slow and painful...time for a cleanup, eh? [Solved]


  • This topic is locked
33 replies to this topic

#1 denno

    Silver Member

  • Authentic Member
  • 443 posts
  • Interests: Raising Golden Retrievers; folk-rock and Irish music (what I do); reading; DIY; websites; writing

Posted 20 October 2012 - 10:39 AM

Hi. Programs opening and closing slowly. Like window dissolves from the top down. Or icons disappear, come back in b-and-w placeholders, slowly refill. Takes a few minutes to reboot the machine. Seems the HD is always busy, clicking away. I did full scan with MSE a day or so ago, found one trojan, removed it. Probably time for a guided exorcism, if someone will be so kind. [Possibly --- undoubtedly --- separate question, but Firefox crashes spontaneously once in a while; also, if it hangs up and I should use ctrl-alt-del to close the offending window, all the windows close and I have to "recover the last session." This normal?] TIA denno



#2 denno

Posted 21 October 2012 - 07:00 AM

Last night, Firefox was crashing hourly.

#3 denno

Posted 21 October 2012 - 07:14 AM

OK --- catching up with the instructions:

-------------------------------------------------------------------------------------------
OTL logfile created on: 10/21/2012 9:06:29 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Denno\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.10 Mb Total Physical Memory | 578.06 Mb Available Physical Memory | 57.06% Memory free
2.38 Gb Paging File | 1.90 Gb Available in Paging File | 79.67% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 251.13 Gb Free Space | 84.25% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 232.77 Gb Total Space | 194.44 Gb Free Space | 83.53% Space Free | Partition Type: NTFS

Computer Name: SHERIFFJOHN | User Name: Denno | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Denno\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Fighters\FighterSuiteService.exe (SPAMfighter ApS)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
PRC - C:\Program Files\Fighters\SPAMfighter\sfus.exe (SPAMfighter ApS)
PRC - C:\Program Files\Fighters\SPAMfighter\sfagent.exe (SPAMfighter ApS)
PRC - C:\Program Files\IDrive\IDriveEBackground.exe (Pro-SoftNet Corp, U.S.A)
PRC - C:\Program Files\IDrive\IDriveE Service.exe (Pro Softnet Corporation)
PRC - C:\Program Files\IDrive\IDriveETray.exe (Pro Softnet Corp.)
PRC - C:\Program Files\IDrive\IDrivePlugin.exe ( )
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
PRC - C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\2\fppdis1.exe (FinePrint Software, LLC)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\Fighters\SPAMfighter\sfse.dll ()
MOD - C:\Program Files\Fighters\SPAMfighter\sfsg.dll ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxslt.dll ()


========== Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Suite Service) -- C:\Program Files\Fighters\FighterSuiteService.exe (SPAMfighter ApS)
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (SPAMfighter Update Service) -- C:\Program Files\Fighters\SPAMfighter\sfus.exe (SPAMfighter ApS)
SRV - (IDriveE Service) -- C:\Program Files\IDrive\IDriveE Service.exe (Pro Softnet Corporation)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Denno\LOCALS~1\Temp\catchme.sys File not found
DRV - (MpKsl8549e9d4) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07D55818-5F6E-49B0-BF69-AF6B6FCAA93A}\MpKsl8549e9d4.sys (Microsoft Corporation)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?...l_date=20111124
IE - HKCU\..\SearchScopes,DefaultScope = {7ABD5EFD-88A6-E9CE-80AE-DBCA8C52F41C}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...amp;Form=IE8SRC
IE - HKCU\..\SearchScopes\{7ABD5EFD-88A6-E9CE-80AE-DBCA8C52F41C}: "URL" = http://www.bing.com/...eferrer:source}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledAddons: {b0e1b4a6-2c6f-4e99-94f2-8e625d7ae255}:3.0.14
FF - prefs.js..extensions.enabledAddons: crossriderapp4493@crossrider.com:0.85.39
FF - prefs.js..keyword.URL: "http://www.bing.com/...te=20111124&q="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.2.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.2.1: C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Denno\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/12 11:12:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1266764D-FC4F-4FA7-B63B-884D53B1680F}: C:\Documents and Settings\Denno\Application Data\NetAssistant\ [2011/11/09 13:14:01 | 000,000,000 | ---D | M]

