INFECTED PLEASE HELP


This topic is locked. 61 replies to this topic.

#1 MARIANNE97 (Authentic Member, 36 posts)

Posted 07 November 2011 - 01:03 AM

Hi, I am having terrible problems today with my PC. When I ran Malwarebytes it came up with several malware including JS Downloader (2) kinds. It is the fake spyware site that started coming up. Now Malwarebytes is coming up clean but I can't find any of my files and my start menu is empty. Here are the logs that you suggested I get on your start page.

Thank you,

Mary M.

Attached File: OTL.Txt (55.42KB, 297 downloads)



#2 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 07 November 2011 - 08:58 AM

Hello MARIANNE97 and :welcome:

My name is JonTom

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

There is no need to attach any logs, just post them directly into your replies.

Have you run any temporary file cleaners recently? Please do let me know if you have, and from this point forward, do not touch your temporary files.

When I ran Malwarebytes it came up with several malware including JS Downloader (2) kinds

I would like to see the log that lists the malware that was removed. You should be able to find it by opening MBAM and clicking on the logs tab.

When you ran OTL, two logs would have been created. You posted the otl.txt but I would also like to see the extras.txt :)

  • Unhide
    • Download and run unhide.exe by grinler from here and save the file to your desktop.
    • Run the tool and allow it to complete.

  • Please scan your system with GMER
    • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Please post the MBAM log, the otl extras.txt log and the GMER log in your next reply, and let me know if your files/start menu items have returned after running unhide :)

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
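JonTom asks above for the MBAM log that lists what was removed. As an added example (not code from this thread, from JonTom, or from Malwarebytes), the Python below parses a Malwarebytes' Anti-Malware 1.5x text log of the kind posted later in this thread into structured detections, checks that each summary counter matches the lines actually listed under it (a cheap way to notice a truncated or edited paste), and pulls out the registry settings MBAM reset, which is where symptoms such as a hidden desktop or an empty Start menu come from. The log layout is the only assumption; `SAMPLE_LOG` is copied from the second MBAM log in this thread, and the function names are the example's own.

```python
"""Parse and sanity-check Malwarebytes' Anti-Malware 1.5x text logs.

Added example for this thread, not code from the forum or from Malwarebytes.
Assumed layout (as in the logs posted in this thread): "Database version:" and
"Scan type:" header lines, a block of "<Category> Infected: N" counters, then
one "<Category> Infected:" section per category containing either
"(No malicious items detected)" or one detection per line shaped like
"<path or registry key> (<ThreatName>) -> <action>".
"""
import re
from collections import Counter
from dataclasses import dataclass, field

COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    category: str   # section the line came from, e.g. "Files Infected"
    item: str       # file path or registry key/value
    threat: str     # MBAM threat name, e.g. "PUM.Hijack.StartMenu"
    action: str     # what MBAM did, including any "Bad: (x) Good: (y)" detail


@dataclass
class MbamLog:
    database_version: str = ""
    scan_type: str = ""
    counts: dict = field(default_factory=dict)      # category -> counter value
    detections: list = field(default_factory=list)  # Detection objects


def parse_mbam_log(text: str) -> MbamLog:
    """Walk the log line by line, remembering which detection section is open."""
    log = MbamLog()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            log.database_version = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            log.scan_type = line.split(":", 1)[1].strip()
        elif (m := COUNT_RE.match(line)):
            log.counts[m["category"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            section = m["category"]
        elif section and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                log.detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return log


def count_mismatches(log: MbamLog) -> dict:
    """Categories whose counter disagrees with the lines listed: {category: (claimed, listed)}.
    A mismatch usually means the log was truncated or edited before it was pasted."""
    seen = Counter(d.category for d in log.detections)
    return {cat: (n, seen.get(cat, 0)) for cat, n in log.counts.items() if n != seen.get(cat, 0)}


def threat_families(log: MbamLog) -> Counter:
    """Number of detections per MBAM threat name."""
    return Counter(d.threat for d in log.detections)


def tampered_settings(log: MbamLog) -> list:
    """Names of the registry data items MBAM reset (the hidden-desktop / empty-Start-menu switches)."""
    return [d.item.rsplit("\\", 1)[-1] for d in log.detections
            if d.category == "Registry Data Items Infected"]


# Copied from the second MBAM log posted in this thread (shortened to the relevant sections).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8101
Scan type: Quick scan
Objects scanned: 248481
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\D478.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(f"db {parsed.database_version}, {parsed.scan_type}, {len(parsed.detections)} detections")
    print("threat families:", dict(threat_families(parsed)))
    print("settings MBAM reset:", tampered_settings(parsed))
    print("counter mismatches:", count_mismatches(parsed) or "none")
```

Running it on a pasted log gives the helper a one-screen summary instead of a 60-line wall; the `Bad: (1) Good: (0)` entries for `NoDesktop` and `DisableTaskMgr` are the ones that explain the missing desktop and Start menu items MARIANNE97 describes.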

#3 MARIANNE97 (Authentic Member, 36 posts)

Posted 07 November 2011 - 12:20 PM

Hi JonTom, I was trying to get the logs to you but now it keeps redirecting me to other places on the web when I try to reach your site. The logs are on the desktop of that computer. I saved all of the MBAM logs, HijackThis log and OTL (both logs). I'm afraid to send them to this computer. We have 3 computers on the network but the other 2 do not seem to be affected yet.

Thank you,

Mary M.

#4 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 07 November 2011 - 12:54 PM

Hello MARIANNE97

We have 3 computers on the network but the other 2 do not seem to be affected yet

Let's try to keep it that way :)

The first thing you need to do is disconnect the infected machine from the network (this will isolate it and prevent the infection from spreading to the other machines it is connected to).

Next, we will need to use a removable storage device (such as a flash drive/USB memory stick) to transfer the required logs to a different machine so you can post them back here without being redirected.

Before we do this, I would like you to use one of the uninfected machines to download and run one of the following tools first to reduce the chances of cross-infection.

If the uninfected machine runs on XP use the following tool:

  • Please download Flash Disinfector
    • Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
    • Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
    • The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
    • Wait until Flash disinfector has finished scanning and then exit the program.
    • Reboot your computer.

If it runs on Vista/Win 7 use this one instead:

  • AutoRun Eater
    • Download Autorun Eater and save it to your desktop.
    • Plug all of your removable storage devices into the machine (USB sticks etc) and run the tool.

Once you have used one of the above tools on the flash drive, transfer the logs from the infected machine to the flash drive and then post them here using the uninfected machine.

Please let me know if you have run unhide and whether you can now see the items in your Start Menu.

If you encounter any problems just come back and let me know :)


#5 MARIANNE97 (Authentic Member, 36 posts)

Posted 07 November 2011 - 07:39 PM

Hi JonTom :) Thank you, I found a way to open the email and click your link on the infected machine so that makes it a lot easier to post the logs. So here we go...there are a lot of them. Thank you very much for helping resolve this.

(LOG 1)
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8094

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/5/2011 10:15:59 PM
mbam-log-2011-11-05 (22-15-59).txt

Scan type: Quick scan
Objects scanned: 220065
Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\Desktop\.url (Malware.Trace) -> Quarantined and deleted successfully.

(Log 2)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8101

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/6/2011 10:05:09 PM
mbam-log-2011-11-06 (22-05-09).txt

Scan type: Quick scan
Objects scanned: 248481
Time elapsed: 15 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\D478.tmp (Exploit.Drop.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.

(LOG 3)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8101

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/6/2011 10:56:37 PM
mbam-log-2011-11-06 (22-56-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 333015
Time elapsed: 46 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{8c6394f0-34fb-428c-aa05-48b4e64f8c88}\RP1036\A0141579.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{8c6394f0-34fb-428c-aa05-48b4e64f8c88}\RP1036\A0141580.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


(LOG 4)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8101

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/6/2011 11:13:08 PM
mbam-log-2011-11-06 (23-13-08).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:

(LOG 5)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8101

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/6/2011 11:27:03 PM
mbam-log-2011-11-06 (23-27-03).txt

Scan type: Quick scan
Objects scanned: 248511
Time elapsed: 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(LOG 6)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8104

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/7/2011 12:37:00 AM
mbam-log-2011-11-07 (00-37-00).txt

Scan type: Quick scan
Objects scanned: 247972
Time elapsed: 11 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


(LOG 7)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8105

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/7/2011 1:46:38 AM
mbam-log-2011-11-07 (01-46-38).txt

Scan type: Quick scan
Objects scanned: 248112
Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


(LOG 8)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8105

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2011 9:33:21 AM
mbam-log-2011-11-07 (09-33-21).txt

Scan type: Quick scan
Objects scanned: 249522
Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


(LOG 9)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8105

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2011 11:09:39 AM
mbam-log-2011-11-07 (11-09-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 328457
Time elapsed: 33 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(OTL LOG)

OTL logfile created on: 11/7/2011 1:15:33 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.17 Mb Total Physical Memory | 668.73 Mb Available Physical Memory | 74.70% Memory free
2.12 Gb Paging File | 1.99 Gb Available in Paging File | 93.63% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 47.46 Gb Free Space | 63.69% Space Free | Partition Type: NTFS

Computer Name: OWNER-BZ2MQ7E6C | User Name: Owner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)


========== Driver Services (SafeList) ==========

DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 15 BD 6E 14 AB DF D9 49 AE 04 01 21 C8 32 35 AA [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/11/06 16:51:38 | 000,000,884 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.240.131 www.google.com
O1 - Hosts: 94.63.240.132 www.bing.com
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [volmgr] %APPDATA%\volmgr.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1221784093359 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1256451306250 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{722AA42D-3320-47D2-A261-FC87E700BDDD}: DhcpNameServer = 68.87.72.134 68.87.77.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/18 12:42:24 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0a9b33de-b5d1-11dd-a5fd-001e90fcd973}\Shell - "" = AutoRun
O33 - MountPoints2\{0a9b33de-b5d1-11dd-a5fd-001e90fcd973}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0a9b33de-b5d1-11dd-a5fd-001e90fcd973}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/...654268391798973
O33 - MountPoints2\{dcbf51f4-85ae-11dd-a533-001e90fcd973}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dcbf51f4-85ae-11dd-a533-001e90fcd973}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
O33 - MountPoints2\{dcbf51f4-85ae-11dd-a533-001e90fcd973}\Shell\Explore\command - "" = E:\system.exe
O33 - MountPoints2\{dcbf51f4-85ae-11dd-a533-001e90fcd973}\Shell\Open\command - "" = E:\system.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/07 01:15:08 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/11/06 19:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/06 19:48:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/06 19:48:36 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/06 19:48:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/06 18:17:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/11/06 16:55:40 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/11/06 05:46:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/06 05:46:07 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/10/19 21:05:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\GQXUVTWGYG
[2011/10/18 16:30:49 | 000,000,000 | -H-D | C] -- C:\extensions
[2011/10/18 16:30:48 | 000,000,000 | -H-D | C] -- C:\Program Files\Conduit
[2011/10/18 16:30:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Temp
[2011/10/18 16:30:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit
[2011/10/18 16:29:45 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2011/10/16 03:12:52 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Application Data\SulusGames
[2011/10/16 03:12:52 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[2011/10/16 03:11:56 | 000,000,000 | -H-D | C] -- C:\Program Files\Strange Cases - The Tarot Card Mystery
[2011/10/16 03:11:56 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Strange Cases - The Tarot Card Mystery
[2011/10/16 03:09:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/10/16 03:09:36 | 000,000,000 | -H-D | C] -- C:\Program Files\bfgclient
[2011/10/16 03:08:30 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
[2011/10/10 18:04:08 | 000,000,000 | -H-D | C] -- C:\Temp
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/07 01:15:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/11/07 01:12:48 | 000,000,244 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Support for Windows Internet Explorer 6, 7, 8, and 9.url
[2011/11/07 01:12:16 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/07 01:12:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/07 00:34:26 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2011/11/07 00:16:44 | 000,001,466 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Privacy Protection.lnk
[2011/11/06 20:14:58 | 000,000,194 | -HS- | M] () -- C:\Program Files\Common Files\winset.ini
[2011/11/06 19:48:40 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/06 19:11:56 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/06 16:51:38 | 000,000,884 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/06 06:04:11 | 000,432,784 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/06 06:04:11 | 000,067,740 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/06 05:19:27 | 000,009,075 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\CAT LITTER1.jpg
[2011/11/06 05:19:27 | 000,008,515 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\KITTY LITTER CAKE.jpg
[2011/11/06 05:18:57 | 000,009,831 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\CAT LITTER.jpg
[2011/11/06 05:07:53 | 000,000,211 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Google.url
[2011/11/05 23:13:49 | 000,000,184 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Hoosier Lottery.url
[2011/11/05 20:30:38 | 000,035,122 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-wrap-your-head-around-that-math.jpg
[2011/11/05 20:30:37 | 000,048,042 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-its-important-to-know-where-to-measure-from.jpg
[2011/11/05 17:46:51 | 000,029,943 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\jeffrey-campbell-lita-shag.jpg
[2011/11/05 03:51:58 | 000,000,179 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\LoudCity.com.url
[2011/11/04 08:48:16 | 000,000,301 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Documentapril.rtf
[2011/11/04 08:20:54 | 000,020,553 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Important Information Regarding the National EAS Test on Nov_ 9.eml
[2011/11/02 19:35:00 | 000,012,734 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\JOB CREATED.jpg
[2011/11/02 19:03:52 | 000,302,346 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Find area code lookup by number on WebShoppingHelper.mht
[2011/11/02 03:45:00 | 000,000,472 | -H-- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/10/24 03:18:51 | 000,000,119 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\dayam YOU AUTOCORRECT.url
[2011/10/21 21:13:52 | 000,010,467 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\JEALOUS WOMEN.jpg
[2011/10/21 02:47:09 | 000,000,139 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Tippecanoe Waste Removal, Inc Home.url
[2011/10/17 04:03:42 | 000,001,210 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Earmarks Map – 2011 Requests Ending Spending EndingSpending.com.url
[2011/10/17 03:20:21 | 001,333,597 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Jakie_time_out_lol.jpg
[2011/10/15 20:09:32 | 000,414,368 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/13 17:57:09 | 000,148,400 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/13 03:30:49 | 000,001,393 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/11 17:11:59 | 000,882,519 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Conjoined twins 34 amazing photos (GRAPHIC IMAGES) Pictures - CBS News.mht
[2011/10/11 15:13:51 | 000,007,919 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Be Strong and Save Now with Os-Cal.eml
[2011/10/11 04:26:38 | 000,000,172 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Free Polls, Questions, and Answers, News Discussions - SodaHead.url
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/06 23:40:04 | 000,000,244 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Support for Windows Internet Explorer 6, 7, 8, and 9.url
[2011/11/06 20:03:26 | 000,000,194 | -HS- | C] () -- C:\Program Files\Common Files\winset.ini
[2011/11/06 20:01:12 | 000,001,466 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Privacy Protection.lnk
[2011/11/06 19:48:40 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/06 05:47:25 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/06 05:25:28 | 000,008,515 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\KITTY LITTER CAKE.jpg
[2011/11/06 05:20:34 | 000,009,075 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\CAT LITTER1.jpg
[2011/11/06 05:19:22 | 000,009,831 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\CAT LITTER.jpg
[2011/11/05 20:34:15 | 000,035,122 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-wrap-your-head-around-that-math.jpg
[2011/11/05 20:32:09 | 000,048,042 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\funny-facebook-fails-its-important-to-know-where-to-measure-from.jpg
[2011/11/05 17:52:54 | 000,029,943 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\jeffrey-campbell-lita-shag.jpg
[2011/11/04 08:48:16 | 000,000,301 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Documentapril.rtf
[2011/11/04 08:20:54 | 000,020,553 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Important Information Regarding the National EAS Test on Nov_ 9.eml
[2011/11/02 19:36:28 | 000,012,734 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\JOB CREATED.jpg
[2011/11/02 19:03:47 | 000,302,346 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Find area code lookup by number on WebShoppingHelper.mht
[2011/10/24 03:18:51 | 000,000,119 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\dayam YOU AUTOCORRECT.url
[2011/10/21 21:16:50 | 000,010,467 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\JEALOUS WOMEN.jpg
[2011/10/21 02:47:09 | 000,000,139 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Tippecanoe Waste Removal, Inc Home.url
[2011/10/17 04:03:42 | 000,001,210 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Earmarks Map – 2011 Requests Ending Spending EndingSpending.com.url
[2011/10/17 03:20:30 | 001,333,597 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Jakie_time_out_lol.jpg
[2011/10/11 17:11:51 | 000,882,519 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Conjoined twins 34 amazing photos (GRAPHIC IMAGES) Pictures - CBS News.mht
[2011/10/11 15:13:51 | 000,007,919 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Be Strong and Save Now with Os-Cal.eml
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\xyxe.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\wdih.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\rgsg.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\quti.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\qdvq.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\lukc.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\dkyc.exe
[2011/08/18 00:36:08 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\aeyi.exe
[2011/01/15 05:33:35 | 000,091,712 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/05 17:01:21 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/14 20:12:31 | 000,017,532 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/03 15:07:42 | 000,403,816 | -H-- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | -H-- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/30 22:53:06 | 000,000,797 | -H-- | C] () -- C:\Documents and Settings\Owner\Application Data\Launch Internet Explorer Browser.lnk
[2009/05/25 18:40:40 | 000,000,419 | -H-- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/05/25 18:40:40 | 000,000,027 | -H-- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/05/25 18:38:56 | 000,000,228 | -H-- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/05/25 18:38:56 | 000,000,094 | -H-- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/05/25 18:38:56 | 000,000,050 | -H-- | C] () -- C:\WINDOWS\System32\bridf06a.dat
[2009/05/25 18:38:11 | 000,106,496 | -H-- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/05/25 18:38:11 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\brdfxspd.dat
[2009/02/23 21:52:49 | 000,000,069 | -H-- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/13 00:25:32 | 000,000,754 | -H-- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/12 03:11:23 | 000,010,240 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/19 01:58:51 | 000,172,032 | -H-- | C] () -- C:\WINDOWS\System32\adsubtb.dll
[2008/09/19 01:58:51 | 000,002,150 | -H-- | C] () -- C:\WINDOWS\System32\nshxml.ini
[2008/09/18 13:20:44 | 000,049,152 | RH-- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008/09/18 12:56:12 | 000,001,732 | RH-- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2008/09/18 12:44:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/09/18 12:39:12 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/09/18 08:35:22 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/09/18 08:34:05 | 000,148,400 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/04/20 08:32:00 | 001,703,936 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/20 08:32:00 | 001,626,112 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/04/20 08:32:00 | 001,474,560 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/20 08:32:00 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/04/20 08:32:00 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/20 08:32:00 | 001,018,748 | -H-- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/04/20 08:32:00 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/20 08:32:00 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/04/20 08:32:00 | 000,425,984 | -H-- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/04/20 08:32:00 | 000,286,720 | -H-- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/02 13:20:40 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 07:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,755,200 | -H-- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2001/08/23 07:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,432,784 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,338,432 | -H-- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2001/08/23 07:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,200,192 | -H-- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2001/08/23 07:00:00 | 000,183,808 | -H-- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2001/08/23 07:00:00 | 000,120,320 | -H-- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2001/08/23 07:00:00 | 000,067,740 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/04/12 22:28:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/10/16 03:09:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/08/11 18:13:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\BQXUVTWGYG
[2011/01/28 02:00:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FEYUVTWGYG
[2011/06/27 23:48:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FJYUVTWGYG
[2011/02/17 00:35:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GFYUVTWGYG
[2011/10/19 22:07:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GQXUVTWGYG
[2011/09/15 13:45:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\HHYUVTWGYG
[2011/02/26 01:34:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\HXXUVTWGYG
[2011/08/20 04:05:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\IBYUVTWGYG
[2011/02/24 02:37:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\interMute
[2010/12/28 10:54:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\JVXUVTWGYG
[2011/09/14 23:23:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LIYUVTWGYG
[2011/02/17 02:04:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LTXUVTWGYG
[2011/06/27 23:50:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\LWXUVTWGYG
[2011/01/21 02:25:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\NRXUVTWGYG
[2011/02/20 23:33:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PKYUVTWGYG
[2011/09/07 09:24:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\RVXUVTWGYG
[2011/09/07 09:43:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\RXXUVTWGYG
[2011/09/22 00:38:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\SBYUVTWGYG
[2011/03/10 03:13:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\SRXUVTWGYG
[2011/10/16 03:12:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[2011/10/16 03:49:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/12/04 04:26:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\VYXUVTWGYG
[2011/02/16 01:54:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\XZXUVTWGYG
[2011/09/02 04:14:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\YFYUVTWGYG
[2009/01/30 05:57:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\ZXXUVTWGYG
[2009/09/14 20:02:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/18 18:20:49 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\ConsumerSoft
[2010/05/14 02:12:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\E-centives
[2011/10/16 03:12:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\SulusGames
[2011/03/16 03:39:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2011/10/18 17:01:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2011/11/02 03:45:00 | 000,000,472 | -H-- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FDF9B285
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EEB25EAE
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9EF92A1A

< End of report >

(EXTRAS OTL)

OTL Extras logfile created on: 11/7/2011 1:15:33 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.17 Mb Total Physical Memory | 668.73 Mb Available Physical Memory | 74.70% Memory free
2.12 Gb Paging File | 1.99 Gb Available in Paging File | 93.63% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 47.46 Gb Free Space | 63.69% Space Free | Partition Type: NTFS

Computer Name: OWNER-BZ2MQ7E6C | User Name: Owner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\AdSubtract\adsub.exe" = C:\Program Files\AdSubtract\adsub.exe:*:Enabled:AdSubtract SE
"C:\Program Files\Cake Poker 2.0\PokerClient.exe" = C:\Program Files\Cake Poker 2.0\PokerClient.exe:*:Disabled:Cake Poker 2.0
========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{55A960A6-0CAC-4EBB-9D7E-199545391033}" = Nero 7 Essentials
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0F563C4-D4AD-41C4-A8A6-26664C027D11}" = Brother MFL-Pro Suite
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdSubtract PRO 3" = AdSubtract PRO 3
"avast" = avast! Free Antivirus
"AVS Image Converter_is1" = AVS Image Converter 1.1.1.31 Beta Version
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"BFGC" = Big Fish Games: Game Manager
"BFG-Strange Cases - The Tarot Card Mystery" = Strange Cases: The Tarot Card Mystery
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"EmailStripper_is1" = EmailStripper 2.2
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"VLC media player" = VLC media player 1.1.11
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

(HIJACK THIS LOG)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:19:38 AM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pogo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 94.63.240.131 www.google.com
O1 - Hosts: 94.63.240.132 www.bing.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [volmgr] %APPDATA%\volmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [volmgr] %APPDATA%\volmgr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winupd] C:\WINDOWS\TEMP\winupd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [volmgr] %APPDATA%\volmgr.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1221784093359
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1256451306250
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace....ceUploader2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6060 bytes


(GMER LOG)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-07 20:15:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_HD080HJ rev.WT100-41
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axkiypow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[172] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[424] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E56FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25464E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5397 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5334 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E519A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E51FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E53FA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E525E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1940] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E56FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB18975$\172900433 0 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\bckfg.tmp 933 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\L 0 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\L\akygdmgo 62976 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\lsflt7.ver 17074 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U 0 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB18975$\172900433\U\80000032.@ 75776 bytes
File C:\WINDOWS\$NtUninstallKB18975$\3425165832 0 bytes

---- EOF - GMER 1.0.15 ----
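As an added defender-side illustration (not code from this thread or from HijackThis or GMER), the script below applies three common triage heuristics to the O4 autorun lines of the HijackThis log above, which are embedded inline as constructed sample input: a target under a user-writable location such as %APPDATA% or \TEMP\, registration under the SYSTEM account's hive (HKUS\S-1-5-18), and the same entry name registered in several hives at once. It only points out entries worth a manual look; it does not decide that a file is malicious.

```python
import re
from collections import defaultdict

# Constructed sample input: the O4 (registry Run-key autorun) lines from the
# HijackThis log in this thread, embedded inline so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [volmgr] %APPDATA%\volmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [volmgr] %APPDATA%\volmgr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winupd] C:\WINDOWS\TEMP\winupd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [volmgr] %APPDATA%\volmgr.exe (User 'Default user')
"""

# O4 line layout: "O4 - <hive>\..\Run: [<name>] <command>" with an optional
# " (User '<account>')" suffix on per-user hives.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)

# Locations any user-level process can write to; regular installers do not
# place persistent autoruns there.  The whole command is matched because
# loaders such as rundll32 take the real module as an argument.
USER_WRITABLE = re.compile(
    r"%APPDATA%|%TEMP%|\\TEMP\\|\\Application Data\\|\\Local Settings\\", re.I
)

# SYSTEM's own hive: an autorun here starts with full privileges at boot.
SYSTEM_HIVE = r"HKUS\S-1-5-18"


def parse_o4(line):
    """Parse one O4 line into a dict (hive, name, cmd, user); None otherwise."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return the autorun entries worth a manual review, each with its reasons."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    hives_by_name = defaultdict(set)          # entry name -> distinct hives
    for e in entries:
        hives_by_name[e["name"]].add(e["hive"])
    findings = []
    for e in entries:
        reasons = []
        if USER_WRITABLE.search(e["cmd"]):
            reasons.append("target in a user-writable location")
        if e["hive"] == SYSTEM_HIVE:
            reasons.append("registered under the SYSTEM account hive")
        if len(hives_by_name[e["name"]]) >= 3:
            reasons.append("same name in %d hives" % len(hives_by_name[e["name"]]))
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-8s %-16s %s" % (f["name"], f["hive"], "; ".join(f["reasons"])))
```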

#6 MARIANNE97 (Authentic Member, 36 posts)

Posted 07 November 2011 - 08:43 PM

I thought you may like to see these too. I couldn't copy and paste them so I saved as pics.

Thank you, :)

Mary M.

Attached Thumbnails

  • avstpic1.jpg
  • Avstpic2.jpg


#7 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 08 November 2011 - 05:38 AM

Hello MARIANNE97

Thank you for the logs.

There are several things on this machine that need our attention.

MBAM has removed a number of infected system restore points which means we must reset your system restore chain before we go any further:

  • Please create a new System Restore point


  • Click on "Start" > "All Programs" > "Accessories" > "System tools" > "System Restore".
  • In the dialogue box that appears select "Create a Restore Point".
  • Click "Next".
  • Enter a name (e.g. today's date).
  • Click "Create".

In my first post to you I provided instructions for a tool called unhide.

Were you able to download this tool and run it? If you were unable to download the tool using the infected machine, please download it using an uninfected system, then copy it to a flash drive, transfer it to the desktop of the infected machine and allow it to run.

Once it has run, check to see if the missing items in your Start Menu are now visible and let me know (very important).

Once we have done this we will continue :)
Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#8 MARIANNE97 (Authentic Member, 36 posts)

Posted 08 November 2011 - 09:03 AM

Good morning :) I went to System Restore but it didn't give me the option to create a restore point, only to restore to an earlier time. I have included a screen shot pic of it. The unhide worked when you prompted me to DL and run it, everything appeared again. I am awaiting further instructions.

Thank you :)

Attached Thumbnails

  • STRSTPIC.jpg


#9 MARIANNE97 (Authentic Member, 36 posts)

Posted 08 November 2011 - 09:35 AM

Hi again, sorry about that...I was in safe mode. I started thinking about it and thought maybe it's not possible in safe mode, so I logged on in regular mode and found it. :) I created the restore point....All good to go.

#10 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 08 November 2011 - 10:54 AM

Hello MARIANNE97

The unhide worked when you prompted me to DL and run it, everything appeared again

That's good news :)

I created the restore point....All good to go

Good job :thumbup: Let's continue (please run the next tool from Normal/Regular Mode):

  • Combofix


  • Download ComboFix from one of the following locations:

    Link 1
    Link 2

  • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
  • Should there be issues with internet afterward:

    In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

Please post the ComboFix log in your next reply :)




#11 MARIANNE97 (Authentic Member, 36 posts)

Posted 08 November 2011 - 11:56 AM

Hi :) I disabled the anti-virus ... DL and installed the ComboFix and console. Not sure what is going on with the ComboFix. It may be frozen....It has been easily 30-45 minutes since a popup that said rootkit found, please be patient, this may take some moments. It has a button to click OK and I tried to click it but it didn't do anything, and if I move the mouse over it...it shows the hourglass. Should I restart the PC and try it again?

#12 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 08 November 2011 - 12:06 PM

Hello MARIANNE97

It sounds as though ComboFix may have stalled, but let's give it a little more time (say an hour). If it does not complete after that time, please close ComboFix and check your C drive for a ComboFix log (C:\ComboFix.txt).

If there is no log to be found, go ahead and run ComboFix again.

Let me know how you get on in your next reply :)

#13 MARIANNE97 (Authentic Member, 36 posts)

Posted 08 November 2011 - 12:17 PM

Hi again ...I realized that the PC was frozen when I looked at the clock, so I restarted ComboFix and it froze again ...I just restarted it again 5 minutes ago and I think it's running this time...I will keep checking the clock to see if it's frozen :) I will let you know progress soon. Whatever is in there doesn't want us to get it out, but I have faith in you :)

#14 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 08 November 2011 - 02:12 PM

I will let you know progress soon

:thumbup:

#15 MARIANNE97 (Authentic Member, 36 posts)

Posted 08 November 2011 - 03:22 PM

Hello :) Well...It just wouldn't run completely for me, it kept freezing up the PC, but I let it go for a while anyway. Over an hour last time. :popcorn: I can find no log C:\ComboFix.txt on the PC :( I'll be here for the next step :)

Thank you
