((((((((((((((((((((((( Files Created from 2009-11-14 to 2009-12-14 )))))))))))))))))))))))))))))))
.

2009-12-14 06:29 . 2009-12-14 06:40 -------- d-----w- C:\Project3681P
2009-12-14 06:04 . 2009-12-14 06:29 -------- d-----w- C:\Project9686P
2009-12-14 06:02 . 2009-12-14 06:04 -------- d-----w- C:\Project21027P
2009-12-14 06:01 . 2009-12-14 06:02 -------- d-----w- C:\Project29781P
2009-12-14 06:00 . 2009-12-14 06:01 -------- d-----w- C:\Project20042P
2009-12-14 05:59 . 2009-12-14 06:00 -------- d-----w- C:\Project24901P
2009-12-14 05:56 . 2009-12-14 05:59 -------- d-----w- C:\Project12228P
2009-12-14 05:55 . 2009-12-14 05:56 -------- d-----w- C:\Project17412P
2009-12-14 05:52 . 2009-12-14 05:55 -------- d-----w- C:\Project18688P
2009-12-14 05:38 . 2009-12-14 05:42 -------- d-----w- C:\Project28979P
2009-12-14 05:13 . 2009-12-14 05:38 -------- d-----w- C:\Project
2009-12-02 15:16 . 2009-12-02 15:16 -------- d-----w- c:\program files\Trend Micro
2009-12-01 15:41 . 2009-11-19 17:48 43008 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-01 15:41 . 2009-11-19 17:48 340480 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-01 15:41 . 2009-11-19 17:48 346624 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-01 15:41 . 2009-11-19 17:48 872960 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\Gregg\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 16:27 . 2007-01-08 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-04 14:57 . 2003-11-08 15:29 -------- d-----w- c:\program files\QuickTime
2005-01-07 05:16 . 2005-01-07 05:16 3763883 -c--a-w- c:\program files\wace26i4.exe
2009-07-26 13:48 . 2009-07-26 13:48 163840 --sha-w- c:\windows\system32\bakivige.dll
2009-08-17 14:16 . 2009-08-17 14:16 4096 --sha-w- c:\windows\system32\raditile.dll
2009-07-30 13:07 . 2009-07-30 13:07 65536 --sha-w- c:\windows\system32\tomavita.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-20 32881]
"sscRun"="c:\program files\Common Files\AOL\1102874169\ee\SSCRun.exe" [2007-01-25 153168]
"PCTVOICE"="pctspk.exe" [2001-06-15 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OASClnt"="c:\program files\mcafee.com\antivirus\oasclnt.exe" [2006-07-28 116272]
"nwiz"="nwiz.exe" [2002-05-03 364544]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 45056]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-08-15 155648]
"MPFExe"="c:\program files\mcafee.com\personal firewall\MPfTray.exe" [2006-03-07 992808]
"InCD"="c:\program files\ahead\InCD\InCD.exe" [2002-08-15 995328]
"HostManager"="c:\program files\Common Files\AOL\1102874169\ee\AOLSoftware.exe" [2008-11-06 41264]
"EmailScan"="c:\program files\mcafee.com\antivirus\mcvsescn.exe" [2006-07-28 460336]
"AOLSPScheduler"="c:\program files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe" [2007-01-25 8784]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-1-4 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll" [2006-01-09 86016]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\NVATray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"c:\\WINDOWS\\msagent\\agentsvr.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [8/15/2002 8:51 AM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [8/15/2002 8:51 AM 328448]
S2 NeroSVC;NeroSVC;c:\program files\ahead\Nero\NeroSVC.exe [3/30/2001 5:10 PM 73728]
S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [4/25/2000 6:01 AM 35694]
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: amaena.com
Trusted Zone: drivecleaner.com
Trusted Zone: errorprotector.com
Trusted Zone: errorsafe.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: systemdoctor.com
Trusted Zone: winantispyware.com
Trusted Zone: winantivirus.com
Trusted Zone: winfixer.com
TCP: {71ECA692-9311-4A8A-A2DE-CFA12D146977} = 83.149.115.182
FF - ProfilePath - c:\documents and settings\Gregg\Application Data\Mozilla\Firefox\Profiles\cmbb5emw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-14 08:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1336)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\mcafee.com\antivirus\McVSSkt.dll
.
Completion time: 2009-12-14 08:35:40
ComboFix-quarantined-files.txt 2009-12-14 14:35
ComboFix2.txt 2009-12-11 03:41

Pre-Run: 9,150,181,376 bytes free
Post-Run: 9,116,106,752 bytes free

- - End Of File - - F9151D041A07B8A6CF4AC2FAA6850950

I will proceed with your latest instructions.
Thanks, Gregg.


----------



## GMO (Dec 1, 2009)

Hi Eddy, here is the OTL.Txt Notepad.

OTL logfile created on: 12/14/2009 9:18:32 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Gregg\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.49 Mb Total Physical Memory | 292.64 Mb Available Physical Memory | 57.21% Memory free
1.22 Gb Paging File | 0.92 Gb Available in Paging File | 75.88% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 8.51 Gb Free Space | 15.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUSAN
Current User Name: Gregg
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Gregg\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe (AOL LLC)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
PRC - C:\Program Files\Common Files\AOL\1102874169\EE\services\safetyCore\ver210_5_4_1\aolavupd.exe (AOL LLC)
PRC - C:\Program Files\Common Files\AOL\1102874169\EE\SSCEvtHdlr.exe (America Online)
PRC - C:\Program Files\Common Files\AOL\1102874169\EE\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe (AOL LLC)
PRC - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe (CA, Inc.)
PRC - C:\Program Files\McAfee.com\antivirus\mcvsescn.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\antivirus\oasclnt.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
PRC - C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe (McAfee Corporation)
PRC - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe (Arcsoft, Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)
PRC - C:\Program Files\ahead\InCD\InCD.exe (Copyright (C) ahead software gmbh and its licensors)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\pctspk.exe ()

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Gregg\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\McAfee.com\antivirus\mcvsskt.dll (McAfee, Inc.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll (ScanSoft, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (aolavupd) -- C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe (AOL LLC)
SRV - (ITMRTSVC) -- C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe (CA, Inc.)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)
SRV - (MpfService) -- C:\Program Files\mcafee.com\personal firewall\MPFService.exe (McAfee Corporation)
SRV - (McShield) -- C:\Program Files\McAfee.com\antivirus\McShield.exe (McAfee Inc.)
SRV - (iPodService) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)
SRV - (AOL TopSpeedMonitor) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (NeroSVC) -- C:\Program Files\ahead\Nero\NeroSVC.exe (ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: [email protected])

========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found
DRV - (MPFIREWL) -- C:\WINDOWS\system32\drivers\MpFirewall.sys (McAfee)
DRV - (NaiAvFilter1) -- C:\WINDOWS\system32\drivers\naiavf5x.sys (McAfee Inc.)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (BsUDF) -- C:\WINDOWS\system32\drivers\bsudf.sys (ahead software)
DRV - (BsStor) -- C:\WINDOWS\System32\DRIVERS\bsstor.sys (B.H.A Co.,Ltd.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (NVENET) -- C:\WINDOWS\system32\drivers\NVENET.sys (NVIDIA Corporation)
DRV - (nvnforce) Service for NVIDIA® nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA® Corporation)
DRV - (nvax) Service for NVIDIA® nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA® Corporation)
DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (Ptserial) -- C:\WINDOWS\system32\drivers\ptserial.sys (PCTEL, INC.)
DRV - (Vvoice) -- C:\WINDOWS\System32\DRIVERS\vvoice.sys (PCtel, Inc.)
DRV - (Vmodem) -- C:\WINDOWS\System32\DRIVERS\vmodem.sys (PCTEL, INC.)
DRV - (Vpctcom) -- C:\WINDOWS\System32\DRIVERS\vpctcom.sys (PCtel, Inc.)
DRV - (NetMate) -- C:\WINDOWS\system32\drivers\netmate2.sys (CATC (Computer Access Technology Corp.))

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\S-1-5-21-4025279379-3476069405-3446040989-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {3e0e7d2a-070f-4a47-b019-91fe5385ba79}:2.1.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/23 19:47:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/22 10:36:28 | 00,000,000 | ---D | M]

[2009/02/16 23:43:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gregg\Application Data\Mozilla\Extensions
[2009/12/13 21:29:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gregg\Application Data\Mozilla\Firefox\Profiles\cmbb5emw.default\extensions
[2009/11/21 08:32:28 | 00,000,000 | ---D | M] (AddThis) -- C:\Documents and Settings\Gregg\Application Data\Mozilla\Firefox\Profiles\cmbb5emw.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2009/12/13 21:29:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/08 10:37:16 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AOL Toolbar Loader) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
O4 - HKLM..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102874169\EE\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe (AOL LLC)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [EmailScan] C:\Program Files\McAfee.com\antivirus\mcvsescn.exe (McAfee, Inc.)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe (Copyright (C) ahead software gmbh and its licensors)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [MPFExe] C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NVIDIA nForce APU1 Utilities] C:\WINDOWS\System32\NVATray.exe (NVIDIA® Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [OASClnt] C:\Program Files\McAfee.com\antivirus\oasclnt.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKLM..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102874169\EE\sscRun.exe (AOL LLC)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe (Arcsoft, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Recovery present
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
O15 - HKLM\..Trusted Domains: amaena.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: drivecleaner.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: errorprotector.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: errorsafe.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: imageservr.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: systemdoctor.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: winantispyware.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: winantivirus.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: winfixer.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-4025279379-3476069405-3446040989-1007\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} http://www.spywarestormer.com/files2/Install.cab (CInstall Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} http://aolcc.aol.com/computercheckup/qdiagcc.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/FacebookPhotoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab (FujifilmUploader Class)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} http://fdl.msn.com/public/investor/v13/ticker.cab (MSN Money Ticker)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 74.60.80.5 75.95.21.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Documents and Settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/08/15 08:30:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/14 09:15:07 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gregg\Desktop\OTL.exe
[2009/12/14 08:35:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/12/14 08:24:06 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/14 00:29:30 | 00,000,000 | ---D | C] -- C:\Project3681P
[2009/12/14 00:04:55 | 00,000,000 | ---D | C] -- C:\Project9686P
[2009/12/14 00:02:41 | 00,000,000 | ---D | C] -- C:\Project21027P
[2009/12/14 00:01:54 | 00,000,000 | ---D | C] -- C:\Project29781P
[2009/12/14 00:00:54 | 00,000,000 | ---D | C] -- C:\Project20042P
[2009/12/13 23:59:43 | 00,000,000 | ---D | C] -- C:\Project24901P
[2009/12/13 23:56:44 | 00,000,000 | ---D | C] -- C:\Project12228P
[2009/12/13 23:55:36 | 00,000,000 | ---D | C] -- C:\Project17412P
[2009/12/13 23:52:20 | 00,000,000 | ---D | C] -- C:\Project18688P
[2009/12/13 23:39:35 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/13 23:38:19 | 00,000,000 | ---D | C] -- C:\Project28979P
[2009/12/13 23:13:51 | 00,000,000 | ---D | C] -- C:\Project
[2009/12/13 22:56:24 | 04,614,888 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Gregg\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2009/12/10 21:07:20 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/10 21:07:20 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/10 21:07:20 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/10 21:06:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/10 20:59:09 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/10 10:20:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gregg\My Documents\Computer Help By Eddy
[2009/12/09 20:58:17 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Gregg\My Documents\mbam-setup.exe
[2009/12/09 19:45:39 | 04,844,296 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Gregg\Desktop\mbam-setup.exe
[2009/12/09 19:21:33 | 00,343,040 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Gregg\Desktop\TFC.exe
[2009/12/02 09:16:12 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/12/01 08:58:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Gregg\Application Data\Uniblue
[2009/11/24 21:00:05 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/11/23 23:29:59 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/29 08:01:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
[2007/08/31 11:12:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2007/04/08 12:03:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2006/08/27 09:20:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/01/06 23:16:44 | 03,763,883 | ---- | C] (e-merge GmbH) -- C:\Program Files\wace26i4.exe
[2004/12/16 00:59:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2002/08/15 08:32:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2002/08/15 08:29:48 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/14 09:19:00 | 00,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2009/12/14 09:15:10 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gregg\Desktop\OTL.exe
[2009/12/14 09:12:15 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\There is a problem with ComboFix.doc
[2009/12/14 08:35:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/14 08:32:37 | 00,000,265 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/14 08:15:59 | 00,251,808 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2009/12/14 08:15:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/14 08:15:41 | 53,640,3968 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/14 08:14:01 | 02,883,584 | -H-- | M] () -- C:\Documents and Settings\Gregg\NTUSER.DAT
[2009/12/14 08:13:36 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Gregg\ntuser.ini
[2009/12/13 23:39:44 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/12/13 22:59:57 | 04,614,888 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Gregg\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[2009/12/13 21:11:22 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/10 21:52:13 | 00,063,488 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\ComboFix 09log.doc
[2009/12/10 21:30:01 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/10 21:22:14 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\zatunuyi
[2009/12/10 20:54:50 | 03,848,506 | R--- | M] () -- C:\Documents and Settings\Gregg\Desktop\Project.exe
[2009/12/10 09:35:48 | 03,966,838 | R--- | M] () -- C:\Documents and Settings\Gregg\Desktop\AussieGlobalWarming.pdf
[2009/12/10 09:33:05 | 00,094,184 | ---- | M] () -- C:\VETlog.dmp
[2009/12/10 09:31:59 | 00,000,800 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/12/09 21:24:55 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Gregg\Desktop\Jason Lewis Pod Cast site.doc
[2009/12/09 20:14:01 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Gregg\My Documents\mbam-setup.exe
[2009/12/09 19:53:12 | 04,844,296 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Gregg\Desktop\mbam-setup.exe
[2009/12/09 19:21:33 | 00,343,040 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Gregg\Desktop\TFC.exe
[2009/12/08 19:28:57 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\M & P Lento.doc
[2009/12/08 19:26:48 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\Mario.doc
[2009/12/04 09:42:32 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\To whom it may concern.doc
[2009/12/02 09:16:14 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Gregg\Desktop\HijackThis.lnk
[2009/12/02 09:15:23 | 00,000,909 | ---- | M] () -- C:\Documents and Settings\Gregg\Desktop\Shortcut to HJTsetup.lnk
[2009/12/01 12:44:06 | 00,009,830 | ---- | M] () -- C:\Documents and Settings\Gregg\Desktop\exefix.reg
[2009/11/24 20:27:23 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Gregg\Desktop\http.doc
[2009/11/24 20:21:46 | 00,010,240 | ---- | M] () -- C:\Documents and Settings\Gregg\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/23 22:08:20 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/11/22 10:36:33 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/18 12:10:30 | 00,021,882 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\Branson B-200.pdf
[2009/11/18 10:58:01 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\VSP Benefits.doc
[2009/11/18 10:41:59 | 00,138,998 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\vsp_spd_06.pdf
[2009/11/17 21:38:07 | 00,552,680 | ---- | M] () -- C:\Documents and Settings\Gregg\Desktop\Oliver-Wyman-Report-Showing-Impact-of-Healthcare-Reform-on-Premiums-pdf.pdf
[2009/11/17 20:25:49 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Gregg\My Documents\We have about 600 coal.doc
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

This post requires a second post.
Thanks, Gregg.


----------



## GMO (Dec 1, 2009)

Eddy, OTL.Txt, second post.

========== Files Created - No Company Name ==========

[2009/12/14 09:12:15 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\There is a problem with ComboFix.doc
[2009/12/13 23:39:44 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/12/13 23:39:39 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/10 21:52:12 | 00,063,488 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\ComboFix 09log.doc
[2009/12/10 21:07:20 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/10 21:07:20 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/10 21:07:20 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/10 21:07:20 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/10 21:07:20 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/10 20:53:45 | 03,848,506 | R--- | C] () -- C:\Documents and Settings\Gregg\Desktop\Project.exe
[2009/12/10 09:35:48 | 03,966,838 | R--- | C] () -- C:\Documents and Settings\Gregg\Desktop\AussieGlobalWarming.pdf
[2009/12/09 21:24:55 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Gregg\Desktop\Jason Lewis Pod Cast site.doc
[2009/12/08 19:28:56 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\M & P Lento.doc
[2009/12/08 19:26:48 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\Mario.doc
[2009/12/04 09:42:31 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\To whom it may concern.doc
[2009/12/02 09:16:14 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Gregg\Desktop\HijackThis.lnk
[2009/12/02 09:15:23 | 00,000,909 | ---- | C] () -- C:\Documents and Settings\Gregg\Desktop\Shortcut to HJTsetup.lnk
[2009/12/01 12:44:06 | 00,009,830 | ---- | C] () -- C:\Documents and Settings\Gregg\Desktop\exefix.reg
[2009/11/24 19:54:27 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Gregg\Desktop\http.doc
[2009/11/20 09:09:07 | 00,010,240 | ---- | C] () -- C:\Documents and Settings\Gregg\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/18 12:10:30 | 00,021,882 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\Branson B-200.pdf
[2009/11/18 10:58:00 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\VSP Benefits.doc
[2009/11/18 10:41:59 | 00,138,998 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\vsp_spd_06.pdf
[2009/11/17 21:38:07 | 00,552,680 | ---- | C] () -- C:\Documents and Settings\Gregg\Desktop\Oliver-Wyman-Report-Showing-Impact-of-Healthcare-Reform-on-Premiums-pdf.pdf
[2009/11/17 20:22:00 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\Gregg\My Documents\The ACLU has gone from being a good liberty seeking origination.doc
[2009/08/17 08:16:14 | 00,004,096 | -HS- | C] () -- C:\WINDOWS\System32\raditile.dll
[2009/07/30 07:07:56 | 00,065,536 | -HS- | C] () -- C:\WINDOWS\System32\tomavita.dll
[2009/07/26 07:48:37 | 00,163,840 | -HS- | C] () -- C:\WINDOWS\System32\bakivige.dll
[2009/03/21 15:20:33 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/03/21 20:42:02 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2006/03/21 20:28:16 | 00,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2005/06/12 12:21:31 | 00,155,136 | ---- | C] () -- C:\WINDOWS\System32\shawn_1.dll
[2005/06/11 10:35:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/12/12 11:40:01 | 00,000,179 | ---- | C] () -- C:\WINDOWS\upst.ini
[2004/08/19 19:42:50 | 00,000,047 | ---- | C] () -- C:\WINDOWS\upth.ini
[2004/08/19 19:42:50 | 00,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/07/04 14:47:08 | 00,003,380 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/02/04 22:15:19 | 00,000,048 | ---- | C] () -- C:\WINDOWS\PerWin.ini
[2004/01/22 13:00:28 | 00,012,635 | ---- | C] () -- C:\WINDOWS\System32\DAntivirus.ini
[2003/11/08 09:04:19 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2003/09/07 13:35:52 | 00,000,026 | ---- | C] () -- C:\WINDOWS\UP9ASP.INI
[2003/06/29 18:19:51 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/11/27 13:42:33 | 00,004,816 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2002/08/25 11:48:59 | 00,000,023 | ---- | C] () -- C:\WINDOWS\EPSC80.ini
[2002/08/15 12:19:09 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2001/09/15 14:06:36 | 00,001,406 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[1979/12/31 18:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Gregg\Desktop\mbam-setup.exe:SummaryInformation
< End of report >


----------

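The two OTL.Txt posts above carry the indicators a helper would act on: the O15 Trusted Domains entries for rogue "security" products (winfixer.com, errorsafe.com, winantivirus.com and the rest), the O16 ActiveX download from spywarestormer.com, the two orphaned O3 toolbar entries with no CLSID behind them, and the hidden/system DLLs with random pronounceable names under System32 (raditile.dll, tomavita.dll, bakivige.dll, plus the extensionless zatunuyi). The script below is an added example, not part of the thread and not OTL's own code: it parses lines in OTL's format and flags those four patterns. The regexes, the rogue-domain list and the sample lines are my own assumptions, with the samples constructed to mirror entries from the posted log. One caveat a practitioner would want: the `catchme` driver, `C:\WINDOWS\PEV.exe`, `sed.exe`, `grep.exe`, `MBR.exe`, `zip.exe`, the SteelWerX tools, `C:\Qoobox`, `C:\WINDOWS\ERDNT` and `C:\cmdcons` are left behind by ComboFix, which the poster ran on 12/10 according to the log, so the file rule deliberately looks only at hidden or system files directly under System32 with no company name and does not touch them.

```python
"""Triage an OTL log for the kinds of indicators visible in the posted log.

Added example, not part of the thread or of OTL itself. The parsing rules
and indicator lists are my own assumptions; SAMPLE_LOG is constructed to
mirror lines from the posted OTL.Txt so the script runs offline.
"""
import re
from urllib.parse import urlparse

# Domains of rogue "security" products seen in the posted O15/O16 sections
# (assumption: a trusted-zone or ActiveX entry for any of them is hostile).
ROGUE_DOMAINS = {
    "winfixer.com", "errorsafe.com", "winantivirus.com", "winantispyware.com",
    "drivecleaner.com", "systemdoctor.com", "errorprotector.com", "amaena.com",
    "imagesrvr.com", "imageservr.com", "spywarestormer.com",
}

# OTL file line: [date time | size | attrs | C or M] (Company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+?) \| (?P<size>[^|]+?) \| (?P<attr>[^|]+?) \| (?P<kind>[CM])\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
O15_RE = re.compile(r"^O15 - .*?Trusted Domains: (?P<domain>\S+) \(")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} (?P<url>\S+)")
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Lower-case, digit-free stems that strictly alternate consonant/vowel
    (raditile, tomavita, zatunuyi). Rogue droppers of that era used such
    names; on its own this is a hint, not proof of infection."""
    if not (6 <= len(stem) <= 10) or not stem.isalpha() or not stem.islower():
        return False
    kinds = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(kinds, kinds[1:]))


def parent_domain(host: str) -> str:
    """Reduce www.example.com to example.com for list lookups."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(lines):
    """Return (category, detail) tuples for lines worth a second look."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = O15_RE.match(line)
        if m and parent_domain(m["domain"]) in ROGUE_DOMAINS:
            findings.append(("trusted-zone", m["domain"]))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if parent_domain(host) in ROGUE_DOMAINS:
                findings.append(("activex-download", m["url"]))
            continue
        if line.startswith("O3 - ") and line.endswith("No CLSID value found."):
            # Toolbar key still references a CLSID that no longer exists.
            findings.append(("orphan-toolbar", line.split(" - ")[2].strip()))
            continue
        m = FILE_RE.match(line)
        if m:
            parent, _, name = m["path"].rpartition("\\")
            in_sys32 = parent.lower().endswith("\\system32")
            hidden = any(ch in m["attr"] for ch in "HS")
            no_company = not m["company"].strip()
            if in_sys32 and hidden and no_company and looks_generated(name.split(".")[0]):
                findings.append(("hidden-random-file", m["path"]))
    return findings


# Constructed sample mirroring entries from the posted OTL.Txt.
SAMPLE_LOG = r"""
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O15 - HKLM\..Trusted Domains: winfixer.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: errorsafe.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} http://www.spywarestormer.com/files2/Install.cab (CInstall Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab (Java Plug-in 1.4.2_03)
[2009/12/10 21:22:14 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\zatunuyi
[2009/08/17 08:16:14 | 00,004,096 | -HS- | C] () -- C:\WINDOWS\System32\raditile.dll
[2006/03/21 20:42:02 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2009/12/10 21:07:20 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[1979/12/31 18:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
""".strip().splitlines()


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run it against a saved OTL.Txt by replacing SAMPLE_LOG with `open("OTL.Txt", encoding="utf-8", errors="replace")`. The name heuristic is intentionally narrow (strict consonant/vowel alternation, hidden or system attribute, empty company, directly under System32) so that legitimate vendor-less files such as CNMVS7K.DLL and the ComboFix helpers in C:\WINDOWS do not show up; widen it only with a second signal such as a missing digital signature.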


## GMO (Dec 1, 2009)

Eddy, Extras.Txt Notepad.

OTL Extras logfile created on: 12/14/2009 9:18:32 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Gregg\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.49 Mb Total Physical Memory | 292.64 Mb Available Physical Memory | 57.21% Memory free
1.22 Gb Paging File | 0.92 Gb Available in Paging File | 75.88% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 8.51 Gb Free Space | 15.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUSAN
Current User Name: Gregg
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4025279379-3476069405-3446040989-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- 
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AOL 9.5\waol.exe" = C:\Program Files\AOL 9.5\waol.exe:*:Enabled:AOL 9.5 -- (AOL, LLC.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\iPod\bin\iPodService.exe" = C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService -- (Apple Computer, Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\NVATray.exe" = C:\WINDOWS\system32\NVATray.exe:*:Enabled:NVATray -- (NVIDIA® Corporation)
"C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" = C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe:*:Enabled:AdobeUpdater -- (Adobe Systems Incorporated)
"C:\WINDOWS\msagent\agentsvr.exe" = C:\WINDOWS\msagent\agentsvr.exe:*:Enabled:AgentSvr -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{0594472B-42DC-4E29-A161-2CCC011AE7DE}" = TurboTax 2008 wmniper
"{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
"{178BAABD-0C95-4EB6-9E12-29A039EA27F6}" = Qwest eChat Support Tools
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = PhotoStitch
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = RemoteCapture Task 1.1
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{2E819828-BC8D-4177-BEBB-425FAFF89E6B}" = Microsoft XML Parser SDK
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{3CB41017-F5CA-4C56-934C-ED02156251E6}" = iTunes
"{3E908702-AF35-4611-9518-955DA24B7E07}" = Microsoft XML Parser and SDK
"{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = RAW Image Task 1.2
"{4C96958A-6562-4143-B820-FF4890D3B734}" = Camera Window DVC
"{4F1CECBC-670F-4DAA-81D6-944B12450917}" = DIGOpt
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7C40DB7D-5049-4E15-ACB8-71F3C6C32DDA}" = Eudora
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = MovieEdit Task
"{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Camera Window DS
"{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Camera Support Core Library
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6ACFF51-248A-4290-B50B-E50C81F25B97}" = iPod for Windows 2005-02-22
"{C1939820-A945-11D4-86F6-0001031E5712}" = InterVideo WinDVD
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX
"{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Camera Window MC
"{CA9A3609-3ECC-4574-8824-A8161A71A603}" = Canon MP150
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEC2A5B9-CE19-4F2E-9C8F-F310C0EAB993}" = ArcSoft Media Card Companion
"{CF6F8056-3EC3-4582-A915-9BF11A82097A}" = TurboTax 2008 wnmiper
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D167DA32-32AB-45FC-AEC1-7380BE2221A2}" = QuickConnect
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{F05A5232-CE5E-4274-AB27-44EB8105898D}" = CA Pest Patrol Realtime Protection
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AdobeESD" = Adobe Download Manager 1.2 (Remove Only)
"AOL Deskbar" = AOL Deskbar
"AOL Toolbar" = AOL Toolbar 
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AolCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"Broadband Blaster 8012U" = Broadband Blaster 8012U
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"Fonts" = Fonts
"Google Updater" = Google Updater
"GrabEasy2" = GrabEasy2
"HijackThis" = HijackThis 2.0.2
"InCD!UninstallKey" = InCD (Ahead Software)
"Installing HSP56 MicroModem Drivers" = Aztech MSP5950-U Modem Drivers
"InstallShield_{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{3CB41017-F5CA-4C56-934C-ED02156251E6}" = iTunes
"InstallShield_{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{4C96958A-6562-4143-B820-FF4890D3B734}" = Canon Camera Window DVC for ZoomBrowser EX
"InstallShield_{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Canon Camera Window DS for ZoomBrowser EX
"InstallShield_{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Canon Camera Support Core Library
"InstallShield_{B6ACFF51-248A-4290-B50B-E50C81F25B97}" = iPod for Windows 2005-02-22
"InstallShield_{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Canon Camera Window for ZoomBrowser EX
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MP Navigator 2.0" = Canon MP Navigator 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero - Burning Rom (Web installer)
"NVAUtils" = NVIDIA nForce APU1 Utilities
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"SSC Uninstaller" = Safety and Security Center Uninstaller
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Super Collapse! from GameHouse" = Super Collapse! from GameHouse
"TurboTax 2008" = TurboTax 2008
"TurboTax Home & Business 2007" = TurboTax Home & Business 2007
"TurboTax Premier 2005" = TurboTax Premier 2005
"TurboTax Premier Home & Business 2003" = TurboTax Premier Home & Business 2003
"ViewpointMediaPlayer" = Viewpoint Media Player
"WinAce Archiver" = WinAce Archiver
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinMX" = WinMX
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/8/2009 11:34:14 PM | Computer Name = SUSAN | Source = Application Error | ID = 1001
Description = Fault bucket 1596258004.

Error - 12/9/2009 5:46:52 PM | Computer Name = SUSAN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/9/2009 5:46:52 PM | Computer Name = SUSAN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/10/2009 12:02:33 AM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 10.0.0.3646, faulting module
unknown, version 0.0.0.0, fault address 0x00574c0b.

Error - 12/10/2009 12:02:40 AM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 12/10/2009 12:03:04 AM | Computer Name = SUSAN | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 10.0.0.3646, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/10/2009 11:07:01 PM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application combofix-download.cfxxe, version 0.0.0.0, faulting
module unknown, version 0.0.0.0, fault address 0x010b4c00.

Error - 12/10/2009 11:07:10 PM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application combofix-download.cfxxe, version 0.0.0.0, faulting
module unknown, version 0.0.0.0, fault address 0x010b4c00.

Error - 12/10/2009 11:08:36 PM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application combofix-download.cfxxe, version 0.0.0.0, faulting
module unknown, version 0.0.0.0, fault address 0x010b4c00.

Error - 12/10/2009 11:08:43 PM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application combofix-download.cfxxe, version 0.0.0.0, faulting
module unknown, version 0.0.0.0, fault address 0x010b4c00.

[ System Events ]
Error - 12/10/2009 10:40:50 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 10:47:22 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 10:47:25 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 10:47:30 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 10:47:34 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 10:47:37 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 11:04:52 PM | Computer Name = SUSAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/10/2009 11:09:16 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 11:09:22 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 11:09:23 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

< End of report >


----------



## eddie5659 (Mar 19, 2001)

> Windows XP-KB 310994-SP2-Home-BootDisk-ENU". I noticed in the example you gave its name starts with "Windows XP-KB-310994-SP2-Pr, I don't know if this matters?


I think it's just the version that you download, as there are many different ones. It should be okay.

---------------

Okay, first of all, let's see if you can run MBAM now.

Delete the program file you downloaded before, and try again. I've posted it here for ease of use.

-----------

Please download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

---------------

If still no joy, let me know what happens. Either way, do the following afterwards:

------------

Right click *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: Right click *DelDomains.inf* and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

----------------

Please *download* *OTM* 

*Save* it to your *desktop*.
Please double-click *OTM* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Processes
explorer.exe
:Files
C:\WINDOWS\System32\raditile.dll
C:\WINDOWS\System32\tomavita.dll
C:\WINDOWS\System32\bakivige.dll
C:\WINDOWS\System32\shawn_1.dll
:Commands
[purity]
[emptytemp]
[Reboot]
```

Return to OTM, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM* and reboot your PC.
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter `*.log` and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

============

eddie


----------



## GMO (Dec 1, 2009)

Eddy, 
MBAM downloaded and ran fine and the log is copied below. I downloaded DelDomains.inf to my desktop but could not find "Install" in the menu. My choices following a right click are: 
Open
Print
Edit
Open With > Notepad, Firefox, WordPad, Choose Program...
Scan archives(s) for viruses 
Test archives
Encrypt files 
Compress and E-mail DelDomain.inf.ace
Add to DelDomain.inf.ace
Add to
Scan with Malwarebytes' Anti-Malware
Send to
Cut
Copy
Create Shortcut
Delete 
Rename 
Properties

But no "Install" so I was unable to. Not knowing if removing all entries in the "Trusted Zone" and "Ranges" was a prerequisite I did not proceed to the OTM download and run.
Here is the MBAM log: 

Malwarebytes' Anti-Malware 1.42
Database version: 3359
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/14/2009 3:49:34 PM
mbam-log-2009-12-14 (15-49-34).txt

Scan type: Quick Scan
Objects scanned: 140761
Time elapsed: 10 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71eca692-9311-4a8a-a2de-cfa12d146977}\NameServer (Trojan.DNSChanger) -> Data: 83.149.115.182 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\raditile.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tomavita.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bakivige.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Please advise how to proceed, Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Firstly, it looks like MBAM removed 3 out of the 4 files I asked to remove via OTM, so that makes it simpler, as we can use OTL instead.

Which will take care of the O15's as well. It's strange that the Install option isn't available. It's no problem, as I can add it if needed, but we'll try this other approach first.

-------

Please run OTL.exe

Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:OTL
O15 - HKLM\..Trusted Domains: amaena.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: drivecleaner.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: errorprotector.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: errorsafe.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: imageservr.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: systemdoctor.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: winantispyware.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: winantivirus.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: winfixer.com ([]* in Trusted sites)

:Files
C:\WINDOWS\System32\shawn_1.dll
:Commands
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
It will produce a log for you on reboot, please post that log in your next reply.

eddie
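As an added example (not code from the thread, and not OTL's or HijackThis's own), here is a Python audit that parses a Registry Editor export of the ZoneMap\Domains keys targeted by the fix above and lists every domain mapped into the Trusted sites zone in the O15 style the fix script uses; the sample export is constructed, and the bracketed rendering of non-wildcard schemes is an assumption.

```python
"""Audit Internet Explorer ZoneMap domain entries from a .reg export.

Parses the text of a Registry Editor export (regedit / "reg export") and
reports every domain that lands in the Trusted sites zone, which is what
the O15 lines in the OTL fix script describe.
"""
import re
from dataclasses import dataclass

# Zone ids stored as the DWORD data of each scheme value under ZoneMap\Domains.
ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
TRUSTED_ZONE = 2

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.*)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
DOMAINS_MARKER = "\\internet settings\\zonemap\\domains\\"


@dataclass(frozen=True)
class ZoneEntry:
    hive: str     # HKLM, HKCU or HKU
    domain: str   # fully qualified host or domain, e.g. www.example.com
    scheme: str   # "*" (any scheme), "http", "https", ...
    zone: int     # ZoneMap zone id (see ZONE_NAMES)


def _domain_from_subkey(subkey: str) -> str:
    # ZoneMap stores "example.com\www" for www.example.com: the registered
    # domain is the first key level and each subdomain label is a child key.
    return ".".join(reversed(subkey.split("\\")))


def parse_zonemap_export(text: str) -> list:
    """Return every scheme->zone mapping found under a ZoneMap\\Domains key."""
    entries = []
    current = None  # (hive, domain) of the key block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            hive_name, path = key_match.groups()
            pos = path.lower().find(DOMAINS_MARKER)
            if pos == -1:
                current = None  # unrelated key: ignore its values
                continue
            subkey = path[pos + len(DOMAINS_MARKER):]
            if not subkey:
                current = None  # the Domains key itself names no domain
                continue
            current = (HIVE_ABBREV.get(hive_name, hive_name), _domain_from_subkey(subkey))
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            scheme, hex_data = value_match.groups()
            entries.append(ZoneEntry(current[0], current[1], scheme, int(hex_data, 16)))
    return entries


def trusted_domains(entries: list) -> list:
    """Keep only the entries that sit in the Trusted sites zone (the O15 case)."""
    return [e for e in entries if e.zone == TRUSTED_ZONE]


def format_o15(entry: ZoneEntry) -> str:
    # A wildcard scheme is written "[]*" as in the thread; a specific scheme is
    # shown in brackets (assumed rendering, not verified against OTL output).
    scheme_label = "[]*" if entry.scheme == "*" else f"[{entry.scheme}]"
    return f"O15 - {entry.hive}\\..Trusted Domains: {entry.domain} ({scheme_label} in {ZONE_NAMES[entry.zone]})"


def audit(text: str) -> list:
    """O15-style report lines for every Trusted-zone domain in the export."""
    return [format_o15(e) for e in trusted_domains(parse_zonemap_export(text))]


# Constructed sample export: two rogue "support" domains pushed into Trusted
# sites, one per-user subdomain entry, and one Restricted-zone entry that
# must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com]
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\update]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.test]
"*"=dword:00000004
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` and feed the file's text to `audit()`; any domain you did not add yourself deserves a look.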


----------



## GMO (Dec 1, 2009)

Eddy,
Here is the OTL log but before I forget, FYI, the spyware scan that runs when I booted (just prior to getting this reply from you) showed a "bilfrost" threat. I directed the spyware to "block" bilfrost. Should we be concerned with this?
Also, as a rule, should I be turning off all of the protections (virus, spyware, firewall, etc.) prior to running the stuff you have me run?
The OTL log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drivecleaner.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorprotector.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\systemdoctor.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\ deleted successfully.
========== FILES ==========
C:\WINDOWS\System32\shawn_1.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.SUSAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gregg
->Temp folder emptied: 2023988 bytes
->Temporary Internet Files folder emptied: 4223019 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86646564 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Susan Obbink
->Temp folder emptied: 18098 bytes
->Temporary Internet Files folder emptied: 127278 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 76236082 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 44993055 bytes

Total Files Cleaned = 204.40 mb

OTL by OldTimer - Version 3.1.17.0 log created on 12152009_224854

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*c:\program files\wace26i4.exe*

Click on the *Upload* button
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Do the same for this one as well:

*C:\Documents and Settings\Gregg\Desktop\exefix.reg*

Unless you know what it is.

eddie


----------



## GMO (Dec 1, 2009)

Hi Eddy, good to hear from you again. Seems the scans went OK. I had a bit of trouble with the "Copy to Clipboard" function, but I think I'm giving you the information you need, and then some. I clicked the "report" button, then copied and pasted that for each scan also. I hope this will suffice?

VirSCAN.org Scanned Report :
Scanned time : 2009/12/17 19:24:12 (CST)
Scanner results: Scanners did not find malware!
File Name : wace26i4.exe
File Size : 3763883 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e8da606d568a96412d7e929a6f2fc201
SHA1 : 032b78d9827e803a75a0417ce59168fa4ee859b3
Online report : http://virscan.org/report/f7e1427af08745d81afaf573248f1b9b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091218060238 2009-12-18 0.08 -
AhnLab V3 2009.12.17.02 2009.12.17 2009-12-17 0.08 -
AntiVir 8.2.1.114 7.10.2.17 2009-12-17 0.17 -
Antiy 2.0.18 20091217.3494732 2009-12-17 0.43 -
Arcavir 2009 200912171732 2009-12-17 0.12 -
Authentium 5.1.1 200912172115 2009-12-17 1.50 -
AVAST! 4.7.4 091217-1 2009-12-17 1.29 -
AVG 8.5.288 270.14.112/2571 2009-12-18 3.44 -
BitDefender 7.81008.4743291 7.29497 2009-12-18 4.13 -
CA (VET) 35.1.0 7180 2009-12-16 0.08 -
ClamAV 0.95.2 10194 2009-12-17 0.59 -
Comodo 3.13 3279 2009-12-17 0.08 -
CP Secure 1.3.0.5 2009.12.18 2009-12-18 0.53 -
Dr.Web 4.44.0.9170 2009.12.17 2009-12-17 8.02 -
F-Prot 4.4.4.56 20091217 2009-12-17 1.54 -
F-Secure 7.02.73807 2009.12.17.12 2009-12-17 0.56 -
Fortinet 11.280- 11.280 2009-12-16 0.08 -
GData 19.9381/19.630 20091218 2009-12-18 0.09 -
ViRobot 20091217 2009.12.17 2009-12-17 0.09 -
Ikarus T3.1.01.79 2009.12.17.74788 2009-12-17 4.86 -
JiangMin 13.0.900 2009.12.17 2009-12-17 0.08 -
Kaspersky 5.5.10 2009.12.18 2009-12-18 0.14 -
KingSoft 2009.2.5.15 2009.12.17.22 2009-12-17 0.08 -
McAfee 5.3.00 5835 2009-12-17 3.62 -
Microsoft 1.5302 2009.12.18 2009-12-18 0.08 -
Norman 6.01.09 6.01.00 2009-12-16 2.36 -
Panda 9.05.01 2009.12.17 2009-12-17 0.08 -
Trend Micro 9.000-1003 6.700.09 2009-12-17 0.03 -
Quick Heal 10.00 2009.12.17 2009-12-17 0.08 -
Rising 20.0 22.26.03.04 2009-12-17 0.08 -
Sophos 3.03.0 4.49 2009-12-18 2.89 -
Sunbelt 3.9.2388.2 5567 2009-12-17 0.08 -
Symantec 1.3.0.24 20091217.005 2009-12-17 0.20 -
nProtect 20091217.02 6625284 2009-12-17 0.08 -
The Hacker 6.5.0.2 v00096 2009-12-17 0.08 -
VBA32 3.12.12.0 20091216.2207 2009-12-16 2.58 -
VirusBuster 4.5.11.10 10.117.1/2006893 2009-12-17 4.95 -

Report copy:


When I scanned *C:\Documents and Settings\Gregg\Desktop\exefix.reg* I got this message:

"The file are exefix.reg uploaded by other users and scanned successfully at 2009/12/11 23:03:39, and 37 softwares update the database from last scan to now."

with the option to click a "ReScan" button and a "Scan result" button. I clicked the Scan result button, then the report button and copied them here.

VirSCAN.org Scanned Report :
Scanned time : 2009/12/11 09:03:39 (CST)
Scanner results: Scanners did not find malware!
File Name : exefix.reg
File Size : 9830 byte
File Type : 
MD5 : a8f8e48c13553ba09d9c72a9ef90fff7
SHA1 : 26f5518b3951347d8f4aba8740e7f0d137a7369b
Online report : http://virscan.org/report/6a6127bec06c2cd7dc50af70c11a2af7.html

| Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result |
|---|---|---|---|---|---|
| a-squared | 4.5.0.8 | 20091211200223 | 2009-12-11 | 4.51 | - |
| AhnLab V3 | 2009.12.11.07 | 2009.12.11 | 2009-12-11 | 1.18 | - |
| AntiVir | 8.2.1.108 | 7.10.1.215 | 2009-12-11 | 0.12 | - |
| Antiy | 2.0.18 | 20091211.3462203 | 2009-12-11 | 0.02 | - |
| Arcavir | 2009 | 200912110712 | 2009-12-11 | 0.03 | - |
| Authentium | 5.1.1 | 200912102255 | 2009-12-10 | 1.26 | - |
| AVAST! | 4.7.4 | 091211-0 | 2009-12-11 | 0.00 | - |
| AVG | 8.5.288 | 270.14.103/2558 | 2009-12-11 | 0.32 | - |
| BitDefender | 7.81008.4716217 | 7.29401 | 2009-12-11 | 4.09 | - |
| CA (VET) | 35.1.0 | 7169 | 2009-12-10 | 3.81 | - |
| ClamAV | 0.95.2 | 10149 | 2009-12-11 | 0.01 | - |
| Comodo | 3.13 | 3206 | 2009-12-11 | 0.90 | - |
| CP Secure | 1.3.0.5 | 2009.12.11 | 2009-12-11 | 0.01 | - |
| Dr.Web | 4.44.0.9170 | 2009.12.11 | 2009-12-11 | 7.52 | - |
| F-Prot | 4.4.4.56 | 20091210 | 2009-12-10 | 1.20 | - |
| F-Secure | 7.02.73807 | 2009.12.11.08 | 2009-12-11 | 0.07 | - |
| Fortinet | 11.255- | 11.255 | 2009-12-11 | 0.19 | - |
| GData | 19.9252/19.619 | 20091211 | 2009-12-11 | 5.67 | - |
| ViRobot | 20091211 | 2009.12.11 | 2009-12-11 | 0.41 | - |
| Ikarus | T3.1.01.74 | 2009.12.11.74739 | 2009-12-11 | 4.17 | - |
| JiangMin | 13.0.900 | 2009.12.11 | 2009-12-11 | 4.64 | - |
| Kaspersky | 5.5.10 | 2009.12.11 | 2009-12-11 | 0.03 | - |
| KingSoft | 2009.2.5.15 | 2009.12.11.20 | 2009-12-11 | 0.52 | - |
| McAfee | 5.3.00 | 5828 | 2009-12-10 | 3.45 | - |
| Microsoft | 1.5302 | 2009.12.11 | 2009-12-11 | 6.53 | - |
| Norman | 6.01.09 | 6.01.00 | 2009-12-11 | 2.01 | - |
| Panda | 9.05.01 | 2009.12.10 | 2009-12-10 | 2.65 | - |
| Trend Micro | 9.000-1003 | 6.686.03 | 2009-12-11 | 0.03 | - |
| Quick Heal | 10.00 | 2009.12.11 | 2009-12-11 | 1.28 | - |
| Rising | 20.0 | 22.25.04.07 | 2009-12-11 | 0.26 | - |
| Sophos | 3.02.0 | 4.48 | 2009-12-11 | 2.76 | - |
| Sunbelt | 3.9.2386.2 | 5555 | 2009-12-10 | 2.04 | - |
| Symantec | 1.3.0.24 | 20091210.003 | 2009-12-10 | 0.04 | - |
| nProtect | 20091210.02 | 6560411 | 2009-12-10 | 4.87 | - |
| The Hacker | 6.5.0.2 | v00090 | 2009-12-10 | 0.90 | - |
| VBA32 | 3.12.12.0 | 20091210.1626 | 2009-12-10 | 2.25 | - |
| VirusBuster | 4.5.11.10 | 10.116.1/2004556 | 2009-12-11 | 2.35 | - |

Report copy:


I hope this provides the information you were asking for??
Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Yep, they're clean 

The stuff underneath are other files that have been scanned before, not yours 

It's looking a lot better, so let's have a look at an online scan, just to make sure.

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:

- Close any open programs
- Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.
*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, adware, dialers, and other riskware
- Archives
- E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.
Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply.

eddie


----------



## GMO (Dec 1, 2009)

OK Eddie, Here is the Kaspersky scan report. The scan seemed to go OK but FYI there was a message just below the scan progress information that read:
Attention! Anti-virus scanning may be unavailable if your computer already has another anti-virus application installed and running. Please deactivate the anti-virus software installed on your computer and start Kaspersky Online Scanner 7.0 again from the web site of Kaspersky Lab.

I don't know if this is a generic message, or an indication that I didn't have my Anti-virus turned off. I had turned off everything I'm aware of having, virus, spyware, and firewall. I looked around where I know to look for anti-virus programs and I did go to the site you provided that showed how to disable antivirus programs. I think I got it all but I'm not sure.

Kaspersky scan report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, December 19, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 19, 2009 17:48:40
Records in database: 3389795
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 89092
Threats found: 31
Infected objects found: 45
Suspicious objects found: 1
Scan duration: 02:26:05

File name / Threat / Threats count
C:\Documents and Settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\General info.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z 1
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\BSINSTALL.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 1.wmv Infected: Trojan-Downloader.WMA.Wimad.t 1
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 2.wmv Infected: Trojan-Downloader.WMA.Wimad.t 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Microsoft AData\sysnet.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bekoduya.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bidubiti.dll.vir Infected: Trojan.Win32.Monder.cvgf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bosurezo.dll.vir Infected: Trojan.Win32.Monderb.bgpg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\busoguze.dll.vir Infected: Trojan.Win32.Monder.cvbz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\divasalo.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\genetoda.dll.vir Infected: Trojan.Win32.Monder.cvia 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gesiwoha.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\golosufu.dll.vir Infected: Trojan.Win32.Monder.cusu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTpjovmkluvk.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTtmxdpqmqsa.dll.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hatijina.dll.vir Infected: Trojan.Win32.Stuh.akot 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hiyoluge.dll.vir Infected: Trojan.Win32.Stuh.aklb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jevaziji.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kasiyebo.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kewowupa.dll.vir Infected: Trojan.Win32.Monderb.bgoo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\litunude.dll.vir Infected: Trojan.Win32.Migotrup.mkp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\logon.exe.vir Infected: Trojan.Win32.Vilsel.kga 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\melunule.dll.vir Infected: Trojan.Win32.Stuh.akso 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSView.exe.vir Infected: Trojan-Dropper.Win32.Agent.og 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\panosuba.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\peyumupo.dll.vir Infected: Packed.Win32.Katusha.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\redipefe.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sapawoma.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sivaforu.dll.vir Infected: Trojan.Win32.Monder.cuum 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\telelepu.dll.vir Infected: Trojan.Win32.Monder.cvem 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tijawani.dll.vir Infected: Trojan.Win32.Stuh.aknm 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\togitata.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tubivabo.dll.vir Infected: Trojan.Win32.Migotrup.mko 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\voladeti.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wijidapa.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wobupobu.dll.vir Infected: Trojan.Win32.Stuh.akoq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wogutopa.dll.vir Infected: Trojan.Win32.Monder.cvau 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yazeriza.dll.vir Infected: Trojan.Win32.Monder.cvkv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zawibavu.dll.vir Infected: Packed.Win32.Katusha.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zujopuhe.dll.vir Infected: Trojan.Win32.Stuh.akek 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zumijasa.dll.vir Infected: Trojan.Win32.Monder.cuql 1
C:\WINDOWS\system32\ezStubx.exe Infected: not-a-virus:AdWare.Win32.EZula.a 1
C:\_OTL\MovedFiles\12152009_224854\C_WINDOWS\System32\shawn_1.dll Infected: not-a-virus:AdWare.Win32.EliteBar.ac 1

Selected area has been scanned.

PS. Thanks for the warning NOT to be alarmed by the report!! Things look pretty bad from here.

Thanks again, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Yep, most are already gone 

You mentioned earlier about closing virus scanners, but I forgot to answer. Yes, if you can as they may conflict with the programs being used. This is a good link:


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. 
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

------------

As you have OTM already, do the following


Please double-click *OTM* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Processes
explorer.exe
:Files
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 1.wmv
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 2.wmv
:Commands
[purity]
[emptytemp]
[Reboot]
```

Return to OTM, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM* and reboot your PC.
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *\*.log* and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

-------------

Then, delete the ComboFix you have on your Desktop, and re-download and scan as follows:

Download ComboFix from *Here*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

eddie


----------



## GMO (Dec 1, 2009)

Hi Eddie, FYI I never downloaded OTM. I was having trouble with MBAM (there was no "install" option, see thread #18) so I never got that far. Also you had me rename ComboFix "Project" when I saved it to my desktop (thread #6) and at some point we removed it. Also FYI the ComboFix link provided in this thread gave me a "404 - Not Found" page so I went back to thread #6 and used link #2 of the 3 links you had provided; I hope this was OK to do. Otherwise everything went fine.
OTM Log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 1.wmv moved successfully.
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 2.wmv moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.SUSAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gregg
->Temp folder emptied: 150239630 bytes
->Temporary Internet Files folder emptied: 784598 bytes
->Java cache emptied: 13823532 bytes
->FireFox cache emptied: 94400072 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Susan Obbink
->Temp folder emptied: 13291013 bytes
->Temporary Internet Files folder emptied: 190548 bytes
->Java cache emptied: 13690439 bytes
->FireFox cache emptied: 82712132 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 148776944 bytes

Total Files Cleaned = 494.00 mb

OTM by OldTimer - Version 3.1.3.0 log created on 12212009_200146

Files moved on Reboot...

Registry entries deleted on Reboot...

ComboFix Log:

ComboFix 09-12-21.01 - Gregg 12/21/2009 20:31:29.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.169 [GMT -6:00]
Running from: c:\documents and settings\Gregg\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 02:01 . 2009-12-22 02:01 -------- d-----w- C:\_OTM
2009-12-19 16:54 . 2009-12-19 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-19 16:49 . 2009-12-19 16:49 152576 ----a-w- c:\documents and settings\Gregg\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-19 16:46 . 2009-12-19 16:46 79488 ----a-w- c:\documents and settings\Gregg\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-16 04:48 . 2009-12-16 04:48 -------- d-----w- C:\_OTL
2009-12-14 21:54 . 2009-12-14 21:54 -------- d-----w- c:\documents and settings\Susan Obbink\Application Data\Malwarebytes
2009-12-14 21:28 . 2009-12-14 21:28 -------- d-----w- c:\documents and settings\Gregg\Application Data\Malwarebytes
2009-12-14 21:28 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 21:28 . 2009-12-14 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-14 21:28 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 21:28 . 2009-12-14 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-14 06:29 . 2009-12-14 06:40 -------- d-----w- C:\Project3681P
2009-12-14 06:04 . 2009-12-14 06:29 -------- d-----w- C:\Project9686P
2009-12-14 06:02 . 2009-12-14 06:04 -------- d-----w- C:\Project21027P
2009-12-14 06:01 . 2009-12-14 06:02 -------- d-----w- C:\Project29781P
2009-12-14 06:00 . 2009-12-14 06:01 -------- d-----w- C:\Project20042P
2009-12-14 05:59 . 2009-12-14 06:00 -------- d-----w- C:\Project24901P
2009-12-14 05:56 . 2009-12-14 05:59 -------- d-----w- C:\Project12228P
2009-12-14 05:55 . 2009-12-14 05:56 -------- d-----w- C:\Project17412P
2009-12-14 05:52 . 2009-12-14 05:55 -------- d-----w- C:\Project18688P
2009-12-14 05:38 . 2009-12-14 05:42 -------- d-----w- C:\Project28979P
2009-12-14 05:13 . 2009-12-14 05:38 -------- d-----w- C:\Project
2009-12-02 15:16 . 2009-12-02 15:16 -------- d-----w- c:\program files\Trend Micro
2009-12-01 15:41 . 2009-11-19 17:48 43008 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-01 15:41 . 2009-11-19 17:48 340480 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-01 15:41 . 2009-11-19 17:48 346624 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-01 15:41 . 2009-11-19 17:48 872960 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-01 14:58 . 2009-12-01 14:58 -------- d-----w- c:\documents and settings\Gregg\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-19 16:53 . 2004-02-27 03:04 -------- d-----w- c:\program files\Java
2009-12-19 16:36 . 2007-04-08 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-22 16:27 . 2007-01-08 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-04 14:57 . 2003-11-08 15:29 -------- d-----w- c:\program files\QuickTime
2005-01-07 05:16 . 2005-01-07 05:16 3763883 -c--a-w- c:\program files\wace26i4.exe
.

((((((((((((((((((((((((((((( [email protected]_14.32.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-22 02:03 . 2009-12-22 02:03 16384 c:\windows\temp\Perflib_Perfdata_690.dat
+ 2009-12-19 16:54 . 2009-12-19 16:54 149280 c:\windows\system32\javaws.exe
+ 2009-12-19 16:54 . 2009-12-19 16:54 145184 c:\windows\system32\javaw.exe
+ 2009-12-19 16:54 . 2009-12-19 16:54 145184 c:\windows\system32\java.exe
+ 2009-12-19 16:53 . 2009-12-19 16:53 537600 c:\windows\Installer\102061.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"sscRun"="c:\program files\Common Files\AOL\1102874169\ee\SSCRun.exe" [2007-01-25 153168]
"PCTVOICE"="pctspk.exe" [2001-06-15 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"nwiz"="nwiz.exe" [2002-05-03 364544]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 45056]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-08-15 155648]
"InCD"="c:\program files\ahead\InCD\InCD.exe" [2002-08-15 995328]
"HostManager"="c:\program files\Common Files\AOL\1102874169\ee\AOLSoftware.exe" [2008-11-06 41264]
"AOLSPScheduler"="c:\program files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe" [2007-01-25 8784]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-12-18 278528]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-1-4 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll" [2006-01-09 86016]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\NVATray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"c:\\WINDOWS\\msagent\\agentsvr.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [8/15/2002 8:51 AM 9088]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [8/15/2002 8:51 AM 328448]
S2 NeroSVC;NeroSVC;c:\program files\ahead\Nero\NeroSVC.exe [3/30/2001 5:10 PM 73728]
S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [4/25/2000 6:01 AM 35694]
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Gregg\Application Data\Mozilla\Firefox\Profiles\cmbb5emw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 20:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3928)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
.
Completion time: 2009-12-21 20:42:22
ComboFix-quarantined-files.txt 2009-12-22 02:42
ComboFix2.txt 2009-12-14 14:35
ComboFix3.txt 2009-12-11 03:41

Pre-Run: 8,868,421,632 bytes free
Post-Run: 8,840,388,608 bytes free

- - End Of File - - 19D73CA49B04C28AB13F566053210E5A

I hope I've got everything here you were looking for.
Thanks again, Gregg


----------



## eddie5659 (Mar 19, 2001)

Yep, that's fine as the link I posted was available, but it was updated through the night (for the UK), so I'm glad I posted previously.

I've updated my speech for that now 

As for OTM, I thought we used it, but now see it was OTL we used to remove stuff with. Sorry about the confusion.

Having a look at the log, back in a bit


----------



## eddie5659 (Mar 19, 2001)

Looking a lot better, so I just want to check a folder, and we're almost done. After that, we'll clean up the tools, and I just want to have a check on something else (not malware) and it's good to go.

Oh, how is the computer running now, by the way?

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1
Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:dir
C:\WINDOWS\System32\zatunuyi
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*.


----------



## GMO (Dec 1, 2009)

Hey Eddie, our computer is running a LOT better, thank you very much! One thing though: my wife and I have separate accounts, and she cannot download or play anything on her media player. We use the same one (Windows Media Player) but she was stuck with the same media player/account that our son (Tom) used to download all of his music to. I noticed last time you went after something from there:

C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 1.wmv
C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 2.wmv

and as fate would have it that is when it stopped working. Other than that things are very much improved. My media player works fine and my MP3 player syncs up again, pop-ups are gone, speed is up and CPU usage is down.
Here are the results from the Systemlook scan:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:52 on 22/12/2009 by Gregg (Administrator - Elevation successful)

========== dir ==========

C:\WINDOWS\System32\zatunuyi - Unable to find folder.

-=End Of File=-

Thanks! Gregg.


----------



## eddie5659 (Mar 19, 2001)

Firstly, with regards to the media player not working, I'll have a look at that when it's all clear of malware and the tools removed.

The files that were removed actually had the Trojan-Downloader.WMA.Wimad.t. I've popped a link here so you can have a read 

It may be that the player was integrated with the mp3's that were infected, so once the files were gone, the player didn't work. But, like I said, we'll look at that afterwards:

http://www.bitdefender.com/VIRUS-1000317-en--Trojan.Downloader.WMA.Wimad.html

Good to see the computer, apart from the player, is a lot better.

Now, as I said, all malware is gone, so lets run this program to do a bit of cleaning, which will help the system.

Ooo, before I do, can you do this for me:

Delete the SystemLook.txt off your Desktop, then..


Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:dir
C:\Project3681P
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*.

-----

After that, do this:

Please download *Runscanner* to your desktop and run it.

When the first page comes up select *Beginner Mode*
On the next page select *Save a binary .Run file (Recommended)* then click *Start full scan* at the top.
At this time Runscanner.exe may request *access to the Internet* through your firewall; please allow it to do so. It will then run for two or three minutes.
On completion it will ask for a location to save the file and a name. It will do this for both the *.run file* and the *log file*.
Call the .run file *"RSReport"* and save it to your desktop. You will see the *RSReport.run* file on your desktop. Right-click on it and select *Send To*, then select *Compressed (zipped) Folder* and upload that zip here. Click on the *Go Advanced* button for the uploading options at the bottom of this page (in the picture below).

In there, at the bottom, click on the button *Manage Attachments* (in the picture below).
A window will appear, and then Browse to *RSReport.zip* on your Desktop.
Click Upload, and when uploaded click *Close this Window*.
Then, in the previous window, click on *Add Reply*.

And have a Merry Christmas, as I may be busy until Sunday.

eddie


----------



## GMO (Dec 1, 2009)

Thanks Eddie, Merry Christmas to you too! I'm not real sure I have everything here you requested. I got as far as Browsing, Uploading, and "Close This Window" but I kind of got lost at the end about the time you said "Then, in the previous window, click on *Add Reply*." I have no idea where the Zip file uploaded to. Maybe I could copy and paste it in a reply?? I still have it on my desktop so I might send this and go through your instructions again to see if I can figure out where I went wrong. Here is the SystemLook Log.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:54 on 25/12/2009 by Gregg (Administrator - Elevation successful)

========== dir ==========

C:\Project3681P - Parameters: "(none)"

---Files---
ComboFix-Download.cfxxe -ra--- 141312 bytes [06:29 14/12/2009] [14:00 31/08/2000]

---Folders---
N_ d----- [06:29 14/12/2009]

-=End Of File=-

OK I went back and clicked "Manage Attachments" and saw the Zip file there, I think, so I'm assuming we're OK?? 
Thanks again (especially for your patience) Gregg.


----------



## GMO (Dec 1, 2009)

Hey Eddie, Now I see the zip file attached to my last message. Just in case you want to look at this, here is the runscanner Logfile.

Runscanner logfile

* = signed file
- = file not found

General info
------------
Computer name : SUSAN
Creation time : 12/26/2009 4:07:59 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.9.0.9
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
* C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe (AOL LLC)
* C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe (AOL LLC)
* C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)
* C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
* C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe (CA, Inc.)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
C:\Program Files\ahead\InCD\InCD.exe (Copyright (C) ahead software gmbh and its licensors)
* C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)
C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
* C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
* C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe (Arcsoft, Inc.)
C:\WINDOWS\system32\NVATray.exe (NVIDIA® Corporation)
* C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
* C:\WINDOWS\system32\pctspk.exe
* C:\Documents and Settings\Gregg\Desktop\runscanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe (AOL LLC)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)

Unrated items
-------------
002 * C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
002 * C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
002 * C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe (AOL LLC)
002 C:\Program Files\ahead\InCD\InCD.exe (Copyright (C) ahead software gmbh and its licensors)
002 C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
002 C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
002 C:\WINDOWS\system32\NVATray.exe (NVIDIA® Corporation)
002 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
005 C:\PROGRA~1\ArcSoft\MEDIAC~1\MCCMON~1.EXE (Arcsoft, Inc.)
010 * C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL Connectivity Service)
010 * C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe (CA Pest Patrol Realtime Protection Service)
010 * C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Update Service)
010 C:\Program Files\iPod\bin\iPodService.exe (iPod Service)
010 C:\Program Files\ahead\Nero\NeroSVC.exe (NeroSVC)
011 C:\WINDOWS\System32\DRIVERS\bsstor.sys (InCD Storage Helper Driver)
011 C:\WINDOWS\system32\drivers\BsUDF.sys (InCD UDF Driver)
041 * C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC) {DE9C389F-3316-41A7-809B-AA305ED9D922}
041 C:\Program Files\Canon\Easy-WebPrint\Toolband.dll {327C2873-E90D-4c37-AA9D-10AC9BABA46C}
042 GUID / CLSID not found {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
042 GUID / CLSID not found {4982D40A-C53B-4615-B15B-B5B5E98D167C}
045 * C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC) {DE9C389F-3316-41A7-809B-AA305ED9D922}
047 Zone: objects.aol.com : *.objects.aol.com
050 C:\Documents and Settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll (Qualcomm Inc.) {EDB0E980-90BD-11D4-8599-0008C7D3B6F8}
052 * C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC) {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
052 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
061 C:\Program Files\dBpowerAMP\dMCShell.dll {2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}
061 C:\Program Files\dBpowerAMP\dBShell.dll {FED7043D-346A-414D-ACD7-550D052499A7}
061 C:\Documents and Settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll (Qualcomm Inc.) {EDB0E980-90BD-11D4-8599-0008C7D3B6F8}
061 C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
061 C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL (Microsoft Corporation) {0006F045-0000-0000-C000-000000000046}
061 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D21-7BD0-11D1-BFB7-00AA00262A11}
061 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
061 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D25-7BD0-11D1-BFB7-00AA00262A11}
061 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D23-7BD0-11D1-BFB7-00AA00262A11}
062 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
100 ShellNext HKCU : http://windowsupdate.microsoft.com/
102 GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
104 C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx (Snapfish) {406B5949-7190-4245-91A9-30A17DE16AD0}
104 GUID / CLSID not found {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}
104 GUID / CLSID not found {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
104 * C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx (The Facebook) {5F8469B4-B055-49DD-83F7-62B522420ECC}
104 GUID / CLSID not found {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
104 C:\WINDOWS\Downloaded Program Files\FujifilmUploadClient.dll (Fujifilm E-Systems, Inc.) {A8683C98-5341-421B-B23C-8514C05354F1}
104 GUID / CLSID not found {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
104 C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
104 C:\WINDOWS\Downloaded Program Files\ticker13.ocx (Microsoft Corporation) {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29}
105 Google Sidewiki... : res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
173 GUID / CLSID not found
173 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
221 GUID / CLSID not found
221 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
223 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
227 GUID / CLSID not found
227 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
231 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) PDF Column Info
251 C:\Program Files\WinAce\arcext.dll (e-merge GmbH) {8FF88D25-7BD0-11D1-BFB7-00AA00262A11}
254 C:\Program Files\Common Files\aolshare\aolshcpy.dll (America Online Inc.) {2AA464DB-D10A-4E26-9A19-B81118D5C562}

Missing files
-------------
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\DOCUME~1\Gregg\LOCALS~1\Temp\catchme.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\hpt3xx.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 deskpan.dll
104 C:\WINDOWS\DOWNLO~1\Install.dll

Sorry if you already have this.
Gregg


----------



## eddie5659 (Mar 19, 2001)

Hmm, looks like ComboFix created some extra folders. If they're not gone when we uninstall in a bit, we'll manually remove them.

Download the attachment at the end of this post. This will be your *RSReport* file, with the fixes I need you to do.


Save it to your desktop, then extract the *RSReport.run* file to your Desktop, overwriting the existing one.
Open the runscanner folder and double click on the *runscanner.exe* file.
This time select the *Expert Mode*.
Click the *Item Fixer* tab.
Click the button at the top called *Fix selected items*.
Accept the warning(s) and repeat until they are all gone.
Reboot your PC.
Post a fresh HijackThis log.

eddie


----------



## GMO (Dec 1, 2009)

OK Eddie, I think this is what you're looking for. Let me know if it isn't (like I need to tell you that). 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:25 PM, on 12/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe

Gregg


----------



## eddie5659 (Mar 19, 2001)

Looks like it's missing some lines, as there are no O1, O2 entries etc.


----------



## GMO (Dec 1, 2009)

OKAAA, Don't know how I managed that! I missed all the good stuff! How does this look?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:25 PM, on 12/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\AOL\1102874169\EE\anotify.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102874169\ee\SSCRun.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102874169\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102874169\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NeroSVC - ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: [email protected] - C:\Program Files\ahead\Nero\NeroSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7419 bytes

Sorry about that, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Looking a lot better.

Okay, let's do the final clear up.

Run HijackThis again, and tick the following entries only:

*O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)*
*O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)*

Make sure all internet and explorer windows are closed, then press *Fix Checked*.

-----

Please run OTL. 

Click *Clean Up* button. 
Accept any prompts. 
This will remove any tools we used, including OTL, and will require a reboot.

-----

You can delete the *SystemLook* program off your Desktop.

You can delete the *DelDomains.inf* off your Desktop.

-------

We have a couple of last steps to perform and then you're all set.

Go to Control Panel and open the *Internet Options*. Click on the *Advanced tab* and do the following:

 Tick Empty Temporary Internet Files When Browser is Closed under Security. Apply.
Then, click on the *Security tab* and do the following:

 Make sure the Internet icon is selected.
 Select *Custom Settings*.
 From the drop down menu, select *Medium*, and press *Reset* and select Yes. If it's already on *Medium*, still click on the Reset button.
 Apply and OK.

Secondly, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click *Start*.
* Open *My Computer*.
* Select the *Tools menu* and click *Folder Options*.
* Select the *View* tab.
* Under the *Hidden files and folders* heading *UNSELECT Show hidden files and folders*.
* *CHECK* the *Hide protected operating system files (recommended)* option.
* Click *Yes* to confirm.
* Click *OK*.
Next, let's clean your restore points and set a new one:

*Reset and Re-enable your System Restore* to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
*1. Turn off System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.
*2. Restart your computer.*

*3. Turn ON System Restore.*
On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore* tab.
UN-Check *Turn off System Restore*.
Click *Apply*, and then click *OK*.

*System Restore will now be active again.*

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
*SpywareBlaster* to help prevent spyware from installing in the first place.
*SpywareGuard* to catch and block spyware before it can execute.
*ZonedOut* to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 2 free ones available for personal use:
*Sunbelt Personal Firewall*
*ZoneAlarm*
and a good antivirus (these are also free for personal use):
*AVG Anti-Virus*
*Avast Home Edition*
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit 
*Microsoft Windows Update*
monthly. And to keep your system clean run these free malware scanners 

*Malwarebytes' Anti-Malware*

*Spybot Search & Destroy*
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this about Security online: *General Security Information, How to tighten Security Settings and Warnings*

Have a safe and happy computing day!

eddie
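As an added illustration (not code from this thread or from HijackThis itself), here is a small Python parser for the HijackThis log format posted above. It joins the NeroSVC service entry, whose vendor string spills over several lines, back into one record, and lists the "(no file)" toolbar entries that eddie asked to have ticked. The sample log is constructed from lines quoted in this thread.

```python
"""Parse a HijackThis 2.0.2 log and flag entries that point at a missing file.

Added example, not part of the thread or of HijackThis. The log format is
taken from the logs posted in this thread; SAMPLE_LOG below is constructed
from a subset of those lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis entry lines start with R0..R3 or O1..O24 followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: a subset of the HijackThis log quoted above, including
# the NeroSVC service whose vendor string is printed across several lines.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O23 - Service: NeroSVC - ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
e-mail: [email protected] - C:\Program Files\ahead\Nero\NeroSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7419 bytes
"""


@dataclass
class Entry:
    kind: str              # section tag, e.g. "O3"
    body: str              # text after "O3 - ", continuation lines joined
    clsid: Optional[str]   # {GUID} if the entry carries one
    target: str            # last " - " field: file path, URL, or "(no file)"


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)


def _finish(kind: str, body: str) -> Entry:
    """Build an Entry from a joined body line."""
    m = CLSID_RE.search(body)
    # The file/URL is the last " - " separated field; entries without that
    # separator (R1, O4) keep the whole body as their target.
    target = body.rsplit(" - ", 1)[-1].strip() if " - " in body else body
    return Entry(kind, body, m.group(0) if m else None, target)


def parse_hjt(text: str) -> HjtLog:
    """Parse HijackThis output into processes and tagged entries."""
    log = HjtLog()
    current: Optional[List[str]] = None   # [kind, body] being accumulated
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                log.processes.append(line)
            else:
                in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            if current:
                log.entries.append(_finish(*current))
            current = [m.group(1), m.group(2)]
        elif current and line and not line.startswith(("--", "End of file")):
            # Continuation: HijackThis prints a service's vendor string
            # verbatim, so a multi-line vendor spills onto extra lines.
            current[1] += " " + line
        elif current and not line:
            log.entries.append(_finish(*current))
            current = None
    if current:
        log.entries.append(_finish(*current))
    return log


def find_orphans(log: HjtLog) -> List[Entry]:
    """Entries whose registered file no longer exists on disk."""
    return [e for e in log.entries if e.target == "(no file)"]


def tick_lines(log: HjtLog) -> List[str]:
    """Reconstruct the exact lines to tick in HijackThis for the orphans."""
    return [f"{e.kind} - {e.body}" for e in find_orphans(log)]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(parsed.processes)} processes, {len(parsed.entries)} entries")
    for line in tick_lines(parsed):
        print("tick:", line)
```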


----------



## eddie5659 (Mar 19, 2001)

Okay, I haven't marked this Solved, as I'm just asking if you're still having this issue you mentioned before:



> Hey Eddie, Our computer is running a LOT better, thank you very much! One thing though, my wife and I have separate accounts, and she can not download or play anything on her media player. We use the same one (Windows Media Player) but she was stuck with the same media player/account that our son (Tom) use to downloaded all of his music to. I noticed last time you went after something from there: (C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 1.wmv
> C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 2.wmv)
> and as fate would have it that is when it stopped working. Other than that things are very much improved. My media player works fine and my MP3 player syncs up again, pop ups are gone, speed is up and CPU usage is down.


If so, let's get that sorted as well.


----------



## GMO (Dec 1, 2009)

OK Eddie, I did everything you recommended. In addition to Malwarebytes, that you're recommending I keep and use regularly, I still have the following tools on my desktop: ComboFix, exefix, TFC, Windows-XP-KB-310994-SP2-Home-BootDisk-ENU, and HijackThis. I've downloaded SpywareBlaster and SpywareGuard (I had some trouble with ZonedOut, something about my "win" something or another being out of date), Sunbelt Personal Firewall, and AVG Anti-Virus. The AVG seemed to have a "real time" scan going on that kept some sites from loading, like AOL and my internet banking site, so I stopped that function and they loaded immediately. Is it still doing what I need it to do or do I need to consider another one??
As for Windows updates, that's another story altogether. I have been unable to download SP3 (good, bad or otherwise) and I get notices regularly that tell me I can update my media player, but that installation fails so I end up going back to the old version; if it ain't broke don't fix it, I guess. I'm not sure how to operate Malwarebytes, as all I've ever done with it is do what you tell me to do, but I'll look at it and see if I can figure it out without messing something up.
And last but not least, speaking of media players, the media player on my wife's account is still DOA. The media player on my account seems to be working fine, plays videos, CDs and it syncs up with my MP3 player (I'm happy about that!).
Oh, I will go to the site you gave me and read about general security information. I really, really don't want this to happen again, so I will do whatever it takes to avoid it.
Thanks, Gregg


----------



## eddie5659 (Mar 19, 2001)

Okay, firstly, can you check to see if these folders are still showing:

C:\Project3681P
C:\Project9686P
C:\Project21027P
C:\Project29781P
C:\Project20042P
C:\Project24901P
C:\Project12228P
C:\Project17412P
C:\Project18688P
C:\Project28979P
C:\Project

I think the ComboFix that you have was the renamed program, so that may be the reason why it's still there. In that case, see if this works:

*Follow these steps to uninstall Combofix and some tools used in the removal of malware. This will also clean out and reset your Restore Points*


 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Then check to see if the folders are still there.

--

Keep the TFC program, I tend to run this weekly or monthly.

What's exefix? Is it something you downloaded a while ago, to fix programs? If so, move that to the Recycle Bin. If you're not sure, can you scan here:


Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*C:\Documents and Settings\Desktop\exefix.exe*

 Click on the *Upload* button
 Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
 Paste the contents of the Clipboard in your next reply.

If it isn't an exe, just right-click and select Properties. In there will be the full name, and the location, if it's not C:\Documents and Settings\Desktop\

-------

Looks like Windows-XP-KB-310994-SP2-Home-BootDisk-ENU is from here:

http://www.microsoft.com/downloads/...07-99F7-4A2D-983D-81C2137FF464&displaylang=en

Which I'm guessing you have used. If so, just delete that as well.

----

You can delete the HijackThis program, as you should have it in the Programs list. Just double-check, it will be listed under Start | Programs | Trend Micro.

----

Don't worry about ZonedOut, I'm going to remove that from my speech.

---

I'll look at AVG in a bit: I'm at work, so posting when I can. Posting this part now, rest to follow at lunch.


----------



## eddie5659 (Mar 19, 2001)

AVG: there have been some problems lately with the new patch. A few of my friends told me about this, then I noticed that web pages took forever, or timed out, and that my gaming was affected.

So, I've removed that and gone for the other one, Avast. A lot better, and when I want to do gaming, I can stop all the scanners, eg Email etc.

This is the one:

http://www.avast.com/eng/avast_4_home.html

---

Windows Update: I tend not to go for SP3, as I like to see the updates I'm getting. So, when you scan, click No Thanks, and it carries on to the rest of the list. By the way, select Custom Updates when you're there, not the Critical button. That way, it will show you others.

The critical ones are still there, and under Others (ignore the Hardware ones) may be some like Root Update, etc. Again, you can see what they are, and if you're unsure, just ask 

---

Media Player: Which version are you both on? If you're not sure, in the Menu (again, from memory) or in Options, click on About, and it will say which version.

Ah, can do this at work. Open media player. On the drop down list for the Options, which is next to the minimise button, top right, select Help then About.

---

With Malwarebytes, just use it like I have mentioned before. Just update and scan, and it should be okay. Again, I do this weekly.

---

Again, let me know which media player your wife has, and we'll go from there 

Happy New Year

eddie


----------



## GMO (Dec 1, 2009)

Hey Eddie, Thanks for all the information. I'll install Avast ASAP, I assume I should uninstall AVG?? 
As for the media player, I can't open Susan's, I get the "An internal application error has occurred" message, but I'm using version 10.00.00.4058. I doubt you need it but just in case, here is the Product ID#: 69808-325-6768-422-04623.
Thanks again, Gregg.


----------



## GMO (Dec 1, 2009)

Eddie, I didn't notice your first post until now. I'll need to read and follow your instructions before I can get back to you. I did start on it and when I tried to search ComboFix for the folders I got a message about AVG virus scan running and it might mess things up, and that I should disable it. I tried to disable it but it told me it was still running and if I continued it would be at my own risk, at which point I aborted. Should I uninstall AVG or how do I disable it?
Gregg


----------



## GMO (Dec 1, 2009)

Hi again Eddie, I did the VirSCAN for the exefix.exe. I clicked Copy to Clipboard but couldn't see anything happen and I couldn't find the scan results, so I copied and pasted them here. I hope you can see what you need to see???

VirSCAN.org Scanned Report :
Scanned time : 2009/12/11 09:03:39 (CST)
Scanner results: Scanners did not find malware!
File Name : exefix.reg
File Size : 9830 byte
File Type : 
MD5 : a8f8e48c13553ba09d9c72a9ef90fff7
SHA1 : 26f5518b3951347d8f4aba8740e7f0d137a7369b
Online report : http://virscan.org/report/6a6127bec06c2cd7dc50af70c11a2af7.html

| Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result |
|---|---|---|---|---|---|
| a-squared | 4.5.0.8 | 20091211200223 | 2009-12-11 | 4.51 | - |
| AhnLab V3 | 2009.12.11.07 | 2009.12.11 | 2009-12-11 | 1.18 | - |
| AntiVir | 8.2.1.108 | 7.10.1.215 | 2009-12-11 | 0.12 | - |
| Antiy | 2.0.18 | 20091211.3462203 | 2009-12-11 | 0.02 | - |
| Arcavir | 2009 | 200912110712 | 2009-12-11 | 0.03 | - |
| Authentium | 5.1.1 | 200912102255 | 2009-12-10 | 1.26 | - |
| AVAST! | 4.7.4 | 091211-0 | 2009-12-11 | 0.00 | - |
| AVG | 8.5.288 | 270.14.103/2558 | 2009-12-11 | 0.32 | - |
| BitDefender | 7.81008.4716217 | 7.29401 | 2009-12-11 | 4.09 | - |
| CA (VET) | 35.1.0 | 7169 | 2009-12-10 | 3.81 | - |
| ClamAV | 0.95.2 | 10149 | 2009-12-11 | 0.01 | - |
| Comodo | 3.13 | 3206 | 2009-12-11 | 0.90 | - |
| CP Secure | 1.3.0.5 | 2009.12.11 | 2009-12-11 | 0.01 | - |
| Dr.Web | 4.44.0.9170 | 2009.12.11 | 2009-12-11 | 7.52 | - |
| F-Prot | 4.4.4.56 | 20091210 | 2009-12-10 | 1.20 | - |
| F-Secure | 7.02.73807 | 2009.12.11.08 | 2009-12-11 | 0.07 | - |
| Fortinet | 11.255- | 11.255 | 2009-12-11 | 0.19 | - |
| GData | 19.9252/19.619 | 20091211 | 2009-12-11 | 5.67 | - |
| ViRobot | 20091211 | 2009.12.11 | 2009-12-11 | 0.41 | - |
| Ikarus | T3.1.01.74 | 2009.12.11.74739 | 2009-12-11 | 4.17 | - |
| JiangMin | 13.0.900 | 2009.12.11 | 2009-12-11 | 4.64 | - |
| Kaspersky | 5.5.10 | 2009.12.11 | 2009-12-11 | 0.03 | - |
| KingSoft | 2009.2.5.15 | 2009.12.11.20 | 2009-12-11 | 0.52 | - |
| McAfee | 5.3.00 | 5828 | 2009-12-10 | 3.45 | - |
| Microsoft | 1.5302 | 2009.12.11 | 2009-12-11 | 6.53 | - |
| Norman | 6.01.09 | 6.01.00 | 2009-12-11 | 2.01 | - |
| Panda | 9.05.01 | 2009.12.10 | 2009-12-10 | 2.65 | - |
| Trend Micro | 9.000-1003 | 6.686.03 | 2009-12-11 | 0.03 | - |
| Quick Heal | 10.00 | 2009.12.11 | 2009-12-11 | 1.28 | - |
| Rising | 20.0 | 22.25.04.07 | 2009-12-11 | 0.26 | - |
| Sophos | 3.02.0 | 4.48 | 2009-12-11 | 2.76 | - |
| Sunbelt | 3.9.2386.2 | 5555 | 2009-12-10 | 2.04 | - |
| Symantec | 1.3.0.24 | 20091210.003 | 2009-12-10 | 0.04 | - |
| nProtect | 20091210.02 | 6560411 | 2009-12-10 | 4.87 | - |
| The Hacker | 6.5.0.2 | v00090 | 2009-12-10 | 0.90 | - |
| VBA32 | 3.12.12.0 | 20091210.1626 | 2009-12-10 | 2.25 | - |
| VirusBuster | 4.5.11.10 | 10.116.1/2004556 | 2009-12-11 | 2.35 | - |

Let me know, Gregg.
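An added illustration of how to read a report like the one above (example code, not from the thread and not VirSCAN's own tooling): it parses the per-engine rows into verdicts, counts how many engines named something, and recomputes the MD5/SHA1 of a local file so you can confirm the report really describes the file you meant to submit. The sample report is a shortened, constructed copy of the one posted; its last row is made up so the parser has a detection to find.

```python
"""Parse a VirSCAN.org multi-engine report and cross-check it against a file.

Added example, not from the thread and not VirSCAN's own code. The column
order (Scanner, Engine Ver, Sig Ver, Sig Date, Time, Scan result) is taken
from the report header posted above; a '-' in the last column means that
engine reported nothing.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: a few rows copied from the report above, plus one
# made-up row (the last) so the code has a detection to find.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2009/12/11 09:03:39 (CST)
Scanner results: Scanners did not find malware!
File Name : exefix.reg
File Size : 9830 byte
MD5 : a8f8e48c13553ba09d9c72a9ef90fff7
SHA1 : 26f5518b3951347d8f4aba8740e7f0d137a7369b

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091211200223 2009-12-11 4.51 -
AhnLab V3 2009.12.11.07 2009.12.11 2009-12-11 1.18 -
CA (VET) 35.1.0 7169 2009-12-10 3.81 -
Trend Micro 9.000-1003 6.686.03 2009-12-11 0.03 -
Example AV 1.0 2009.12.11 2009-12-11 0.10 Constructed.Sample.Detection
"""

# Scanner names may contain spaces ("AhnLab V3", "CA (VET)"), so the match is
# anchored on the fixed-format columns to the right of the name.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)


@dataclass
class Verdict:
    scanner: str
    engine: str
    signatures: str
    sig_date: str
    seconds: float
    result: str  # '-' means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


@dataclass
class Report:
    file_name: str = ""
    md5: str = ""
    sha1: str = ""
    verdicts: list = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Split the report into header fields and one Verdict per engine row."""
    report = Report()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scanner Engine Ver"):
            in_table = True  # everything after the header line is rows
            continue
        if not in_table:
            key, sep, value = line.partition(" : ")
            if sep:
                key, value = key.strip(), value.strip()
                if key == "File Name":
                    report.file_name = value
                elif key == "MD5":
                    report.md5 = value.lower()
                elif key == "SHA1":
                    report.sha1 = value.lower()
            continue
        m = ROW_RE.match(line)
        if m:
            report.verdicts.append(Verdict(m["scanner"], m["engine"], m["sig"],
                                           m["date"], float(m["secs"]),
                                           m["result"]))
    return report


def detections(report: Report) -> list:
    """Engines that named something, in report order."""
    return [v for v in report.verdicts if v.detected]


def detection_summary(report: Report) -> tuple:
    """(engines that detected, engines that ran): the ratio people quote."""
    return len(detections(report)), len(report.verdicts)


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 of the bytes you actually have on disk."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def matches_report(data: bytes, report: Report) -> bool:
    """True only if the local file is the exact file the report describes."""
    h = file_hashes(data)
    return h["md5"] == report.md5 and h["sha1"] == report.sha1


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    hit, total = detection_summary(rep)
    print(f"{rep.file_name}: {hit}/{total} engines flagged it")
    for v in detections(rep):
        print(f"  {v.scanner}: {v.result}")
```

The hash comparison is the part worth keeping: the thread asked for exefix.exe but the report says exefix.reg, and a file name proves nothing, whereas matching MD5 and SHA1 confirm the scanned file is the one sitting on the desktop.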


----------



## GMO (Dec 1, 2009)

Hey Eddie, Sorry to keep bothering you but, FYI, whilst looking around I noticed, on my Local C disk, the stuff you were asking about:
C:\Project3681P
C:\Project9686P
C:\Project21027P
C:\Project29781P
C:\Project20042P
C:\Project24901P
C:\Project12228P
C:\Project17412P
C:\Project18688P
C:\Project28979P
C:\Project

Is all listed there.
Gregg


----------



## eddie5659 (Mar 19, 2001)

Yep, was posting at work, so had to do it in stages 

Okay, for the AVG, yes uninstall it. I think it's either through Start | Programs, or via Add/Remove in the Control Panel.

For those folders, can you do this:

Please *download* *OTM* 

 *Save* it to your *desktop*.
 Please double-click *OTM* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the codebox below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:Processes
explorer.exe
:Files
C:\Project3681P
C:\Project9686P
C:\Project21027P
C:\Project29781P
C:\Project20042P
C:\Project24901P
C:\Project12228P
C:\Project17412P
C:\Project18688P
C:\Project28979P
C:\Project
:Commands
[purity]
[emptytemp]
[Reboot]
```

Return to OTM, right click in the *"Paste Instructions for Items to be Moved"* window (under the yellow bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close *OTM* and reboot your PC.
*Note:* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.* In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter `*.log` and press the Enter key, navigate to the *C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

I'll post this first, then I'll look at the other replies


----------



## eddie5659 (Mar 19, 2001)

I can see what the exefix.reg file is now, as it looks like it's the reg file you can get from Kelly's Corner, so yes delete that.

It won't be linked to anything, so it's safe to delete 

---

I'm using WMP10, and am very happy with it. I get the message now and then to update, I just press No.

If you click in the Tools | Options, the first tab mentions the Update. However, you can't stop this, so I just set mine to weekly. 

---

I'll come back to you about your wife's media player. It will be tonight, but I'm off out in a few hours.


----------



## eddie5659 (Mar 19, 2001)

Okay, on Susan's profile, try this:

Click Start | Run and type the following, or copy/paste:

*regsvr32 jscript.dll*

and press OK.

It should say something about it being registered.

Repeat again, but this time use:

*regsvr32 vbscript.dll*

and press OK.

If I don't reply tonight, have a Happy New Year 

eddie


----------



## GMO (Dec 1, 2009)

Hi Eddie, Here are the results from the OTM run:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Project3681P\N_ folder moved successfully.
C:\Project3681P folder moved successfully.
C:\Project9686P\N_ folder moved successfully.
C:\Project9686P folder moved successfully.
C:\Project21027P\N_ folder moved successfully.
C:\Project21027P folder moved successfully.
C:\Project29781P\N_ folder moved successfully.
C:\Project29781P folder moved successfully.
C:\Project20042P\N_ folder moved successfully.
C:\Project20042P folder moved successfully.
C:\Project24901P\N_ folder moved successfully.
C:\Project24901P folder moved successfully.
C:\Project12228P\N_ folder moved successfully.
C:\Project12228P folder moved successfully.
C:\Project17412P\N_ folder moved successfully.
C:\Project17412P folder moved successfully.
C:\Project18688P\N_ folder moved successfully.
C:\Project18688P folder moved successfully.
C:\Project28979P folder moved successfully.
C:\Project\N_ folder moved successfully.
C:\Project folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.SUSAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gregg
->Temp folder emptied: 237734554 bytes
->Temporary Internet Files folder emptied: 374511 bytes
->Java cache emptied: 3473629 bytes
->FireFox cache emptied: 50307868 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Susan Obbink
->Temp folder emptied: 16541770 bytes
->Temporary Internet Files folder emptied: 823457 bytes
->Java cache emptied: 13690439 bytes
->FireFox cache emptied: 85841916 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 208344110 bytes

Total Files Cleaned = 589.00 mb

OTM by OldTimer - Version 3.1.4.0 log created on 01012010_115015

Files moved on Reboot...

Registry entries deleted on Reboot...

I'm on to your next post about Susan's profile, and happy new year to you as well! 
Thanks, Gregg
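An added illustration of sanity-checking an OTM results log like the one above (example code, not from the thread and not OTM's own code): it lists what was moved, totals the per-user byte counts, and checks that they add up to the "Total Files Cleaned" line, which is an easy way to notice a truncated or tampered paste. The sample log is a shortened, constructed copy of the posted log; its total line was chosen to agree with the rows kept.

```python
"""Summarise an OTM (OldTimer's Move It) results log and verify its total.

Added example, not from the thread and not OTM's own code. The log format
(->-prefixed per-user lines, un-prefixed system-wide lines, a total in
mebibytes) is as posted above; the sample below is a constructed excerpt.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Project3681P\N_ folder moved successfully.
C:\Project3681P folder moved successfully.
C:\Project folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Gregg
->Temp folder emptied: 237734554 bytes
->Temporary Internet Files folder emptied: 374511 bytes
->Java cache emptied: 3473629 bytes
->FireFox cache emptied: 50307868 bytes

User: Guest
->Temp folder emptied: 0 bytes

%systemroot% .tmp files removed: 0 bytes
RecycleBin emptied: 208344110 bytes

Total Files Cleaned = 477.00 mb

OTM by OldTimer - Version 3.1.4.0 log created on 01012010_115015
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) (?:folder|file) moved successfully\.$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")
SIZE_RE = re.compile(
    r"^(?P<arrow>->)?(?P<what>.+?) (?:emptied|removed): (?P<n>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d.]+) mb$")
MIB = 1024 * 1024
SYSTEM = "(system-wide)"  # bucket for size lines with no "->" user prefix


def parse_otm_log(text: str) -> dict:
    """Collect moved paths, byte counts per user, and the reported total."""
    moved, per_user = [], defaultdict(dict)
    user, reported = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = MOVED_RE.match(line)
        if m:
            moved.append(m["path"])
            continue
        m = USER_RE.match(line)
        if m:
            user = m["user"]  # following "->" lines belong to this profile
            continue
        m = SIZE_RE.match(line)
        if m:
            bucket = user if (m["arrow"] and user) else SYSTEM
            per_user[bucket][m["what"]] = int(m["n"])
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported = float(m["mb"])
    return {"moved": moved, "per_user": dict(per_user),
            "reported_total_mb": reported}


def total_bytes(parsed: dict) -> int:
    return sum(n for sizes in parsed["per_user"].values() for n in sizes.values())


def bytes_per_user(parsed: dict) -> dict:
    return {u: sum(s.values()) for u, s in parsed["per_user"].items()}


def total_matches(parsed: dict, tolerance_mb: float = 1.0) -> bool:
    """OTM prints the total in whole mebibytes, so allow rounding slack."""
    if parsed["reported_total_mb"] is None:
        return False
    return abs(total_bytes(parsed) / MIB - parsed["reported_total_mb"]) <= tolerance_mb


if __name__ == "__main__":
    p = parse_otm_log(SAMPLE_LOG)
    print("moved:", *p["moved"], sep="\n  ")
    for u, n in bytes_per_user(p).items():
        print(f"{u}: {n / MIB:.2f} MiB")
    print("total agrees with log:", total_matches(p))
```

Applied to the full log posted above, the same arithmetic gives about 588.6 MiB against the reported 589.00 mb, so that log is internally consistent.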


----------



## GMO (Dec 1, 2009)

OK Eddie, I copy/pasted "regsvr32 jscript.dll", hit OK and got this message:
"DllRegisterServer in jscript.dll succeeded", in a box titled "RegSvr32". Then I copy/pasted "regsvr32 vbscript.dll", hit OK and got the same message box with "DllRegisterServer in vbscript.dll succeeded". 
I hope this tells you something, because it means nothing to me. I will switch to Susan's account and try her media player.
Thanks, Gregg


----------



## eddie5659 (Mar 19, 2001)

Yes, it does. The dll files may have to be re-registered, as sometimes they can become un-registered if problems occur with certain programs, etc.

Let me know what happens


----------



## GMO (Dec 1, 2009)

Hey Eddie, I switched to Susan's account and tried her Media player, no joy. I tried a reboot, still no joy. Then I realized I was following your instructions in MY account... it's her media player that isn't working, Duh! So I did the obvious, tried the old "regsvr32 jscript.dll" and "regsvr32 vbscript.dll" in the run box trick and go figure, I got different messages in the RegSvr32 message box:

Message 1: DllRegisterServer in jscript.dll failed. Return code was: 0x80004005

Message 2: DllRegisterServer in vbscript.dll failed. Return Code was: 0x80004005

I guess that's what you meant when you said "on Susan's profile try this:" Sorry about being a bit slow on the uptake. From now on I'll be in the correct account.
Thanks, Gregg


----------



## eddie5659 (Mar 19, 2001)

That's okay, it's easy to forget to switch accounts 

Okay, I'm thinking she may have the same version of Media Player, so let's see if reinstalling it will help.

What this does is replace any files that are corrupt or missing, and it's the easiest thing to start with 

On Susan's account, go here and download WMP10:

http://www.microsoft.com/downloads/...53-3759-40cf-80d5-cde4bbe07999&displaylang=en

Install, and reboot the computer, and see if that helps, as in opening the player.

eddie


----------



## GMO (Dec 1, 2009)

Eddie, I went to the site above and started the validation process. I got the following message in a box titled "Windows Genuine Advantage":
Code not available. The validation code could not be obtained. This may be due to technical difficulties, or you may be running an unsupported operating system. Please close this window and attempt the validation process again, or use the Back button in your Web browser to return to the download details page. [Error code: 0x800401f3]
I did try again using Firefox, no joy. Then I opened Internet Explorer and went to the above site and tried again, no joy, same message. 
Gregg


----------



## GMO (Dec 1, 2009)

Hey Eddie, FYI. I did the last post last night (on Susan's account). This morning when I went to use the media player on my account I got the "An internal application error has occurred" message. I did the "regsvr32 jscript.dll" and "regsvr32 vbscript.dll" in the run box, got "DllRegisterServer in jscript.dll succeeded" and "DllRegisterServer in vbscript.dll succeeded", and my media player was up and running again. Just an FYI, thought it might help you figure out what's going on???
Thanks, Gregg.


----------



## GMO (Dec 1, 2009)

Hi Eddie, A couple of quick questions about using Malwarebytes. While poking around, I clicked the "quarantine" tab and noticed 5 items in there (from a scan we did back on 12-24 I think): 
1 Trojan.Vundo file, 
2 Trojan.Vundo.H files, and 
2 Backdoor.Bot Registry Keys. 
Should I delete them? 
And as a rule, when I run a Malwarebytes scan, should I delete any malicious items that are identified, or quarantine them or what??
Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Don't you love this weather.....

Deep snow, icy conditions, car in your front room 

This is what happened last night:

http://forums.techguy.org/random-discussion/891026-happy-new-yea-not-me.html

Anyway, back to you 

The error 0x800401f3 is a common Windows Update error. They sometimes have problems, and it can sort itself out a few hours later. I've had it before, it's annoying to say the least.

---

So, your media player had problems, but re-registering those files got it up and running again, but not on Susan's?

---

On the MBAM issue, yes you can delete those files, as they have already been removed from the actual computer. I tend to delete all MBAM finds, but just so you know, it will always quarantine them, as a safeguard.

Just delete them at a later date, when you're certain it wasn't needed by the pc, which they rarely do.

--------

On Susan's computer, can you run this:

Please download *ATF Cleaner* by Atribune.

*Caution: This program is for Windows 2000, XP and Vista only*


Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

Then, try the media player link again.

eddie


----------



## GMO (Dec 1, 2009)

Eddie, I'm really sorry to hear of your misfortune. I wish there was something I could do for you, especially after all you've done for me! 

Re-registering did work for my media player, in my account, but so far nothing has helped the media player in Susan's account... including running the ATF Cleaner you recommended. After running ATF, I tried to open her media player, no joy, I then tried re-registering again, no joy, then validating, which I can't seem to do either. When I get to 65% of the Genuine Check.exe download it stops. When I try the alternate validation method, I get to about 69% downloaded before it stops.
Just to be sure, both Susan and I are using the same computer, just different accounts. 
Thanks for the advice on using MBAM.
Hang in there and stay warm, 
Thanks again, Gregg.


----------



## GMO (Dec 1, 2009)

Hey Eddie, A data point FYI. It seems that whenever I try the "regsvr32 jscript.dll" and "regsvr32 vbscript.dll" in the run box trick while in Susan's account, it messes up the media player in my account. I have to do the "regsvr32 jscript.dll" and "regsvr32 vbscript.dll" in the run box trick in my account to jump start my media player. After doing that it works fine. Go figure?? Gregg


----------



## GMO (Dec 1, 2009)

Hi Eddie, I hope you're doing OK. I'm sure you're busy with your recent "break in", so please don't feel obligated to reply to all my posts, but I have something I thought I should show you. I did a Malwarebytes "Full Scan" last night (boy, that takes a long time; up until now I had always done the "Quick Scan"), and it came up with 1 item. Malwarebytes said it "took no action" and I wasn't sure what to do so I did nothing also. Here is the log:

Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/6/2010 8:33:54 AM
mbam-log-2010-01-06 (08-33-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 232921
Time elapsed: 1 hour(s), 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{308F6869-1759-4F58-852F-B04C0532EC38}\RP6\A0002194.sys (Malware.Trace) -> No action taken.

Please advise, Thanks Gregg.
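An added illustration of reading a Malwarebytes log like the one above (example code, not from the thread and not Malwarebytes' own code): it pulls out the header fields, the per-category counts and every detection line with its action, so the entries still marked "No action taken" can be listed rather than eyeballed, and it flags paths under System Volume Information\_restore, which are System Restore snapshot copies rather than files in use. The sample is a shortened, constructed copy of the posted log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into findings with actions.

Added example, not from the thread and not Malwarebytes' own code. The
layout (summary counts, then one section per category, each line as
"<path> (<name>) -> <action>.") is the one shown in the log above.
"""
import re

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/6/2010 8:33:54 AM
mbam-log-2010-01-06 (08-33-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 232921
Time elapsed: 1 hour(s), 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{308F6869-1759-4F58-852F-B04C0532EC38}\RP6\A0002194.sys (Malware.Trace) -> No action taken.
"""

COUNT_RE = re.compile(r"^(?P<key>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<key>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> dict:
    """Return {"meta": {...}, "counts": {...}, "findings": [...]}."""
    meta, counts, findings = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends the current section
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["key"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["key"]
            continue
        if section:
            if line.startswith("(No malicious items detected)"):
                continue
            m = ENTRY_RE.match(line)
            if m:
                findings.append({"section": section, "path": m["path"],
                                 "name": m["name"], "action": m["action"]})
            continue
        key, sep, value = line.partition(": ")
        if sep:
            meta[key] = value  # "Database version: 3499" and friends
    return {"meta": meta, "counts": counts, "findings": findings}


def is_restore_point(path: str) -> bool:
    """True for files held inside a System Restore snapshot (RPnn folders)."""
    return "\\system volume information\\_restore" in path.lower()


def pending_findings(parsed: dict) -> list:
    """Detections the scanner reported but did not quarantine or delete."""
    return [f for f in parsed["findings"]
            if f["action"].lower().startswith("no action")]


def counts_consistent(parsed: dict) -> bool:
    """Summary counts should equal the number of entries listed per section."""
    per_section = {}
    for f in parsed["findings"]:
        per_section[f["section"]] = per_section.get(f["section"], 0) + 1
    return all(per_section.get(k, 0) == n for k, n in parsed["counts"].items())


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print(p["meta"].get("Scan type"), "- database", p["meta"].get("Database version"))
    for f in pending_findings(p):
        where = "restore point copy" if is_restore_point(f["path"]) else "live file"
        print(f"{f['name']} ({where}): {f['path']}")
```

Listing the pending entries separately matters because a "No action taken" line is easy to miss among the "(No malicious items detected)" sections, and the restore-point check tells you whether the file is live or only a snapshot that System Restore could bring back.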


----------



## eddie5659 (Mar 19, 2001)

The insurance company is sorting it out, and as it's a rented house, it's the landlord's problem 

Not sure when it will be done though 

--------

Okay, media player: Are you the Administrator of your computer? Thinking you are, so can you try and re-install Media Player from the link I gave you, then reboot and try to see if Susan's works.

If not, can you run MBAM and ComboFix on her account, and post the results.

----

As for the full scan, I do this once a month, as it takes a while. The one entry you found:

*C:\System Volume Information\_restore{308F6869-1759-4F58-852F-B04C0532EC38}\RP6\A0002194.sys (Malware.Trace) -> No action taken*

Is in the restore folder. Strange, as we flushed the restore folder earlier, but yes, this can go.

It has no actual name, as in just A0002194.sys, but if it was restored, it would revert to the original name.

eddie


----------



## GMO (Dec 1, 2009)

Hi Eddie, I tried to reinstall Media Player (while in my account). I got a lot further this time. Got through the validation process etc. but I did get this error message during set up, "It was not possible to complete setup. Windows Media player 10 was not installed. To update windows, run windows media player 10 setup again." I tried again and no joy. When I went to check to see if my media player was working I got the end of the set up/configure window and finished up with that and it worked fine, for what that's worth to you. 
As for MBAM log:
Malwarebytes' Anti-Malware 1.43
Database version: 3499
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/7/2010 11:17:48 PM
mbam-log-2010-01-07 (23-17-48).txt

Scan type: Quick Scan
Objects scanned: 135947
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix Log:
ComboFix 10-01-04.01 - Susan Obbink 01/07/2010 22:46:30.4.1 - x86
Running from: c:\documents and settings\Susan Obbink\Desktop\Project.exe
.

((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 04:07 . 2010-01-08 04:07 -------- d-----w- c:\windows\LastGood
2010-01-04 04:37 . 2010-01-04 04:37 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-01 18:58 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-01 18:58 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-01 18:58 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-01 18:58 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-01 18:58 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-01 18:58 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-01 18:58 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-01 18:58 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-01 18:58 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-01 18:58 . 2010-01-01 18:58 -------- d-----w- c:\program files\Alwil Software
2010-01-01 17:50 . 2010-01-01 17:50 -------- d-----w- C:\_OTM
2009-12-31 14:27 . 2009-12-29 16:51 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-12-30 14:46 . 2009-12-30 14:45 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-30 14:46 . 2009-12-29 16:51 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-30 14:46 . 2009-12-29 16:51 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-30 14:46 . 2009-12-29 16:51 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-30 14:46 . 2009-12-30 14:42 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-29 17:11 . 2009-12-29 17:11 -------- d-----w- c:\documents and settings\Susan Obbink\Local Settings\Application Data\AVG Security Toolbar
2009-12-29 16:52 . 2009-12-29 20:53 -------- d-----w- C:\$AVG
2009-12-29 16:51 . 2009-12-29 16:51 -------- d-----w- c:\program files\AVG
2009-12-29 16:50 . 2010-01-01 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-29 15:57 . 2008-06-21 10:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2009-12-29 15:57 . 2008-10-31 13:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2009-12-29 15:57 . 2009-12-29 15:57 -------- d-----w- c:\program files\Sunbelt Software
2009-12-29 15:44 . 2009-12-29 16:52 -------- d-----w- c:\program files\SpywareGuard
2009-12-29 15:39 . 2010-01-06 05:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-29 15:38 . 2009-12-29 15:38 -------- d-----w- c:\program files\SpywareBlaster
2009-12-19 16:54 . 2009-12-19 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-14 21:54 . 2009-12-14 21:54 -------- d-----w- c:\documents and settings\Susan Obbink\Application Data\Malwarebytes
2009-12-14 21:28 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 21:28 . 2009-12-14 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-14 21:28 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 21:28 . 2010-01-04 04:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 19:38 . 2002-10-26 18:27 -------- d-----w- c:\program files\GrabEasy2
2010-01-01 18:58 . 2007-01-08 05:28 -------- d-----w- c:\program files\Google
2009-12-24 01:54 . 2006-06-02 21:57 -------- d-----w- c:\documents and settings\Susan Obbink\Application Data\Canon
2009-12-19 16:53 . 2004-02-27 03:04 -------- d-----w- c:\program files\Java
2009-12-19 16:36 . 2007-04-08 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-02 15:16 . 2009-12-02 15:16 -------- d-----w- c:\program files\Trend Micro
2009-11-22 16:27 . 2007-01-08 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-19 17:48 . 2009-12-01 15:41 872960 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 17:48 . 2009-12-01 15:41 43008 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 17:48 . 2009-12-01 15:41 340480 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 17:48 . 2009-12-01 15:41 346624 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2005-01-07 05:16 . 2005-01-07 05:16 3763883 -c--a-w- c:\program files\wace26i4.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"sscRun"="c:\program files\Common Files\AOL\1102874169\ee\SSCRun.exe" [2007-01-25 153168]
"PCTVOICE"="pctspk.exe" [2001-06-15 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"nwiz"="nwiz.exe" [2002-05-03 364544]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 45056]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-08-15 155648]
"HostManager"="c:\program files\Common Files\AOL\1102874169\ee\AOLSoftware.exe" [2008-11-06 41264]

FYI, I forgot to turn off my Anti-Spyware app, as there isn't an icon in the System tray in this account (I did turn off Anti-Virus though). Hopefully that did not hinder the scan/results.
Thanks, Gregg


----------



## eddie5659 (Mar 19, 2001)

Not much there standing out, but don't worry about the program not being turned off, it didn't look like it would have caused much of a problem.

Now, this blasted media player 


So, from what I'm reading, the install went a bit wrong, as in it wouldn't let you finish, but when you tried the program, it worked at the very end.

Does Susan's? I don't mean to install it, just to see if it's working from your install.

If not, let me have a think on the next route


----------



## GMO (Dec 1, 2009)

Hi Eddie, Susan's media player still isn't working. The thing I don't understand is the apparent link between her player and mine. On the one hand they are clearly separate in that mine works fine and hers doesn't, and I have entirely different music on mine than she does on hers (although most of what is on her player my son loaded years back); on the other hand they are linked in some way, because whenever I try to do something to hers, like reinstalling media player 10, mine stops working and I get the "An internal error has occurred" message (which by the way is the most predominant message I get whenever I try to open her player) and I need to do the "regsvr32 jscript.dll" and "regsvr32 vbscript.dll" in the run box trick, in my account, to get mine up and running again. At which point mine works fine until I try reinstalling or something like that in her account. I don't know if this tells you anything but I thought it was worth telling you about.
Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Okay, can you download and run OTL for me again. This will be a fresh one, so I can see what may be going on.

I'm also making a Notepad list of what has been tried/ your replies, to narrow it down 

This is the link 


Download *OTL* to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Under the *Standard Registry* box change it to *All*.
Check the boxes beside *LOP Check* and *Purity Check*.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTListIt.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


----------



## eddie5659 (Mar 19, 2001)

Okay, can you have a look at some things for me, on Susan's account 

Still do the OTL as well, as I'm hoping it will stand out what I'm hoping is there.

In the meantime, can you go to Start | Control Panel | Administrative Tools | Services.

In there, look for *Automatic Updates*. Is the startup type set to Automatic?

Just close Services by clicking the X as normal.

---------

Then, back in Administrative Tools, open up Event Viewer.

Click on *System* on the left to highlight it. The date column should be the second one, so can you look for this date:

*12/10/2009 11:04:52 PM*

It should be called Error with a red circle with a X as the icon.

Right-click on it and select Properties.

What's the Event ID number?

Also, you will see some info in the *Description* box. Highlight all with the mouse, then press Ctrl-C
In your reply, right-click on the box you type in, and select Paste.

Just close the program by clicking the X as normal.


----------



## GMO (Dec 1, 2009)

Hi Eddie, Turns out the OTL.Txt log file is too big (58505 characters) so I'll post it in three logs for good places to break the data.

OTL logfile created on: 1/11/2010 11:11:02 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Susan Obbink\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 302.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 8.28 Gb Free Space | 14.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUSAN
Current User Name: Susan Obbink
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Susan Obbink\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe (AOL LLC)
PRC - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe (Sunbelt Software, Inc.)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Common Files\AOL\1102874169\EE\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe (AOL LLC)
PRC - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe (CA, Inc.)
PRC - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe (Arcsoft, Inc.)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\system32\NVATray.exe (NVIDIA® Corporation)
PRC - C:\WINDOWS\system32\pctspk.exe ()

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Susan Obbink\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll (ScanSoft, Inc.)

========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (SPF4) -- C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe (Sunbelt Software, Inc.)
SRV - (SbPF.Launcher) -- C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe (Sunbelt Software, Inc.)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (ITMRTSVC) -- C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe (CA, Inc.)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)
SRV - (AOL TopSpeedMonitor) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (NeroSVC) -- C:\Program Files\ahead\Nero\NeroSVC.exe (ahead software gmbh
im stoeckmaedle 6
76307 karlsbad, germany
Fax: ++49-7248-911-888
e-mail: [email protected])

========== Driver Services (SafeList) ==========

DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (SbFw) -- C:\WINDOWS\system32\drivers\SbFw.sys (Sunbelt Software, Inc.)
DRV - (sbhips) -- C:\WINDOWS\system32\drivers\sbhips.sys (Sunbelt Software, Inc.)
DRV - (SBFWIMCL) -- C:\WINDOWS\system32\drivers\SbFwIm.sys (Sunbelt Software, Inc.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (BsUDF) -- C:\WINDOWS\system32\drivers\bsudf.sys (ahead software)
DRV - (BsStor) -- C:\WINDOWS\System32\DRIVERS\bsstor.sys (B.H.A Co.,Ltd.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (NVENET) -- C:\WINDOWS\system32\drivers\NVENET.sys (NVIDIA Corporation)
DRV - (nvnforce) Service for NVIDIA® nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA® Corporation)
DRV - (nvax) Service for NVIDIA® nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA® Corporation)
DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (Ptserial) -- C:\WINDOWS\system32\drivers\ptserial.sys (PCTEL, INC.)
DRV - (Vvoice) -- C:\WINDOWS\System32\DRIVERS\vvoice.sys (PCtel, Inc.)
DRV - (Vmodem) -- C:\WINDOWS\System32\DRIVERS\vmodem.sys (PCTEL, INC.)
DRV - (Vpctcom) -- C:\WINDOWS\System32\DRIVERS\vpctcom.sys (PCtel, Inc.)
DRV - (NetMate) -- C:\WINDOWS\system32\drivers\netmate2.sys (CATC (Computer Access Technology Corp.))

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://mail.kroll.com/CookieAuth.dll?GetLogonWrapper?url=/exchange&reason=0
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

Eddie, END OF FIRST PORTION, OTL.Txt
Cheers Gregg.
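
A small triage helper for OTL logs of the kind posted above, added here as an example; it is not part of this thread and not OldTimer's own code. It parses the line shapes OTL uses for processes (PRC), services (SRV), drivers (DRV), browser helper objects (O2), Run keys (O4) and Internet Explorer Trusted Domains (O15), then flags what a helper reads first: files that carry no company/version resource (the empty "()" at the end of a line), autostart entries whose file is gone ("File not found"), and wildcard Trusted Sites grants. The regexes only cover the line shapes visible in this thread's log, which is an assumption about the format; the sample input is constructed from lines in the posted log; and the rogue-domain list is an illustrative list to maintain yourself, not an authoritative feed. An empty company field is a reason to look closer (hash, signature, publisher), not proof of infection.

```python
"""Triage helper for OTL (OldTimer's List-It) logs.

Assumption: the regexes below match only the PRC/SRV/DRV/O2/O4/O15 line
shapes seen in the log posted in this thread, not the full OTL format.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\WINDOWS\system32\pctspk.exe ()
SRV - (SPF4) -- C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe (Sunbelt Software, Inc.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: winfixer.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
"""

# One regex per OTL section tag.  "company" is the text inside the trailing
# parentheses; OTL prints "()" when the file has no version resource.
PATTERNS = [
    ("PRC", re.compile(r"^PRC - (?P<path>.+?) \((?P<company>.*)\)$")),
    ("SRV", re.compile(r"^SRV - \((?P<name>[^)]+)\).*? -- (?P<path>.+?) \((?P<company>.*)\)$")),
    ("DRV", re.compile(r"^DRV - \((?P<name>[^)]+)\).*? -- (?P<path>.+?) \((?P<company>.*)\)$")),
    ("O2", re.compile(r"^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[^}]+\}) - (?P<path>.+?)"
                      r"(?: \((?P<company>.*)\)| (?P<missing>File not found))$")),
    ("O4", re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)"
                      r"(?: \((?P<company>.*)\)| (?P<missing>File not found))$")),
    ("O15", re.compile(r"^O15 - (?P<hive>HK\w+)\\\.\.Trusted Domains: (?P<domain>\S+) "
                       r"\(\[(?P<tag>[^\]]*)\] ?(?P<scope>[^)]*)\)$")),
]

# Illustrative list (assumption, not an authoritative feed): WinFixer/ErrorSafe
# family rogue-antivirus domains.  Keep your own current list in practice.
ROGUE_SECURITY_DOMAINS = {
    "winfixer.com", "winantivirus.com", "winantispyware.com", "errorsafe.com",
    "errorprotector.com", "drivecleaner.com", "systemdoctor.com",
}


@dataclass(frozen=True)
class Finding:
    kind: str    # OTL section tag: PRC, SRV, DRV, O2, O4, O15
    item: str    # file path, or the domain for O15 entries
    code: str    # NO_VERSION_INFO | FILE_MISSING | WILDCARD_TRUSTED | ROGUE_DOMAIN
    detail: str


def _check_file_entry(kind, d):
    """Flag a process/service/driver/BHO/Run entry that deserves a second look."""
    if d.get("missing"):
        return Finding(kind, d["path"], "FILE_MISSING",
                       "entry points at a file that no longer exists (orphaned autostart)")
    if d["company"] == "":
        return Finding(kind, d["path"], "NO_VERSION_INFO",
                       "file has no company/version resource; verify by hash or signature")
    return None


def _check_trusted_domain(d):
    """Flag wildcard Trusted Sites grants and known rogue-AV domains."""
    out = []
    if d["scope"].startswith("*") and "Trusted sites" in d["scope"]:
        out.append(Finding("O15", d["domain"], "WILDCARD_TRUSTED",
                           "every scheme for this domain gets Trusted Sites permissions"))
    if d["domain"].lower() in ROGUE_SECURITY_DOMAINS:
        out.append(Finding("O15", d["domain"], "ROGUE_DOMAIN",
                           "matches the illustrative rogue-antivirus domain list"))
    return out


def triage(log_text):
    """Return the list of Findings for an OTL log given as text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            if kind == "O15":
                findings.extend(_check_trusted_domain(d))
            else:
                f = _check_file_entry(kind, d)
                if f:
                    findings.append(f)
            break  # a line matches at most one section tag
    return findings


def summarize(findings):
    """Count findings per code, e.g. {'NO_VERSION_INFO': 4, ...}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.code:<17} {f.item}  ({f.detail})")
```

Run it on a full OTL.Txt with `triage(open("OTL.Txt", encoding="utf-8", errors="replace").read())`. Lines the regexes do not recognise (O1, O3, O16, O18 and so on) are skipped rather than misreported, so a silent result only means nothing in the covered sections was flagged, not that the log is clean.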


----------



## GMO (Dec 1, 2009)

Eddie, Start second portion OTL.Txt

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.com/aolcom/search?invocationType=tb50ffaoldesktop-chromesbox-en-us&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://undefined/"
FF - prefs.js..extensions.enabledItems: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1}:5.74.1.1
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:6.1.20091119W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.7
FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/12/19 10:54:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/07 23:05:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/09 21:53:47 | 00,000,000 | ---D | M]

[2008/09/02 18:36:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Mozilla\Extensions
[2008/09/02 18:36:39 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Susan Obbink\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/01/11 09:53:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions
[2009/12/01 09:41:43 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/07/14 08:56:00 | 00,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
[2009/07/14 08:56:03 | 00,001,741 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\searchplugins\aol-search.xml
[2010/01/11 09:53:20 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/07 23:05:36 | 00,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/12/19 10:54:25 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2010/01/07 23:05:19 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/01/07 23:05:19 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/12/19 10:54:03 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
[2010/01/07 23:05:27 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/01/09 21:53:46 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2010/01/09 21:53:46 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2010/01/09 21:53:47 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2010/01/09 21:53:47 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2010/01/09 21:53:47 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2010/01/09 21:53:47 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2010/01/09 21:53:47 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2007/08/21 18:42:32 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
[2010/01/07 23:05:29 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/01/07 23:05:29 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/01/01 11:23:07 | 00,001,354 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2010/01/07 23:05:29 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/01/07 23:05:29 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/01/07 23:05:29 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/01/07 23:05:29 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/01/07 23:05:29 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
O2 - BHO: (AOL Toolbar Loader) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
O4 - HKLM..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1102874169\EE\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe (AOL LLC)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102874169\EE\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NVIDIA nForce APU1 Utilities] C:\WINDOWS\System32\NVATray.exe (NVIDIA® Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [sscRun] C:\Program Files\Common Files\AOL\1102874169\EE\sscRun.exe (AOL LLC)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe (Arcsoft, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: amaena.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: drivecleaner.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: errorprotector.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: errorsafe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: imageservr.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: systemdoctor.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: winantispyware.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: winantivirus.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: winfixer.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/FacebookPhotoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab (FujifilmUploader Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} http://fdl.msn.com/public/investor/v13/ticker.cab (MSN Money Ticker)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 74.60.80.5 75.95.21.12
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\lid {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Susan Obbink\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Susan Obbink\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Documents and Settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll (Qualcomm Inc.)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/08/15 08:30:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

Eddie, END OF SECOND PORTION OTL:Txt
Cheers, Gregg.


----------



## GMO (Dec 1, 2009)

Eddie, Start of third portion:

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\Documents and Settings\Susan Obbink\Desktop\get-attachment.
[2010/01/11 23:04:53 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Susan Obbink\Desktop\OTL.exe
[2010/01/11 23:04:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Susan Obbink\My Documents\Downloads
[2010/01/09 21:54:58 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/01/09 21:54:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/09 21:53:58 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/01/09 21:52:17 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/01/09 21:52:02 | 02,065,696 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2010/01/09 21:52:02 | 00,040,448 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\drivers\usbaapl.sys
[2010/01/09 21:51:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/01/09 21:51:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/01/08 10:22:44 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/07 22:44:40 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/07 22:44:40 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/07 22:44:40 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/07 22:44:40 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/07 21:40:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/01/05 21:25:23 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Susan Obbink\Desktop\ATF-Cleaner.exe
[2010/01/01 12:58:38 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/01/01 12:58:36 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/01/01 12:58:35 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/01/01 12:58:33 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2010/01/01 12:58:32 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/01/01 12:58:32 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/01/01 12:58:32 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/01/01 12:58:32 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/01/01 12:58:08 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/01/01 12:58:05 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/01/01 11:50:15 | 00,000,000 | ---D | C] -- C:\_OTM
[2010/01/01 11:39:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/01 11:29:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/01 11:29:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/01 11:29:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/31 09:04:47 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/29 11:11:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Susan Obbink\Local Settings\Application Data\AVG Security Toolbar
[2009/12/29 10:52:42 | 00,000,000 | ---D | C] -- C:\$AVG
[2009/12/29 10:51:00 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/12/29 10:50:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/12/29 09:57:49 | 00,065,576 | ---- | C] (Sunbelt Software, Inc.) -- C:\WINDOWS\System32\drivers\SbFwIm.sys
[2009/12/29 09:57:48 | 00,270,888 | R--- | C] (Sunbelt Software, Inc.) -- C:\WINDOWS\System32\drivers\SbFw.sys
[2009/12/29 09:57:41 | 00,000,000 | ---D | C] -- C:\Program Files\Sunbelt Software
[2009/12/29 09:44:19 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareGuard
[2009/12/29 09:39:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/29 09:38:42 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/12/19 10:54:22 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/19 10:54:21 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/19 10:54:21 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/19 10:54:21 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/19 10:54:21 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/16 12:50:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Susan Obbink\My Documents\Electronic reinterviews completed 2010
[2009/12/16 12:45:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alerts 2010
[2009/12/16 12:24:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Susan Obbink\My Documents\QC work completed 2010
[2009/12/14 15:54:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Susan Obbink\Application Data\Malwarebytes
[2009/12/14 15:28:23 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/14 15:28:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/14 15:28:18 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/14 15:28:17 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/14 08:35:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/12/13 23:39:35 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/01/29 08:01:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
[2007/08/31 11:12:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2007/04/08 12:03:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2005/01/06 23:16:44 | 03,763,883 | ---- | C] (e-merge GmbH) -- C:\Program Files\wace26i4.exe
[2004/12/16 00:59:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Susan Obbink\My Documents\*.tmp files -> C:\Documents and Settings\Susan Obbink\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\Documents and Settings\Susan Obbink\Desktop\get-attachment.
[2010/01/11 23:14:00 | 00,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2010/01/11 23:08:25 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\Desktop\Okay.doc
[2010/01/11 23:05:03 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Susan Obbink\Desktop\OTL.exe
[2010/01/11 19:18:16 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Susan Obbink\ntuser.ini
[2010/01/11 19:03:11 | 00,058,880 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Shaw (K479)-Beland-Source Wildes.doc
[2010/01/11 19:00:54 | 00,058,880 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Shaw (K479)-Gregory-Source Mongelli.doc
[2010/01/11 17:25:38 | 00,043,520 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Reinterview Procedures.doc
[2010/01/11 11:33:31 | 06,815,744 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\NTUSER.DAT
[2010/01/11 10:45:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/11 10:44:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/11 10:44:51 | 53,640,3968 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/09 21:52:28 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/08 17:47:09 | 00,060,416 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Young (K498)-Olson-Source Prather.doc
[2010/01/08 14:29:44 | 00,059,904 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Interview Error-Rasmussen (W934)-Rennie-Source Burd.doc
[2010/01/08 13:15:38 | 00,060,928 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Rasmussen (W934)-Cheng-Source Kim.doc
[2010/01/08 13:01:38 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Hi Robert.doc
[2010/01/08 11:44:55 | 00,054,784 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Master Issue Alert Form-type-Inv(SID)-Case last name-Source last name-Revised 07.14.09..doc
[2010/01/07 22:58:09 | 00,000,265 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/07 22:40:58 | 03,819,182 | R--- | M] () -- C:\Documents and Settings\Susan Obbink\Desktop\Project.exe
[2010/01/07 22:07:10 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 14:50:14 | 02,999,296 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\QC Concerns Spreadsheet.xls
[2010/01/07 14:05:23 | 00,038,912 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Investigators with sources missing in Phoenix.doc
[2010/01/07 13:25:07 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Electronic Source Reinterviews completed by month.doc
[2010/01/05 21:28:21 | 00,000,796 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/05 21:25:23 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Susan Obbink\Desktop\ATF-Cleaner.exe
[2010/01/05 18:42:18 | 00,056,832 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Recovery Spreadsheet II - Williams (M811).xls
[2010/01/05 18:05:58 | 00,051,712 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Recovery Spreadsheet-Widmar (Q917).xls
[2010/01/05 14:49:19 | 00,194,560 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Revised Completed Recovery Spreadsheet - Williams, John (M811).xls
[2010/01/05 11:01:24 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\QC work completed 2010.doc
[2010/01/04 12:26:54 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Reinterview telecon ideas.doc
[2010/01/01 12:58:38 | 00,001,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2010/01/01 12:58:32 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/31 15:32:52 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Admin Error Correction Notification.doc
[2009/12/29 09:03:19 | 00,117,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/23 20:24:43 | 04,316,530 | -H-- | M] () -- C:\Documents and Settings\Susan Obbink\Local Settings\Application Data\IconCache.db
[2009/12/23 20:02:34 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Employee Expense Report 12-23-09.xls
[2009/12/23 19:54:18 | 02,257,074 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Internet expenses Sept-Dec '09.pdf
[2009/12/22 12:23:38 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Dear Senator Klobuchar.doc
[2009/12/22 12:00:01 | 01,265,754 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Telephone expenses Sept-Dec '09.pdf
[2009/12/22 11:26:47 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Dear Senator Nelson.doc
[2009/12/20 10:37:56 | 00,254,560 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2009/12/19 10:54:02 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/19 10:54:02 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/19 10:54:02 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/19 10:54:02 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/19 10:54:02 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/16 16:24:04 | 00,067,072 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Source Reinterview Form-Couch (K558)-Griggs-Source Kidwell.doc
[2009/12/15 16:11:06 | 00,065,536 | ---- | M] () -- C:\Documents and Settings\Susan Obbink\My Documents\Source Reinterview Form - Siegler (P744)-Whitson-Source Christa Deene.doc
[2009/12/14 15:28:27 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/13 23:39:44 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Susan Obbink\My Documents\*.tmp files -> C:\Documents and Settings\Susan Obbink\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/11 23:08:25 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\Desktop\Okay.doc
[2010/01/11 18:50:31 | 00,058,880 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Shaw (K479)-Beland-Source Wildes.doc
[2010/01/11 17:25:57 | 00,058,880 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Shaw (K479)-Gregory-Source Mongelli.doc
[2010/01/11 12:20:39 | 00,043,520 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Reinterview Procedures.doc
[2010/01/09 21:52:27 | 00,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/08 17:19:13 | 00,060,416 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Young (K498)-Olson-Source Prather.doc
[2010/01/08 12:36:17 | 00,059,904 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Interview Error-Rasmussen (W934)-Rennie-Source Burd.doc
[2010/01/08 11:35:42 | 00,060,928 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Issue Alert Form-Integrity-Rasmussen (W934)-Cheng-Source Kim.doc
[2010/01/08 11:11:24 | 00,054,784 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Master Issue Alert Form-type-Inv(SID)-Case last name-Source last name-Revised 07.14.09..doc
[2010/01/07 22:44:40 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/07 22:44:40 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/07 22:44:40 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/07 22:44:40 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/07 22:44:40 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/07 22:40:58 | 03,819,182 | R--- | C] () -- C:\Documents and Settings\Susan Obbink\Desktop\Project.exe
[2010/01/06 14:07:53 | 00,038,912 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Investigators with sources missing in Phoenix.doc
[2010/01/05 14:50:14 | 00,056,832 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Recovery Spreadsheet II - Williams (M811).xls
[2010/01/01 12:58:38 | 00,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2010/01/01 12:58:08 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/12/23 19:54:16 | 02,257,074 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Internet expenses Sept-Dec '09.pdf
[2009/12/22 12:23:38 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Dear Senator Klobuchar.doc
[2009/12/22 11:59:59 | 01,265,754 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Telephone expenses Sept-Dec '09.pdf
[2009/12/22 11:48:51 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Employee Expense Report 12-23-09.xls
[2009/12/16 16:12:11 | 00,067,072 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Source Reinterview Form-Couch (K558)-Griggs-Source Kidwell.doc
[2009/12/16 13:24:44 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\Dear Senator Nelson.doc
[2009/12/16 12:14:04 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\My Documents\QC work completed 2010.doc
[2009/12/14 15:28:27 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/13 23:39:44 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/12/13 23:39:39 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/03/21 15:20:33 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/08/01 11:05:39 | 00,000,135 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\Local Settings\Application Data\fusioncache.dat
[2006/03/21 20:42:02 | 00,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2006/03/21 20:28:16 | 00,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2005/06/11 10:35:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/12/12 11:40:01 | 00,000,179 | ---- | C] () -- C:\WINDOWS\upst.ini
[2004/08/19 19:42:50 | 00,000,047 | ---- | C] () -- C:\WINDOWS\upth.ini
[2004/08/19 19:42:50 | 00,000,030 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/07/04 14:47:08 | 00,003,380 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/02/04 22:15:19 | 00,000,048 | ---- | C] () -- C:\WINDOWS\PerWin.ini
[2004/01/22 13:00:28 | 00,012,635 | ---- | C] () -- C:\WINDOWS\System32\DAntivirus.ini
[2003/11/08 09:04:19 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2003/09/23 20:31:58 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\Application Data\dm.ini
[2003/09/07 13:35:52 | 00,000,026 | ---- | C] () -- C:\WINDOWS\UP9ASP.INI
[2003/06/29 18:19:51 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/11/27 13:42:33 | 00,004,816 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2002/09/26 10:55:41 | 00,189,440 | ---- | C] () -- C:\Documents and Settings\Susan Obbink\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2002/08/25 11:48:59 | 00,000,023 | ---- | C] () -- C:\WINDOWS\EPSC80.ini
[2002/08/15 12:19:09 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2001/09/15 14:06:36 | 00,001,406 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[1979/12/31 18:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2010/01/01 11:39:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2006/03/21 20:42:04 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2006/06/02 16:01:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2008/02/15 15:04:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2006/03/21 20:28:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard
[2007/08/06 20:08:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/01/05 23:33:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/03/16 11:18:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/09 21:56:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/02/16 22:16:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/01/28 10:01:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\acccore
[2009/12/23 19:54:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Canon
[2002/08/15 12:13:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\InterVideo
[2003/11/08 09:54:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Learn2.com
[2004/12/18 11:01:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Lycos
[2007/08/06 16:58:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\MSNInstaller
[2006/03/21 20:28:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\ScanSoft
[2006/05/22 11:54:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Snapfish
[2007/03/16 11:18:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Susan Obbink\Application Data\Viewpoint

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

END OF THIRD PORTION OTL:Txt report

I think I got it all, Gregg


----------



## GMO (Dec 1, 2009)

Now on to the OTL:Extras.Txt log:

OTL Extras logfile created on: 1/11/2010 11:11:02 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Susan Obbink\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 302.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 8.28 Gb Free Space | 14.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUSAN
Current User Name: Susan Obbink
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- 
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\AOL 9.5\waol.exe" = C:\Program Files\AOL 9.5\waol.exe:*:Enabled:AOL 9.5 -- (AOL, LLC.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNetisabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\iPod\bin\iPodService.exe" = C:\Program Files\iPod\bin\iPodService.exe:*:Enabled:iPodService -- (Apple Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\NVATray.exe" = C:\WINDOWS\system32\NVATray.exe:*:Enabled:NVATray -- (NVIDIA® Corporation)
"C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" = C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe:*:Enabled:AdobeUpdater -- (Adobe Systems Incorporated)
"C:\WINDOWS\msagent\agentsvr.exe" = C:\WINDOWS\msagent\agentsvr.exe:*:Enabled:AgentSvr -- (Microsoft Corporation)
"C:\WINDOWS\system32\taskmgr.exe" = C:\WINDOWS\system32\taskmgr.exe:*:Enabled:taskmgr -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{0594472B-42DC-4E29-A161-2CCC011AE7DE}" = TurboTax 2008 wmniper
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{178BAABD-0C95-4EB6-9E12-29A039EA27F6}" = Qwest eChat Support Tools
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = PhotoStitch
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = RemoteCapture Task 1.1
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{2E819828-BC8D-4177-BEBB-425FAFF89E6B}" = Microsoft XML Parser SDK
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{3E908702-AF35-4611-9518-955DA24B7E07}" = Microsoft XML Parser and SDK
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = RAW Image Task 1.2
"{4C96958A-6562-4143-B820-FF4890D3B734}" = Camera Window DVC
"{4F1CECBC-670F-4DAA-81D6-944B12450917}" = DIGOpt
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{7C40DB7D-5049-4E15-ACB8-71F3C6C32DDA}" = Eudora
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{82B1150E-9B37-49FC-83EB-D52197D900D0}" = Sunbelt Personal Firewall
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = MovieEdit Task
"{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Camera Window DS
"{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Camera Support Core Library
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6ACFF51-248A-4290-B50B-E50C81F25B97}" = iPod for Windows 2005-02-22
"{C1939820-A945-11D4-86F6-0001031E5712}" = InterVideo WinDVD
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX
"{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Camera Window MC
"{CA9A3609-3ECC-4574-8824-A8161A71A603}" = Canon MP150
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEC2A5B9-CE19-4F2E-9C8F-F310C0EAB993}" = ArcSoft Media Card Companion
"{CF6F8056-3EC3-4582-A915-9BF11A82097A}" = TurboTax 2008 wnmiper
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D167DA32-32AB-45FC-AEC1-7380BE2221A2}" = QuickConnect
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{F05A5232-CE5E-4274-AB27-44EB8105898D}" = CA Pest Patrol Realtime Protection
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AdobeESD" = Adobe Download Manager 1.2 (Remove Only)
"AOL Deskbar" = AOL Deskbar
"AOL Toolbar" = AOL Toolbar 
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AolCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"avast!" = avast! Antivirus
"Broadband Blaster 8012U" = Broadband Blaster 8012U
"dBpowerAMP Music Converter" = dBpowerAMP Music Converter
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"Fonts" = Fonts
"Google Updater" = Google Updater
"GrabEasy2" = GrabEasy2
"HijackThis" = HijackThis 2.0.2
"InCD!UninstallKey" = InCD (Ahead Software)
"Installing HSP56 MicroModem Drivers" = Aztech MSP5950-U Modem Drivers
"InstallShield_{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{4C96958A-6562-4143-B820-FF4890D3B734}" = Canon Camera Window DVC for ZoomBrowser EX
"InstallShield_{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Canon Camera Window DS for ZoomBrowser EX
"InstallShield_{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Canon Camera Support Core Library
"InstallShield_{B6ACFF51-248A-4290-B50B-E50C81F25B97}" = iPod for Windows 2005-02-22
"InstallShield_{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Canon Camera Window for ZoomBrowser EX
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MP Navigator 2.0" = Canon MP Navigator 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero - Burning Rom (Web installer)
"NVAUtils" = NVIDIA nForce APU1 Utilities
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SpywareGuard_is1" = SpywareGuard v2.2
"SSC Uninstaller" = Safety and Security Center Uninstaller
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Super Collapse! from GameHouse" = Super Collapse! from GameHouse
"TurboTax 2008" = TurboTax 2008
"TurboTax Home & Business 2007" = TurboTax Home & Business 2007
"TurboTax Premier 2005" = TurboTax Premier 2005
"TurboTax Premier Home & Business 2003" = TurboTax Premier Home & Business 2003
"ViewpointMediaPlayer" = Viewpoint Media Player
"WinAce Archiver" = WinAce Archiver
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinMX" = WinMX
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 1/11/2010 11:43:15 AM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\SESSIONSTORE.JS
failed, 00000005.

Error - 1/11/2010 12:46:37 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\EXTENSIONS\{3E0E7D2A-070F-4A47-B019-91FE5385BA79}\DEFAULTS\PREFERENCES\DEFAULTS.JS
failed, 00000005.

Error - 1/11/2010 12:46:37 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\EXTENSIONS\{635ABD67-4FE9-1B23-4F01-E679FA7484C1}\DEFAULTS\PREFERENCES\YAHOO.JS
failed, 00000005.

Error - 1/11/2010 12:46:37 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\PREFS.JS
failed, 00000005.

Error - 1/11/2010 12:46:37 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\USER.JS
failed, 00000005.

Error - 1/11/2010 12:46:37 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\SESSIONSTORE.JS
failed, 00000005.

Error - 1/11/2010 2:19:58 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT
failed, 00000005.

Error - 1/11/2010 7:27:16 PM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT
failed, 00000005.

Error - 1/12/2010 1:02:49 AM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\PREFS.JS
failed, 00000005.

Error - 1/12/2010 1:02:49 AM | Computer Name = SUSAN | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\GREGG\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CMBB5EMW.DEFAULT\SESSIONSTORE.JS
failed, 00000005.

[ Application Events ]
Error - 12/29/2009 1:53:13 PM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application excel.exe, version 9.0.0.2719, faulting module
excel.exe, version 9.0.0.2719, fault address 0x00179856.

Error - 12/29/2009 1:53:50 PM | Computer Name = SUSAN | Source = Application Error | ID = 1001
Description = Fault bucket 00031602.

Error - 1/4/2010 10:43:55 AM | Computer Name = SUSAN | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80080005 from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/6/2010 12:58:06 PM | Computer Name = SUSAN | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Small Business -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Small Business. The Windows
installer cannot continue.

Error - 1/7/2010 10:58:29 AM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application aolsoftware.exe, version 16.2.3.1, faulting module
unknown, version 0.0.0.0, fault address 0x67080ed7.

Error - 1/7/2010 10:58:41 AM | Computer Name = SUSAN | Source = Application Error | ID = 1001
Description = Fault bucket 1049297847.

Error - 1/9/2010 11:49:07 PM | Computer Name = SUSAN | Source = Application Error | ID = 1000
Description = Faulting application aolsoftware.exe, version 16.2.3.1, faulting module
unknown, version 0.0.0.0, fault address 0x67080ed7.

Error - 1/10/2010 1:13:31 AM | Computer Name = SUSAN | Source = Application Hang | ID = 1002
Description = Hanging application OutlookSyncClient.exe, version 8.4.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/10/2010 1:13:31 AM | Computer Name = SUSAN | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Small Business -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Small Business. The Windows
installer cannot continue.

Error - 1/10/2010 1:26:50 AM | Computer Name = SUSAN | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Small Business -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Small Business. The Windows
installer cannot continue.

[ System Events ]
Error - 12/10/2009 10:47:37 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 11:04:52 PM | Computer Name = SUSAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/10/2009 11:09:16 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 11:09:22 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/10/2009 11:09:23 PM | Computer Name = SUSAN | Source = PlugPlayManager | ID = 12
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)
disappeared from the system without first being prepared for removal.

Error - 12/17/2009 12:05:55 PM | Computer Name = SUSAN | Source = System Error | ID = 1003
Description = Error code 00000024, parameter1 001902fe, parameter2 f8b61864, parameter3
f8b61560, parameter4 826d7fdc.

Error - 12/22/2009 1:26:12 PM | Computer Name = SUSAN | Source = Print | ID = 6161
Description =

Error - 12/31/2009 10:20:57 AM | Computer Name = SUSAN | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'avgcorex.dll.old' on the volume 'HarddiskVolume1'. 
It has stopped monitoring the volume.

Error - 1/4/2010 10:43:55 AM | Computer Name = SUSAN | Source = DCOM | ID = 10010
Description = The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register
with DCOM within the required timeout.

Error - 1/11/2010 1:11:55 PM | Computer Name = SUSAN | Source = Print | ID = 6161
Description = The device 'Microsoft Kernel Acoustic Echo Canceller' (Root\LEGACY_AEC\0000)

< End of report >

I think this is everything you asked for in your first post, I'll go on to your second post.
Thanks, Gregg


----------
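The firewall-policy section of the OTL log above shows "EnableFirewall" = 0 for both the Domain and Standard profiles, followed by the list of programs holding an inbound exception. As an added example that is not part of the thread or of OTL, the Python below parses that section as OTL prints it and reduces it to a short checklist. It assumes the OTL value layout `"<path>" = <path>:<scope>:<state>:<name> -- (<publisher>)`, and it repairs the two smiley corruptions (`:D` and `:@`) that forum software commonly strips from pasted logs; the embedded sample is a trimmed copy of the lines above. A disabled built-in firewall is expected when a third-party firewall has replaced it (the uninstall list above includes Sunbelt Personal Firewall), so the output is a list of things to verify, not a verdict.

```python
r"""Parse the FirewallPolicy section of an OTL log.

Added example for this thread, not code from OTL or the original post.
It reads the [..\FirewallPolicy\<Profile>] and
[..\<Profile>\AuthorizedApplications\List] blocks exactly as OTL prints
them and reports which profiles have the built-in firewall switched off
and which programs hold an inbound exception, with scope and state.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed: the two smiley corruptions forum software leaves in pasted OTL logs.
SMILEY_REPAIRS = {
    "Netisabled:": "Net:Disabled:",            # "LocalSubNet:Disabled:" lost ":D"
    ":enabledxpsp2res": ":enabled:@xpsp2res",  # "enabled:@xpsp2res.dll" lost ":@"
}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENABLE_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<val>\d+)$')
# "<path>" = <path>:<scope>:<state>:<display name> -- (<publisher>)
APP_RE = re.compile(r'^"(?P<path>[^"]+)"\s*=\s*(?P<rest>.+?)\s+--\s+\((?P<publisher>.*)\)$')


@dataclass
class FirewallException:
    profile: str
    path: str
    scope: str       # "*" = any remote address, or e.g. "LocalSubNet"
    state: str       # "Enabled" / "Disabled" as OTL prints it
    name: str
    publisher: str


def _profile_of(key: str) -> Optional[str]:
    m = re.search(r"\\FirewallPolicy\\(?P<profile>[^\\]+)", key)
    return m.group("profile") if m else None


def parse_firewall_section(text: str) -> Tuple[Dict[str, bool], List[FirewallException]]:
    enabled: Dict[str, bool] = {}
    exceptions: List[FirewallException] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        for bad, good in SMILEY_REPAIRS.items():
            line = line.replace(bad, good)
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        profile = _profile_of(current_key)
        if profile is None:
            continue
        m = ENABLE_RE.match(line)
        if m and current_key.endswith("FirewallPolicy\\" + profile):
            enabled[profile] = m.group("val") != "0"
            continue
        m = APP_RE.match(line)
        if m and current_key.endswith("\\AuthorizedApplications\\List"):
            path, rest = m.group("path"), m.group("rest")
            if rest.startswith(path + ":"):   # the value data repeats the path
                rest = rest[len(path) + 1:]
            parts = rest.split(":", 2)         # scope:state:name
            if len(parts) == 3:
                exceptions.append(FirewallException(profile, path, *parts, m.group("publisher")))
    return enabled, exceptions


def findings(enabled: Dict[str, bool], exceptions: List[FirewallException]) -> List[str]:
    """Pointers for the analyst: profiles with the firewall off, and programs
    that are allowed inbound connections from any address."""
    out = []
    for profile, on in sorted(enabled.items()):
        if not on:
            out.append(f"{profile}: Windows Firewall is off (EnableFirewall = 0)")
    for e in exceptions:
        if e.state.lower() == "enabled" and e.scope == "*":
            out.append(f"{e.profile}: {e.path} accepts inbound connections from any address "
                       f"({e.name}, {e.publisher})")
    return out


# Constructed sample: a trimmed copy of the lines posted in this thread,
# including the two smiley-damaged entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNetisabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"""

if __name__ == "__main__":
    on, exc = parse_firewall_section(SAMPLE_LOG)
    for line in findings(on, exc):
        print(line)
```

Run against the sample, it reports both profiles off and two wildcard-scope exceptions (sessmgr.exe and iTunes); the Intuit entry is scoped to the local subnet and disabled, so it is parsed but not flagged.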



## GMO (Dec 1, 2009)

Hey Eddie, Your second post questions and answers:

Q: In there, look for *Automatic Updates*. Is the startup type set to Automatic?

A: YES

Q: Click on *System* on the left to highlight it. The date column should be the second one, so can you look for this date:

*12/10/2009 11:04:52 PM*

A: No such date and time, goes from: 
12/11/2009 7:37:28 AM to: 
12/10/2009 11:17:49 PM
Neither of which is called Error, both are called "Information".
Also, knowing how dates are called out in England, I looked for 10/12/2009; the date log only went back to 11/10/2009 (just a thought).
Gregg.


----------



## eddie5659 (Mar 19, 2001)

Okay, plodding thru the loooong list, whilst filling in a job application for a totally new area to work in, so it's great fun here 

In the meantime, as I'm partway, I can see some infection. Can you do this first:

Right click *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: Right click *DelDomains.inf* and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

-------

If the file doesn't work (as some have said it doesn't, based on their system), let me know, and we'll do it manually.

--------

Also, can you do this:


Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*C:\WINDOWS\System32\rundll32.exe*

- Click on the *Upload* button
- Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.


----------



## GMO (Dec 1, 2009)

Hi Eddie, I saved DelDomains.inf to my desktop, right-clicked and clicked Install, at which point I got the Open File security box asking "Do you want to open this file?" I clicked Open, and within about a nanosecond I got the hourglass, all my desktop icons blinked, and nothing more happened. I'm guessing that, as you suggested some said, it didn't work, although it did say in the Notepad: "Note: you will not see any onscreen action." So maybe it did what it was supposed to do?? I have no clue. 
You will, however, find below the report of the Virscan.org scan.

VirSCAN.org Scanned Report :
Scanned time : 2009/11/28 11:25:17 (CST)
Scanner results: Scanners did not find malware!
File Name : rundll32.exe
File Size : 33280 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : da285490bbd8a1d0ce6623577d5ba1ff
SHA1 : c466b4f4c2600fd62fbe943d8049afd0f6606f48
Online report : http://virscan.org/report/8bfaa1a8a0fa4b5e4627426d033581f7.html

| Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result |
|---|---|---|---|---|---|
| a-squared | 4.5.0.8 | 20091128050151 | 2009-11-28 | 4.19 | - |
| AhnLab V3 | 2009.11.29.00 | 2009.11.29 | 2009-11-29 | 0.95 | - |
| AntiVir | 8.2.1.78 | 7.10.1.117 | 2009-11-27 | 0.52 | - |
| Antiy | 2.0.18 | 20091127.3320938 | 2009-11-27 | 0.12 | - |
| Arcavir | 2009 | 200911280020 | 2009-11-28 | 0.03 | - |
| Authentium | 5.1.1 | 200911271611 | 2009-11-27 | 1.22 | - |
| AVAST! | 4.7.4 | 091128-0 | 2009-11-28 | 0.01 | - |
| AVG | 8.5.288 | 270.14.85/2532 | 2009-11-28 | 0.32 | - |
| BitDefender | 7.81008.4654974 | 7.29184 | 2009-11-28 | 4.03 | - |
| CA (VET) | 35.1.0 | 7145 | 2009-11-26 | 7.61 | - |
| ClamAV | 0.95.2 | 10090 | 2009-11-28 | 0.01 | - |
| Comodo | 3.12 | 3068 | 2009-11-28 | 0.77 | - |
| CP Secure | 1.3.0.5 | 2009.11.28 | 2009-11-28 | 0.05 | - |
| Dr.Web | 4.44.0.9170 | 2009.11.28 | 2009-11-28 | 7.21 | - |
| F-Prot | 4.4.4.56 | 20091128 | 2009-11-28 | 1.21 | - |
| F-Secure | 7.02.73807 | 2009.11.28.03 | 2009-11-28 | 0.10 | - |
| Fortinet | 11.104- | 11.104 | 2009-11-28 | 0.26 | - |
| GData | 19.9053/19.592 | 20091128 | 2009-11-28 | 5.80 | - |
| ViRobot | 20091128 | 2009.11.28 | 2009-11-28 | 0.42 | - |
| Ikarus | T3.1.01.74 | 2009.11.28.74610 | 2009-11-28 | 4.14 | - |
| JiangMin | 11.0.800 | 2009.11.27 | 2009-11-27 | 4.16 | - |
| Kaspersky | 5.5.10 | 2009.11.28 | 2009-11-28 | 0.07 | - |
| KingSoft | 2009.2.5.15 | 2009.11.28.15 | 2009-11-28 | 0.55 | - |
| McAfee | 5.3.00 | 5816 | 2009-11-28 | 3.35 | - |
| Microsoft | 1.5302 | 2009.11.28 | 2009-11-28 | 6.27 | - |
| Norman | 6.01.09 | 6.01.00 | 2009-11-27 | 4.00 | - |
| Panda | 9.05.01 | 2009.11.27 | 2009-11-27 | 2.69 | - |
| Trend Micro | 9.000-1003 | 6.658.06 | 2009-11-28 | 0.03 | - |
| Quick Heal | 10.00 | 2009.11.28 | 2009-11-28 | 1.25 | - |
| Rising | 20.0 | 22.23.05.04 | 2009-11-28 | 0.99 | - |
| Sophos | 3.01.0 | 4.47 | 2009-11-28 | 3.12 | - |
| Sunbelt | 5518 | 5518 | 2009-11-18 | 1.74 | - |
| Symantec | 1.3.0.24 | 20091127.003 | 2009-11-27 | 0.05 | - |
| nProtect | 20091127.01 | 6396533 | 2009-11-27 | 3.54 | - |
| The Hacker | 6.5.0.2 | v00081 | 2009-11-28 | 0.78 | - |
| VBA32 | 3.12.12.0 | 20091127.2029 | 2009-11-27 | 2.14 | - |
| VirusBuster | 4.5.11.10 | 10.114.2/2016093 | 2009-11-28 | 2.43 | - |

Thanks and good luck with your job hunting, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Well, the good old job. I spent ages creating a cover letter, only to find out I need to fill in a downloaded application form. Oh, the joy, so that's waiting tonight 

Okay, let's do it this way:

Please run OTL.exe

Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:OTL
O15 - HKCU\..Trusted Domains: amaena.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: drivecleaner.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: errorprotector.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: errorsafe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: imageservr.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: systemdoctor.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: winantispyware.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: winantivirus.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: winfixer.com ([]* in Trusted sites)
:Commands
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
It will produce a log for you on reboot, please post that log in your next reply.


----------



## GMO (Dec 1, 2009)

Hi Eddie, Sorry about the slow response, I've been out of town. Speaking of jobs, how's the economy in the UK? Ours stinks, not much work to be had if you don't already have a job.
Here are the OTL scan results:

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\objects\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drivecleaner.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorprotector.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\errorsafe.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\systemdoctor.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantispyware.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winantivirus.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winfixer.com\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.SUSAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gregg

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Susan Obbink
->Temp folder emptied: 529958 bytes
->Temporary Internet Files folder emptied: 127278 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 33753986 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 68224 bytes
Windows Temp folder emptied: 49152 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 33.00 mb

OTL by OldTimer - Version 3.1.24.0 log created on 01182010_094912

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_728.dat moved successfully.

Registry entries deleted on Reboot...

I think that does it.
Thanks, Gregg.


----------
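The O15 lines in the fix script posted above and the "not found" lines in the OTL log that followed are two views of the same registry keys: each O15 entry is one subkey under HKCU\...\Internet Settings\ZoneMap\Domains, with the URL scheme as the value name and the IE zone number as its data. As an added example that is not part of the thread or of OTL, the Python below decodes each O15 line into that key, the scheme and zone, and a verdict, and can emit a .reg fragment that deletes the keys. It assumes the standard IE zone numbers (0 to 4, with Trusted sites = 2), that OTL prints HKLM entries in the same shape as HKCU ones, regedit's `[-key]` delete syntax, and an analyst-supplied list of known rogue security-software domains (here, the WinFixer-family names taken from the fix script).

```python
r"""Decode "O15 - Trusted Domains" lines from an OTL or HijackThis log.

Added example for this thread, not OTL's own code. Each O15 line stands
for one subkey under <hive>\SOFTWARE\Microsoft\Windows\CurrentVersion\
Internet Settings\ZoneMap\Domains: the subkey is the domain (plus an
optional host part), the value name is the URL scheme ("*" = every
scheme) and the DWORD data is the IE zone number.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
ZONEMAP = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# Standard Internet Explorer URL security zone numbers.
ZONE_BY_NAME = {"My Computer": 0, "Local intranet": 1, "Trusted sites": 2,
                "Internet": 3, "Restricted sites": 4}
TRUSTED = ZONE_BY_NAME["Trusted sites"]

# Assumed line shape: O15 - HKCU\..Trusted Domains: <domain> ([<host>]<scheme> <zone text>)
O15_RE = re.compile(
    r"^O15 - (?P<hive>HKCU|HKLM)\\\.\.Trusted Domains: "
    r"(?P<domain>\S+) \(\[(?P<host>[^\]]*)\]\s*(?P<scheme>\S+) (?P<desc>.+)\)$"
)


@dataclass
class TrustedDomain:
    hive: str
    domain: str
    host: str        # "" when the grant covers the whole domain
    scheme: str      # "*" or a single scheme such as "https"
    zone: int

    @property
    def reg_key(self) -> str:
        key = HIVES[self.hive] + "\\" + ZONEMAP + "\\" + self.domain
        return key + "\\" + self.host if self.host else key


def parse_o15(line: str) -> Optional[TrustedDomain]:
    m = O15_RE.match(line.strip())
    if not m:
        return None
    desc = m.group("desc")
    out_of_range = re.search(r"out of zone range - (\d+)", desc)
    if out_of_range:
        zone = int(out_of_range.group(1))       # OTL prints the raw DWORD here
    else:
        zone = ZONE_BY_NAME.get(desc[3:] if desc.startswith("in ") else desc, -1)
    return TrustedDomain(m.group("hive"), m.group("domain"), m.group("host"),
                         m.group("scheme"), zone)


def verdict(td: TrustedDomain, known_bad=frozenset()) -> str:
    if td.domain in known_bad:
        return "remove: known rogue security-software domain"
    if td.zone not in ZONE_BY_NAME.values():
        return f"remove: zone {td.zone} is not a valid IE zone"
    if td.zone == TRUSTED and td.scheme == "*":
        return "review: every scheme for this domain escapes Internet-zone restrictions"
    return "review: narrow grant, confirm the user added it deliberately"


def analyse(text: str, known_bad=frozenset()) -> List[Tuple[TrustedDomain, str]]:
    found = [parse_o15(ln) for ln in text.splitlines()]
    return [(td, verdict(td, known_bad)) for td in found if td is not None]


def reg_delete_fragment(entries: List[TrustedDomain]) -> str:
    """A .reg file that deletes each key ("[-key]" is regedit's delete syntax)."""
    body = "\n\n".join(f"[-{td.reg_key}]" for td in entries)
    return "Windows Registry Editor Version 5.00\n\n" + body + "\n"


# Sample: four of the O15 lines from the fix script posted in this thread.
SAMPLE_O15 = r"""
O15 - HKCU\..Trusted Domains: amaena.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: winfixer.com ([]* in Trusted sites)
"""
# Assumed analyst-supplied list: rogue "security product" brands named in the fix.
KNOWN_BAD = frozenset({"winfixer.com", "errorsafe.com", "drivecleaner.com", "systemdoctor.com",
                       "winantivirus.com", "winantispyware.com", "errorprotector.com"})

if __name__ == "__main__":
    results = analyse(SAMPLE_O15, KNOWN_BAD)
    for td, why in results:
        print(f"{td.reg_key}  scheme={td.scheme} zone={td.zone}  -> {why}")
    print(reg_delete_fragment([td for td, why in results if why.startswith("remove")]))
```

Zone 5 is not a valid IE zone, which is why OTL labels the aol.com\objects entry "out of zone range"; and a `*` grant into Trusted sites means every protocol for that domain runs under the relaxed Trusted-zone settings, so a wildcard grant for a domain the user does not recognise deserves a look even when it is not on a known-bad list.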



## eddie5659 (Mar 19, 2001)

Well, applying for a job whilst in a job, which is the best way. Still, it's not that easy over here 

Good to see that file is okay, just wanted to check it out 

Missed one file to remove, so can you do this as well:

Please run OTL.exe

Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:Files
C:\WINDOWS\System32\Status.MPF
:Commands
[purity]
[emptytemp]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot when it is done
It will produce a log for you on reboot, please post that log in your next reply.

---------

Any joy on downloading that media player now?


----------



## GMO (Dec 1, 2009)

Eddie, No luck downloading Media Player. I can't seem to get through the validation process. 
OTL Log:

All processes killed
========== FILES ==========
C:\WINDOWS\System32\Status.MPF moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.SUSAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gregg

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Susan Obbink
->Temp folder emptied: 350543 bytes
->Temporary Internet Files folder emptied: 219152 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 83434249 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49152 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 136704 bytes

Total Files Cleaned = 80.00 mb

OTL by OldTimer - Version 3.1.24.0 log created on 01212010_091726

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_728.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Please run the MGA Diagnostic Tool and post back the report it shall produce:

Download *MGADiag* to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.


----------



## GMO (Dec 1, 2009)

OK Eddie, here ya go, one MGA Diagnostic Report. FYI, the report herein has more information than I could see while viewing the "Windows" page in MGA. Starting near the bottom of the report where you'll see "Resolution Status: N/A", everything from there on down (WgaER Data--> on down) was not on the "Windows" page of the report.


Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-48VWH-T66HT-C7R2B
Windows Product Key Hash: H+mXaJKf2mqV6RqI0E31hdOez/E=
Windows Product ID: 55277-OEM-2111907-00108
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {71791EF2-2B18-4B47-B232-41B2FDD47B33}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_70AFE6BE-1223-800401f3_70AFE6BE-116-800401f3_63BB5E84-298-800401f3_E2AD56EA-85-800401f3_16E0B333-89-800401f3_78155E4D-232-800401f3
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 10864:MPC Computers
Marker string from OEMBIOS.DAT: micron,micron,micron,micron

OEM Activation 2.0 Data-->
N/A

Cheers, Gregg.


----------



## eddie5659 (Mar 19, 2001)

That's okay, I have the info I needed 

Okay, in Susan's account, try this first.

Go to the Control Panel and open Internet Options.

Click on the Security tab, make sure that Internet (the one with the globe) is highlighted, then click Custom Level.

Make sure the drop-down menu is set to Medium, and press Reset, then Yes.

If it's already on Medium, reset anyway.

Apply and OK.

Now, try the good old page again


----------



## GMO (Dec 1, 2009)

OK Eddie, can do. However, I have wireless internet and we're in the middle of an ice storm, so my download speed is about zero right about now, so I'll have to wait to try this. In the meantime, just to be sure: when you say "try the good old page again", do you mean try verifying and downloading Media Player 10 again? 
Thanks, Gregg.


----------



## GMO (Dec 1, 2009)

Eddie, OK, I did what you said above, and if you wanted me to try to validate and download Media Player 10 again, I did, and still cannot get validated. The message I get is:
Code not available. The validation code could not be obtained. This may be due to technical difficulties or you may be running an unsupported operating system. Please close this window and attempt the validation process again, or use the back button in your web browser to return to the download page. [Error code: 0x800401f3]

Is this what you wanted me to do and does this tell you anything?
Thanks, Gregg.


----------



## GMO (Dec 1, 2009)

Eddie, I don't know if this helps or not but, when I try to validate using Mozilla (as opposed to Microsoft Internet Explorer) I get this message:

*Validation Status: Action Required*

The validation process cannot continue because your web browser is not configured to run the script required by the validation process. To extend the functionality of a Mozilla-based Web browser, you can download the required plug-in and continue with the validation.
The following will help you fix this problem and continue with validation.


1. In the WgaPluginInstaller.exe pop-up window, select *Save File*.
2. *Open* the .exe and follow the steps to install the plug-in.
3. Once the plug-in is installed, click the *Refresh* button below to verify that the plug-in loaded correctly. [Refresh]
   Windows Genuine Advantage Plug-in loaded correctly.
4. If the message shows that the plug-in loaded correctly, then click the *Continue* button below to resume the validation process. [Continue]
5. If the message does not show that the plug-in is loaded correctly, you have two options. You may click on *Continue* to learn why the plug-in failed to install. Otherwise, you may click the *Validate Now* button below to launch the alternate validation process (optimized for browsers unable to run the original validation script). [Validate Now]

Gregg.


----------



## GMO (Dec 1, 2009)

Eddie, I did what they told me to do in my last post to you (under *Validation Status: Action Required*) and here is what I got:

*Microsoft Genuine Advantage Diagnostic Results*

- Passed: Active scripting allowed
- Passed: Display images enabled
- Passed: Computer time and date correct
- Passed: Cookies enabled
- Passed: Plug-ins enabled
- Failed: Microsoft Genuine Advantage plug-ins are installed and loaded
- Passed: Office validation ActiveX loaded
- Passed: Validation Self-help ActiveX loaded
- Failed: Microsoft Genuine Advantage plug-ins connect with Microsoft validation servers

Maybe this means something to you?? 
Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Firstly, yes, it was correct, the Media Player download site was the one I wanted you to re-try 

Now, lets see if this works:

http://support.microsoft.com/kb/971058

Just start with the *Default* option, and we'll go from there if need be. Choose the first option, where you click on a button to let Microsoft Fix it for you 

eddie


----------



## GMO (Dec 1, 2009)

Hey Eddie! It worked! I did the Microsoft Fix it thing then downloaded Media player 10. All is good here again! FYI I did need to configure the media player in my account again, the window popped up as soon as I tried to open the media player in my account, but all is well now. I'll see if everything works OK over the next couple days on both Susan and my account, but so far I have no reason to think otherwise.
Thanks! Gregg.


----------



## eddie5659 (Mar 19, 2001)

At last!!! :up:

It was fun getting there, but we did it. I tend to like these kinds of things (strange, I know), as I can get my teeth into them to try and solve them.

Let me know how it goes, then we can mark it solved


----------



## GMO (Dec 1, 2009)

Eddie, not that strange for some of us really. I, like you, like a challenge, which is why I chose to go this route (techguy.org) to fix my computer rather than taking it in to someone and having them do it. I still have little idea what all you did, but I do have a better idea of what is going on. 
I'll give it a few days here, but so far so good! I do still have some of the tools that we downloaded on Susan's desktop. I suppose I should clean up??
Thanks again! Gregg.


----------



## eddie5659 (Mar 19, 2001)

The strange thing is, what can fix one person's computer may not fix another's, so it's a lot of 'trying new things' 

Okay, had a quick look thru to see what we used on Susan's account, so hopefully this will be them all:

Please run OTL. 

Click *Clean Up* button. 
Accept any prompts. 
This will remove any tools we used, including OTL, and will require a reboot.

If, after the reboot, the following are still there, do this:

You can delete the *DelDomains.inf* program off your Desktop.

You can delete the *MGADiag.exe* program off your Desktop.

eddie


----------



## GMO (Dec 1, 2009)

Hey Eddie, Any word on the job? Also, how's the "car in the front room" debacle?? 
OK, I ran OTL clean up and here's what I still have on the desktop: ComboFix (renamed Project), Microsoft Fix it 50202, and some other Windows Installer tool, "Security Descriptor and Migration and Editing Tool" (subinacl), that I have no recollection of downloading or using (but that doesn't say anything), and MGA diagnostic and Deldomains (which I'll delete as you suggested). Do I need to keep any of this other stuff around? Oh yeah, the media player seems to be working fine!
Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Hi Gregg

No word on that job, but I have up to 4 weeks to wait, and if no reply, I've no interview. 3 weeks to go 

Still applying for many others though 

As for the lovely window, still waiting for the insurance to come thru, though the landlord was round last night so work may start very soon.

Okay, the tools:

*Follow these steps to uninstall Combofix and some tools used in the removal of malware. This will also clean out and reset your Restore Points*


 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Then, if it's still not removed, manually delete the file on the desktop. Also, after running the above, see if you have this file:

C:\Project

If so, manually delete that as well.

I assume Microsoft Fix it 50202 is the program that you used to fix media player in the end. If so, just delete that.

Is SubInACL this:

http://www.microsoft.com/downloads/...56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

If so, not sure what it's doing on your computer, as it's mainly for Windows 2000/2003.

I would move that to another folder for now, say My Documents. If after a week or so there is no problems, just delete it.

That's if it is that program. If you right-click on it and select Properties then Version, it should give you more information.

eddie


----------



## GMO (Dec 1, 2009)

OK Eddie, I did the ComboFix /u in the "run" box. It produced a log, and I know you didn't ask for it but I've included it FYI. I manually deleted C:\Project, and MicrosoftFix it 50202 from my desktop. As for Subinacl, I don't think it's http://www.microsoft.com/downloads/d...displaylang=en. Isn't that the site you gave me to get the media player 10 download from?? Anyway, when I hold the mouse over Subinacl it says this:
Type: Windows Installer Package
Author: Microsoft Corp
Title: Security Descriptor Migration and editing Tool
Subject: Security Descriptor Migration and editing Tool
This installer database contains the logic and data required to install Subinacl.exe.
Date Modified: 3/26/2009
Size: 370 KB

I did spend copious amounts of time last March with the folks at Microsoft trying to get SP2 loaded on this machine; I think it's left over from then?

ComboFix log:

ComboFix 10-02-04.06 - Susan Obbink 02/04/2010 22:46:05.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.195 [GMT -6:00]
Running from: c:\documents and settings\Susan Obbink\Desktop\Project.exe
Command switches used :: /u
AV: Norton AntiVirus Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET61D.tmp
c:\program files\Internet Explorer\SET87D.tmp
c:\program files\Internet Explorer\SET944.tmp
c:\program files\Internet Explorer\SETA1B.tmp
c:\program files\Internet Explorer\SETA70.tmp
c:\program files\Internet Explorer\SETACB.tmp
c:\program files\Internet Explorer\SETF88.tmp

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-02 17:00 . 2010-02-02 17:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-02 15:52 . 2010-02-02 15:52 -------- d-----w- c:\documents and settings\Susan Obbink\Local Settings\Application Data\Qwest
2010-02-02 15:51 . 2010-02-02 15:51 -------- d-----w- c:\documents and settings\Susan Obbink\Local Settings\Application Data\SupportSoft
2010-02-02 14:34 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-02 14:34 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-02 04:27 . 2010-02-02 04:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-02 04:27 . 2010-02-02 04:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-02 04:26 . 2010-02-03 03:52 -------- d-----w- c:\windows\system32\drivers\NAV
2010-02-02 04:26 . 2010-02-02 04:26 -------- d-----w- c:\program files\Windows Sidebar
2010-02-02 04:26 . 2010-02-02 04:26 -------- d-----w- c:\program files\Norton AntiVirus
2010-02-02 04:26 . 2010-02-02 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-02 04:26 . 2010-02-02 04:26 -------- d-----w- c:\program files\NortonInstaller
2010-02-02 04:22 . 2010-02-02 04:22 -------- d-----w- c:\program files\Qwest Personal Digital Vault
2010-02-02 04:01 . 2010-02-02 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-02 03:56 . 2010-02-02 03:56 -------- d-----w- c:\program files\Microsoft
2010-02-02 03:55 . 2010-02-02 03:55 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-02 03:55 . 2010-02-02 03:56 -------- d-----w- c:\program files\Windows Live
2010-02-02 03:55 . 2006-11-29 19:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-02-02 03:51 . 2010-02-02 03:51 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-02 03:50 . 2010-02-02 03:50 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-02 03:49 . 2010-02-05 03:11 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-02 03:15 . 2010-02-02 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Qwest
2010-02-02 03:14 . 2010-02-02 03:15 -------- d-----w- c:\windows\XSxS
2010-02-02 03:14 . 2010-02-02 03:14 -------- d-----w- c:\program files\Xenocode
2010-01-28 01:40 . 2010-01-28 01:40 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-28 01:40 . 2010-01-28 01:40 -------- d-----w- c:\program files\MSBuild
2010-01-28 01:39 . 2010-01-28 01:39 -------- d-----w- c:\program files\Reference Assemblies
2010-01-28 01:39 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-28 01:39 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-28 01:39 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-28 01:39 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-28 01:39 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-28 01:39 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-28 01:39 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-28 01:39 . 2010-01-28 01:39 -------- d-----w- C:\0791f2a5bb396fce5bc1e4e712bbab22
2010-01-28 01:39 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-28 01:39 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-26 19:45 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-26 19:44 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-26 19:40 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-26 19:28 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-01-10 03:54 . 2010-01-10 03:56 -------- d-----w- c:\program files\iTunes
2010-01-10 03:54 . 2010-01-10 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-10 03:53 . 2010-01-10 03:53 -------- d-----w- c:\program files\Bonjour
2010-01-10 03:52 . 2010-01-10 03:52 -------- d-----w- c:\program files\Apple Software Update
2010-01-10 03:52 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-01-10 03:52 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-10 03:51 . 2010-01-10 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-10 03:51 . 2010-01-10 03:55 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 02:51 . 2002-08-15 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-05 02:51 . 2007-08-01 17:04 -------- d-----w- c:\program files\Qwest
2010-02-04 14:47 . 2010-02-05 03:19 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\NAVEX15.SYS
2010-02-04 14:47 . 2010-02-05 03:19 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\NAVENG.SYS
2010-02-03 20:49 . 2006-06-02 21:57 -------- d-----w- c:\documents and settings\Susan Obbink\Application Data\Canon
2010-02-03 03:51 . 2004-09-14 20:01 19872 -c--a-w- c:\documents and settings\Susan Obbink\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 06:11 . 2002-08-15 15:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-02 04:51 . 2010-02-05 03:19 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\EECTRL.SYS
2010-02-02 04:51 . 2010-02-05 03:19 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\CCERASER.DLL
2010-02-02 04:51 . 2010-02-05 03:19 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\ECMSVR32.DLL
2010-02-02 04:51 . 2010-02-05 03:19 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\NAVENG32.DLL
2010-02-02 04:51 . 2010-02-05 03:19 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\NAVEX32A.DLL
2010-02-02 04:51 . 2010-02-05 03:19 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20100204.024\ERASER.SYS
2010-02-02 04:27 . 2002-08-15 15:03 -------- d-----w- c:\program files\Symantec
2010-02-02 04:27 . 2010-02-02 04:27 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-02 04:27 . 2010-02-02 04:27 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-02 03:48 . 2007-08-01 17:04 -------- d-----w- c:\program files\Common Files\supportsoft
2010-01-10 03:55 . 2005-05-16 18:10 -------- d-----w- c:\program files\iPod
2010-01-10 03:53 . 2003-11-08 15:29 -------- d-----w- c:\program files\QuickTime
2010-01-10 03:52 . 2005-05-16 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-08 05:45 . 2009-12-14 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 05:45 . 2010-01-04 04:37 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-12-14 21:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-12-14 21:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 05:33 . 2009-12-29 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-01 19:38 . 2002-10-26 18:27 -------- d-----w- c:\program files\GrabEasy2
2010-01-01 18:58 . 2007-01-08 05:28 -------- d-----w- c:\program files\Google
2010-01-01 17:39 . 2009-12-29 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-30 14:45 . 2009-12-30 14:46 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-30 14:42 . 2009-12-30 14:46 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-29 16:51 . 2009-12-30 14:46 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-29 16:51 . 2009-12-30 14:46 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-29 16:51 . 2009-12-31 14:27 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-12-29 16:51 . 2009-12-30 14:46 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2009-12-29 16:51 . 2009-12-29 16:51 -------- d-----w- c:\program files\AVG
2009-12-22 05:42 . 2009-03-27 02:05 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2009-03-27 03:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-19 16:54 . 2009-12-19 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-19 16:53 . 2004-02-27 03:04 -------- d-----w- c:\program files\Java
2009-12-19 16:36 . 2007-04-08 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-14 21:54 . 2009-12-14 21:54 -------- d-----w- c:\documents and settings\Susan Obbink\Application Data\Malwarebytes
2009-12-14 21:28 . 2009-12-14 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-05 04:54 . 2010-02-02 20:30 529456 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys
2009-12-05 04:54 . 2010-02-02 20:30 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\BHRules.dll
2009-12-05 04:54 . 2010-02-02 20:30 1405840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\BHEngine.dll
2009-12-05 04:54 . 2010-02-02 20:30 668720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx64.sys
2009-12-05 04:54 . 2010-02-02 20:30 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\bbRGen.dll
2009-11-25 04:29 . 2010-02-02 04:27 899320 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\CLT\cltLMSx.dll
2009-11-21 16:36 . 2009-03-27 02:05 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 17:48 . 2009-12-01 15:41 872960 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 17:48 . 2009-12-01 15:41 43008 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 17:48 . 2009-12-01 15:41 340480 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 17:48 . 2009-12-01 15:41 346624 ----a-w- c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-12 23:07 . 2009-11-12 23:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-01-07 05:16 . 2005-01-07 05:16 3763883 -c--a-w- c:\program files\wace26i4.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-19 149280]
"PCTVOICE"="pctspk.exe" [2001-06-15 155648]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"nwiz"="nwiz.exe" [2002-05-03 364544]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 45056]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2002-08-15 155648]
"HostManager"="c:\program files\Common Files\AOL\1102874169\ee\AOLSoftware.exe" [2008-11-06 41264]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"QwestTouchPointAgent"="c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe" [2009-12-21 45992]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2008-11-06 202016]
"Qwest Personal Digital Vault"="c:\program files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe" [2009-12-18 1064808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-1-4 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\Susan Obbink\My Documents\Greggs Work Transfers\EUDORA\EuShlExt.dll" [2006-01-09 86016]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\NVATray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"=
"c:\\WINDOWS\\msagent\\agentsvr.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [8/15/2002 8:51 AM 9088]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\symds.sys [2/2/2010 1:19 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\symefa.sys [2/2/2010 1:19 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys [2/2/2010 2:30 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\cchpx86.sys [2/2/2010 1:19 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\ironx86.sys [2/2/2010 1:19 PM 116272]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccsvchst.exe [2/2/2010 1:19 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/1/2010 10:51 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSXpx86.sys [2/2/2010 8:50 AM 329592]
S2 NeroSVC;NeroSVC;c:\program files\ahead\Nero\NeroSVC.exe [3/30/2001 5:10 PM 73728]
S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [4/25/2000 6:01 AM 35694]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [8/15/2002 8:51 AM 328448]
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-15 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffaoldesktop-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://undefined/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Susan Obbink\Application Data\Mozilla\Firefox\Profiles\011km8n2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-02-04 23:07:23
ComboFix-quarantined-files.txt 2010-02-05 05:07

Pre-Run: 5,037,367,296 bytes free
Post-Run: 5,151,653,888 bytes free

- - End Of File - - B81E3B8C344055FC80F2E70D5DAE1365


----------



## eddie5659 (Mar 19, 2001)

Not sure why it would give you that log, as you were only uninstalling it 

Anyway, its gone now, that's the main thing 

As for the link, it's a different link I posted. It's for SubInACL (SubInACL.exe). It may look the same here in the forums, as all long links get shortened, so it looks neater 

Still, as you were working through things with Microsoft, like you say that may just be some leftovers. If you're not too sure, just pop it into My Documents and if after a while nothing is asking for it, just delete it


----------



## GMO (Dec 1, 2009)

Hey Eddie, sorry about the delay in responding. I've been tied up with changing Internet providers, and also, I wanted to make sure all was working correctly. I am pleased to announce that everything seems to be working just fine and my desktop is cleaned up! Of course it's your call, but I believe you can call this one solved! I am very grateful for all of your time and expertise, and would like to donate to the cause. Do you have any suggestions as to what a respectable donation would be??
Thanks, Gregg.


----------



## eddie5659 (Mar 19, 2001)

Excellent to hear the news, I can now happily mark this one Solved 

For donations, my bank account is........... 

Only kidding 

Any amount is greatly received, no matter how small you can donate as it all goes towards the servers, etc 

This is all about it:

http://www.techguy.org/donate.html

It was a long journey to get there, but it was a learning path for me at some points, especially the media player 

Tata for now

eddie


----------



## GMO (Dec 1, 2009)

Eddie, yes, I believe you can mark it solved! It was interesting, a learning experience, and dare I say, fun? Thank you again for all your expert help, advice, and of course patience. You say it was a "long journey"; not counting the media player, did this one take longer than normal? Is there a "normal"?? How long do you generally spend on something like this? Hopefully I can keep my machine clean from now on. One interesting thing to note, FYI: I have no idea how much malicious stuff, or viruses, you found and removed, but a couple of the files, the ones that were removed from the media player, 

( C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 1. )
and
( C:\Documents and Settings\Susan Obbink\My Documents\My Music\Tom's Music\Snow Patrol\Final Straw\Snow Patrol - Bonus Track 2. )

I know were downloaded years ago and have been there for a long time, for what that's worth??

Thanks again, Gregg


----------



## eddie5659 (Mar 19, 2001)

Well, in the malware forum, it's not as easy as it was a few years ago. Back then, you could run a few programs and *poof*, the computer is clean.

Nowadays, there are so many out that, and the tools as you know, produce long logs which take a while to look at. Still, I like a challenge.

As for other forums, I did do one that last for 16 pages (think that was Adobe Premier) which involved all sorts.

Then, there was one that lasted 16 months, off an on. That was Windows Media Encoder, but as you may have realised, in the malware forum, only those authorised to remove malware and the original poster can reply, so its easier.

In the other forums, all can reply. In the first one, no-one popped in, so it was me all the way.

The second, others did reply, but with similar problems. Ended up solving a few in the same thread, and then finally the original problem.


I do miss the other forums, as once you're in this malware forum, it's like the door is jammed, and I can't get out. So many threads, and only a handful can fix at any one time, due to how long they take.

I may venture outside soon, and hit a random forum. In fact, you can help me, if you want.

Looked at the ones I can work on, in the main page. Can you throw a number between 1-20 for me? It's pretty easy to figure out what they are, but I know I should get another forum, and work on it as well.


-----

Ah, the malicious files: Well, I can do a summary if you wish, won't take me long. It's actually an interesting question, as many just see us say 'run this tool' and 'now do this fix' without knowing what is going on.

The ones you listed above will have been embedded in media player for a long time, which is why it stopped working when we removed them.

eddie


----------



## GMO (Dec 1, 2009)

Hey Eddie, Still looking for a new forum?? How about lucky number 13?
Gregg


----------



## eddie5659 (Mar 19, 2001)

Hmmm, 13 is Windows Server, and Networking I have no idea on.

I have a second choice, between Windows XP or Earlier Versions of Windows (NT, 95, 98, 2000, or Me)

You decide, as I'm happy in either one, though one looks like it may be interesting


----------



## GMO (Dec 1, 2009)

Well by all means, take the one that will be the most interesting. After all that's what it's all about right?


----------



## eddie5659 (Mar 19, 2001)

Thanks mate, will pick the older versions of Windows.

Number 13 was Servers (just count from General Security downwards on the main page). As that was a no-way for me, the 2 that were either side were XP and Earlier. So, I chose Earlier, as I used to have Windows 95, 98, 2000 and NT.


And thank you for sending the message to the Admins saying thanks, it really did brighten up my day seeing it when they posted it for me in the Moderator's forum.

It makes a lot of what we do, not just us in malware but the countless others in the other forums, rewarding and happy when we solve a problem. But, when we get a reply or message saying thank you, it makes it more worthwhile.

I'll send you the specs for my new gaming computer, nothing fancy, just a nice quad core with a decent motherboard, and a......................


Only kidding

If you have any issues in the future, just let me know, and I'll have a look for you (as long as it's not networking).

eddie


----------



## GMO (Dec 1, 2009)

Eddie, Yes the note to the Admins, just my way of expressing my gratitude. As for your new gaming computer, I don't think you want me shopping for your computer needs, I'm not sure I even know what a "quad core" is!! Thanks again and I'll be sure to let you know if I have any trouble, it won't be networking, can't be I don't think, I only have two computers and they don't talk to each other.
Thanks again for all your help! Gregg.


----------



## eddie5659 (Mar 19, 2001)

I was only kidding about the gaming pc, as I have a new cpu to put in. It's not as fast as a quad, but faster than the one I have at the moment.

Like I say, any problems in the future, just drop me a message.

eddie


----------



## GMO (Dec 1, 2009)

Hey Eddie, I've been meaning to tell you, but wasn't sure of protocol regarding idle banter on the forums. I worked in Guildford England (about 30 to 40 minutes southwest on the train from Gatwick) fairly regularly over two years, from 2005 to 2007 I think. I would be there anywhere from a week to a month, and went to Portsmouth to work a time or two also. At Guildford I was working with the chaps at The University of Surry/Surrey Satellite Technology Limited. We bought a satellite bus from SSTL and were doing the system integration and environmental testing with them, which is how we found ourselves down at Portsmouth, doing the system vibration testing. Naturally when time permitted, mostly on weekends, we toured as much as we could, Portsmouth, Brighton, and mostly in and around London. I even had a chance to get Susan there for two weeks or so over what is our Thanksgiving, but was during the "lights on" celebrations in London, and Guildford. Very cool! Needless to say, over the more than two years I was traveling there, I was in England during just about every season. I managed to see most of what London has to offer from the many museums to the obvious stuff like, St. Paul's Cathedral, Westminster Abbey etc. There was an airplane buff working with us, so we went to see 2 or 3 WWII air fields/air museums. I walked through a Concorde at one of them. Brighton was really unique, I was there twice but would have liked to go back more, it was about 1/2 hour or so on the train. Some really really memorable people, things to see and times. I made some good friends while there, at work as well as in some of the local pubs. I was fortunate enough to see and get on the Cutty Sark before she burned a while back (2007 I think), what a bummer that was! I have many lifetime memories of my times and friends in the UK.
I see where Bradford is way the heck up there, half way to Scotland it looks like. About as far north as the Isle of Man, which reminds me of the time I met a guy from the Isle of Man here in the US in, of all places, Espanola New Mexico. He was quite an interesting fella. Anyway I thought I'd let you know that, and by the way, if you're ever in the US and more specifically, Minnesota, (I can't imagine why but one never knows) be sure to let me know.
Gregg


----------



## eddie5659 (Mar 19, 2001)

It's okay for a banter here, good a place as any.

I have actually lived down in Eastbourne, which is very near Brighton, so I know that area well.

Bradford has some great curry houses, but there's not that much happening there lately. The Yorkshire Moors are nice, and I've walked up something called the 1st of the Three Peaks.

I've been on holiday to Florida, mainly Orlando and Tampa Bay. It was a long time ago, so would be nice to go back sometime.

Good grief, just looked where Minnesota is, and it's at the top. Watching something on iPlayer last night about Yellowstone, so not sure where that is near you, as it's near the top I'm guessing.

Not sure if you can view this, but pretty sure you will be able to:

http://www.bbc.co.uk/iplayer/episode/b00jc6p6/Yellowstone_Winter/

Scotland is a lovely country, been to Inverness and even applied for a job here, of all places:

http://www.undiscoveredscotland.co.uk/thurso/thurso/index.html

If you look on the top left, the red dot is where it is.

eddie


----------



## GMO (Dec 1, 2009)

Yes, Scotland. Susan and I have talked about visiting Scotland, Ireland too. I'd love to go to both places some time. Interesting you should mention Florida. Most of the British I talked with that had been to the US had gone to Florida, for the sunshine and warm weather I would imagine. I worked in Florida extensively, in the Cocoa Beach, Titusville area because of the launch facility at Cape Kennedy/Cape Canaveral. I never got too far from that area though.
Yes Minnesota borders Canada, not my first choice of places to live but this is where both our families are and we moved here about 2 years ago after I retired. We like it, it does have a lot to offer, but I'd prefer New Mexico, much warmer, drier, and a lot of sunshine. I spent most of my career in New Mexico (Los Alamos).
Yellowstone is incredible. My dad loved to travel to the mountains so every year when I was growing up we piled into the car and drove out west. Needless to say Yellowstone was one of the many places we visited. For a while I owned 10 acres of land just outside of Bozeman Montana, which is just north of Yellowstone, so I've been there many times. Yellowstone is remarkable any time of year, but winter is especially unique due to all the hot springs. Summers tend to be much more crowded, but summer and winter are entirely different experiences, I would recommend both but if you had to choose one I'd go in the winter. Yellowstone is almost entirely in Wyoming (in the north west corner of Wyoming) so it's quite a ways from Minnesota, at least a day and a half, probably more like two days' drive from here. The further west in the US you get the bigger the states get. Minnesota is the 12th largest state, just smaller than the UK, and Wyoming is the 10th largest, slightly bigger than the UK, so driving from state to state in the western US is no small task.
When I tried to view the site you sent on Yellowstone I got this message: "Currently BBC iPlayer TV programmes are available to play in the UK only, but all BBC iPlayer Radio programmes are available to you." So needless to say I could not view it.
Inverness is a long way up there. Looks pretty cool though, it would be neat living near the water. One of the things I can never seem to get over is the amount of history in the UK and Europe. The US has only been around for a couple hundred years, so by comparison, we have no history. You have many many buildings in the UK that are much much older than _anything_ in the US.


----------



## eddie5659 (Mar 19, 2001)

Well, I would love to visit Yellowstone in the Winter, but my girlfriend wants hot weather, so we'll have to make a compromise. May go in Summer with her, and Winter with my mate, who loves cold weather as well.

Talking of cold weather, I applied for a job in the strangest of places a few years back. Didn't get it, but it's the only letter I have ever kept, for a rejection of a job.

Now, what landmarks were there? Er......er......er......

Well, this is the place: Antarctica.

And this was the company:

http://www.antarctica.ac.uk/

See, told you I like cold places.

It would have been 6 months out there, 6 months back at home (well, Cambridge to work). Not all the jobs are out in the middle of nowhere.

This is where I would have lived:

[image of the base, not reproduced here]

It's a shame you couldn't see the clip, it was a good film about Yellowstone, mostly at Winter.

Will have a look for the future on getting up there, once I sort some things out.


----------



## eddie5659 (Mar 19, 2001)

Thought I'd post this, as I went for an interview today. First, I was going for this job:



> Date Posted: Wednesday, 17th of February 2010
> 
> Salary: Competitive
> 
> ...


==========

And this was my reaction today:

Well, that was SHEER HELL

Why? Well, it was nothing like I posted above. In the above, it says Analyst who just does some dissolution testing.

The advantageous part (NOT ESSENTIAL) was the method development.

When I got there, and sat in the interview, they said it was purely method development. I have no idea on this area at all, and explained that the job description on the advert was misleading.

Damn agencies

So, I sat through the 2 hour interview, answering some of the questions which were PURE chemistry. It was like they were speaking in tongues in front of me, then asking me a question based on it.

For example, just grabbed this off a website:

http://www.organic-chemistry.org/synthesis/heterocycles/pyridines.shtm

So, they started by saying, for example, this:

*So then, a one-pot synthesis of substituted pyridines via a domino cyclization-oxidative aromatization approach is based on the use of a new bifunctional noble metal-solid acid catalyst, Pd/C/K-10 montmorillonite and microwave irradiation. The cyclization readily takes place on the strong solid acid while palladium dehydrogenates the dihydropyridine intermediate.

How would you start to create a method based on that? *

And I was just like

WHAT THE HELL WAS THAT (in my head) and struggled through an answer.

If I get this, it will be a flaming miracle.

----

So, I start a second job on Monday, so getting home at 9.30 every night, as it's 2 jobs a day. Need the money, and as soon as I'm sorted, back to one job I go.

Of course, if I get a decent job.....


----------