[2012/03/02 17:17:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Denno\Application Data\Mozilla\Extensions
[2012/10/16 15:09:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions
[2012/10/15 06:20:44 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/24 19:45:42 | 000,000,000 | ---D | M] (BFlix Toolbar) -- C:\Documents and Settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\{a6bf16ab-42a1-4bc5-965d-5e407e449aaa}
[2012/10/16 15:09:27 | 000,000,000 | ---D | M] ("Coupon Companion") -- C:\Documents and Settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com
[2012/10/16 15:09:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com\chrome\content\extensionCode
[2012/04/10 08:19:59 | 000,015,185 | ---- | M] () (No name found) -- C:\Documents and Settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\{b0e1b4a6-2c6f-4e99-94f2-8e625d7ae255}.xpi
[2012/10/12 11:11:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/12 11:12:08 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 01:06:33 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/12 07:56:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2012/10/12 11:11:28 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/10/18 13:50:10 | 000,000,822 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Coupon Companion) - {11111111-1111-1111-1111-110011441193} - C:\Program Files\Coupon Companion\Coupon Companion.dll (215 Apps)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CommonToolkitTray] C:\Program Files\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
O4 - HKLM..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [EPSON Stylus Photo RX620 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\system32\spool\drivers\w32x86\2\fppdis1.exe (FinePrint Software, LLC)
O4 - HKLM..\Run: [sfagent] C:\Program Files\Fighters\SPAMfighter\sfagent.exe (SPAMfighter ApS)
O4 - HKCU..\Run: [IDriveE Startup] C:\Program Files\IDrive\IDrvieEStartup.exe (Pro Softnet Corporation)
O4 - HKCU..\Run: [Media Finder] "C:\Program Files\Media Finder\MF.exe" /opentotray File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\The Print Shop 23.1\Remind.exe (Broderbund Properties LLC)
O4 - Startup: C:\Documents and Settings\Denno\Start Menu\Programs\Startup\IDrive Tray.lnk = C:\Program Files\IDrive\IDriveEReg2ini.exe (Pro Softnet Corp.)
O4 - Startup: C:\Documents and Settings\Denno\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1344738650693 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.22.32.8 64.22.32.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CFF501FC-74FD-45DF-A444-135669F120CF}: DhcpNameServer = 64.22.32.8 64.22.32.9
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Denno\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Denno\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/06/09 12:55:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/10/21 09:01:57 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Denno\Desktop\OTL.exe
[2012/10/20 23:33:09 | 000,000,000 | ---D | C] -- C:\Program Files\DownloadManager
[2012/10/16 07:27:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Denno\Local Settings\Application Data\Coupon Companion
[2012/10/16 07:27:08 | 000,000,000 | ---D | C] -- C:\Program Files\Coupon Companion
[2012/10/12 11:11:20 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/10/10 21:20:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Denno\Start Menu\Programs\CDex
[2012/10/10 21:20:15 | 000,000,000 | ---D | C] -- C:\Program Files\CDex_150
[2012/09/28 22:30:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Denno\Application Data\Audacity
[2012/09/28 22:29:49 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2012/09/28 09:52:19 | 000,000,000 | ---D | C] -- C:\idrivee
[2012/09/27 21:41:16 | 000,509,440 | ---- | C] (Tech Support Guy System) -- C:\Documents and Settings\Denno\Desktop\SysInfo.exe
[2012/09/27 21:23:56 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc

========== Files - Modified Within 30 Days ==========

[2012/10/21 09:02:00 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Denno\Desktop\OTL.exe
[2012/10/21 01:30:19 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/10/20 21:31:18 | 000,000,368 | ---- | M] () -- C:\WINDOWS\tasks\FinalTorrent Update Checker.job
[2012/10/20 21:28:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/10/19 23:01:00 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/10/18 13:50:10 | 000,000,822 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/10/18 13:30:21 | 000,000,114 | ---- | M] () -- C:\Documents and Settings\Denno\Desktop\novelism month.url
[2012/10/17 12:49:42 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\Denno\Desktop\translate swedish.url
[2012/10/16 17:37:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/10/13 21:26:16 | 000,000,117 | ---- | M] () -- C:\Documents and Settings\Denno\Desktop\doonesbury.url
[2012/10/10 21:20:18 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\Denno\Desktop\CDex.lnk
[2012/10/10 03:01:07 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/09/29 11:16:16 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/09/28 22:30:07 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Denno\Desktop\Audacity.lnk
[2012/09/28 09:53:01 | 000,000,336 | ---- | M] () -- C:\WINDOWS\System32\register.bat
[2012/09/27 21:41:18 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\Denno\Desktop\SysInfo.exe
[2012/09/27 21:24:00 | 000,001,723 | ---- | M] () -- C:\Documents and Settings\Denno\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2012/09/27 21:24:00 | 000,001,705 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Belarc Advisor.lnk
[2012/09/25 23:17:39 | 000,000,118 | ---- | M] () -- C:\Documents and Settings\Denno\Desktop\Fandalism musician search.url

========== Files Created - No Company Name ==========

[2012/10/18 13:30:00 | 000,000,114 | ---- | C] () -- C:\Documents and Settings\Denno\Desktop\novelism month.url
[2012/10/17 12:49:33 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\Denno\Desktop\translate swedish.url
[2012/10/13 21:26:01 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Denno\Desktop\doonesbury.url
[2012/10/10 21:20:18 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\Denno\Desktop\CDex.lnk
[2012/09/29 11:26:10 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/09/28 22:30:07 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Audacity.lnk
[2012/09/28 22:30:07 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Denno\Desktop\Audacity.lnk
[2012/09/28 09:53:01 | 000,000,336 | ---- | C] () -- C:\WINDOWS\System32\register.bat
[2012/09/27 21:24:00 | 000,001,723 | ---- | C] () -- C:\Documents and Settings\Denno\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2012/09/27 21:24:00 | 000,001,711 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Belarc Advisor.lnk
[2012/09/27 21:24:00 | 000,001,705 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Belarc Advisor.lnk
[2012/09/27 21:23:56 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2012/09/25 23:17:25 | 000,000,118 | ---- | C] () -- C:\Documents and Settings\Denno\Desktop\Fandalism musician search.url
[2012/02/16 02:14:53 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/02 23:51:38 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/02 23:51:38 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/02 23:51:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/02 23:51:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/02 23:51:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/09 13:13:43 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/10/11 09:41:47 | 000,000,751 | ---- | C] () -- C:\WINDOWS\Bti.ini
[2011/09/27 17:42:12 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/09/27 17:42:12 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/09/17 00:16:57 | 000,000,056 | ---- | C] () -- C:\WINDOWS\azzCardfile Settings.ini
[2011/08/29 08:28:20 | 000,000,886 | ---- | C] () -- C:\WINDOWS\EReg.dat
[2011/07/14 08:33:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Denno\Local Settings\Application Data\prvlcl.dat
[2011/06/29 00:45:42 | 000,000,124 | ---- | C] () -- C:\WINDOWS\PARSONS.INI
[2011/06/18 00:41:19 | 000,026,032 | ---- | C] () -- C:\WINDOWS\System32\IDriveEXceedCryReg.exe
[2011/06/18 00:41:18 | 000,055,808 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2011/06/10 01:07:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/06/10 00:13:54 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2011/06/10 00:11:45 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2011/06/09 12:56:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/06/09 12:53:20 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/06/09 08:46:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/06/09 08:45:51 | 000,988,184 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========

[2011/06/26 14:17:03 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/02/17 09:51:57 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/02/03 23:28:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/09/17 00:16:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\azzCardfile
[2011/08/27 02:41:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/06/29 00:33:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2012/08/11 22:26:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BSD
[2011/06/09 19:29:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/08/11 22:23:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fighters
[2012/04/01 12:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GoldWaveCDDB
[2011/11/24 19:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2012/10/20 11:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2012/02/03 23:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/11/24 19:45:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Premium
[2011/08/25 03:59:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TreeCardGames
[2012/01/04 12:32:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\W3i
[2011/08/18 23:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinMaximizer
[2012/10/10 21:16:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\Audacity
[2011/08/09 12:54:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\AVG
[2011/09/23 10:13:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\AVG2012
[2011/09/17 00:16:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\azzCardfile
[2011/06/10 00:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\BabylonToolbar
[2011/06/23 11:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\EPSON
[2012/08/11 22:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\Fighters
[2011/12/14 00:47:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\FinalTorrent
[2011/06/23 16:25:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\Foxit Software
[2012/04/01 12:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\GoldWaveCDDB
[2012/03/04 02:25:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\Media Finder
[2011/08/25 03:52:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\MumboJumbo
[2011/11/09 13:14:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\NetAssistant
[2011/06/11 23:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\OpenOffice.org
[2012/02/06 00:05:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\Oracle
[2011/08/18 23:34:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\svBuilder
[2011/06/09 23:59:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\TMP
[2011/08/25 03:59:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\TreeCardGames
[2011/11/24 19:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Denno\Application Data\vmntemplate

========== Purity Check ==========



========== Custom Scans ==========

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s > >

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: EXPLORER.EXE.HDMP >
[2012/10/16 15:05:04 | 021,204,134 | ---- | M] () MD5=0A30EB702DD554B35795A2DD4F79E9B6 -- C:\Documents and Settings\Denno\Local Settings\Temp\WER6588.dir00\explorer.exe.hdmp

< MD5 for: EXPLORER.EXE.MDMP >
[2012/10/16 15:03:58 | 000,087,146 | ---- | M] () MD5=E6008DACE21291E5215C682E19537780 -- C:\Documents and Settings\Denno\Local Settings\Temp\WER6588.dir00\explorer.exe.mdmp

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2012/10/20 23:19:53 | 000,018,434 | ---- | M] () MD5=EE0FA650D72643F30AF211CE6E57CD68 -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2004/08/04 06:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2004/08/04 06:00:00 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie7\iexplore.chm
[2006/09/01 08:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\WINDOWS\ie8\iexplore.chm

< MD5 for: IEXPLORE.CHW >
[2012/03/13 21:54:21 | 000,157,092 | ---- | M] () MD5=5932C2924C40E9B89F97E9F324BFFE7F -- C:\WINDOWS\Help\iexplore.chw

< MD5 for: IEXPLORE.EXE >
[2011/12/16 07:00:16 | 000,634,680 | ---- | M] (Microsoft Corporation) MD5=1C206B8FEEC6882B7F7F479E95D2BDD9 -- C:\WINDOWS\ie8\iexplore.exe
[2011/10/31 06:32:32 | 000,634,504 | ---- | M] (Microsoft Corporation) MD5=1C5DA2D9EA2A59D0D5C116FA3A5A21AA -- C:\WINDOWS\$hf_mig$\KB2618444-IE7\SP3QFE\iexplore.exe
[2011/10/31 06:46:00 | 000,634,504 | ---- | M] (Microsoft Corporation) MD5=2E34CF22B5862AB02786F0819B9FD819 -- C:\WINDOWS\ERDNT\cache\iexplore.exe
[2011/10/31 06:46:00 | 000,634,504 | ---- | M] (Microsoft Corporation) MD5=2E34CF22B5862AB02786F0819B9FD819 -- C:\WINDOWS\ie7updates\KB2647516-IE7\iexplore.exe
[2011/04/21 06:34:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=3E23DBEBE1020D52C63235E4189FAC03 -- C:\WINDOWS\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[2008/04/14 05:42:24 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie7\iexplore.exe
[2008/04/14 05:42:24 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe
[2011/08/17 07:01:37 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=6A1D755C68C10863C598C78A597FA7C3 -- C:\WINDOWS\ie7updates\KB2618444-IE7\iexplore.exe
[2011/06/20 07:29:11 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=993F33696EF219C306BF9BBA34D85073 -- C:\WINDOWS\ie7updates\KB2586448-IE7\iexplore.exe
[2010/04/16 07:08:29 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B24A4E23A2FEDB6976EB04D334AD82B2 -- C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[2010/04/16 07:08:29 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B24A4E23A2FEDB6976EB04D334AD82B2 -- C:\WINDOWS\SoftwareDistribution\Download\626f83f88e86511ae79d7ff76840cc8e\SP3QFE\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2011/04/21 06:58:25 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B6E13F9C120C776A89D783E26D6C15C5 -- C:\WINDOWS\ie7updates\KB2559049-IE7\iexplore.exe
[2010/04/16 07:43:25 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=C4BA5E36FB57F547117305BF1E0FE454 -- C:\WINDOWS\ie7updates\KB2497640-IE7\iexplore.exe
[2010/04/16 07:43:25 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=C4BA5E36FB57F547117305BF1E0FE454 -- C:\WINDOWS\SoftwareDistribution\Download\626f83f88e86511ae79d7ff76840cc8e\SP3GDR\iexplore.exe
[2011/08/17 06:34:43 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=CB0AFAF9E5C5FE70EC7087E71275DD33 -- C:\WINDOWS\$hf_mig$\KB2586448-IE7\SP3QFE\iexplore.exe
[2011/12/16 06:35:06 | 000,634,680 | ---- | M] (Microsoft Corporation) MD5=DB9D9A73FACB0B11992201D670D73E16 -- C:\WINDOWS\$hf_mig$\KB2647516-IE7\SP3QFE\iexplore.exe
[2011/06/20 06:38:09 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=DE0F15DD275A36C3E67DC1E36F958F3A -- C:\WINDOWS\$hf_mig$\KB2559049-IE7\SP3QFE\iexplore.exe
[2007/08/13 18:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\WINDOWS\ie7updates\KB982381-IE7\iexplore.exe
[2011/02/14 07:36:55 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E3CC8CCF21BFDC954255BB17083FB9F0 -- C:\WINDOWS\$hf_mig$\KB2497640-IE7\SP3QFE\iexplore.exe
[2011/02/14 07:36:55 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E3CC8CCF21BFDC954255BB17083FB9F0 -- C:\WINDOWS\SoftwareDistribution\Download\119d2150a866d5a5cb5dede92281fda9\SP3QFE\iexplore.exe
[2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E4A798DFDE7FE6E79F23548F0EF0F844 -- C:\WINDOWS\ie7updates\KB2530548-IE7\iexplore.exe
[2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=E4A798DFDE7FE6E79F23548F0EF0F844 -- C:\WINDOWS\SoftwareDistribution\Download\119d2150a866d5a5cb5dede92281fda9\SP3GDR\iexplore.exe
[2004/08/04 06:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=E7484514C0464642BE7B4DC2689354C8 -- C:\WINDOWS\$NtServicePackUninstall$\iexplore.exe

< MD5 for: IEXPLORE.EXE.000 >
[2007/08/13 18:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\WINDOWS\ie7updates\KB982381-IE7\iexplore.exe.000

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\iexplore.exe.mui
[2007/08/13 18:43:36 | 000,573,440 | ---- | M] (Microsoft Corporation) MD5=B58D8A1C7EE0E922EC7D2616DA136FC3 -- C:\WINDOWS\ie8\iexplore.exe.mui

< MD5 for: IEXPLORE.HLP >
[2004/08/04 06:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: SERVICES >
[2004/08/04 06:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.CFG >
[2012/07/27 16:51:34 | 000,586,083 | ---- | M] () MD5=6DE4EA437EC1FE6DB27CADB0A7EA8DC2 -- C:\Program Files\Adobe\Reader 10.0\Reader\Services\Services.cfg
[2011/06/06 13:55:30 | 000,584,045 | R--- | M] () MD5=B82DD53FA8C260DDD7FDC42182DB816E -- C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\services.cfg

< MD5 for: SERVICES.CNF >
[2004/02/15 12:30:24 | 000,000,002 | ---- | M] () MD5=A55822426A5330C04625A41D264C190B -- C:\Documents and Settings\Denno\My Documents\My Documents\01 My Sites\lullabologist 2007\lullabologist.com\www\_vti_pvt\services.cnf

< MD5 for: SERVICES.EXE >
[2009/02/06 07:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/14 05:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\ERDNT\cache\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 07:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 06:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SERVICES.HTML >
[2006/06/04 02:58:20 | 000,010,485 | ---- | M] () MD5=0593516C8BE2A4A513FA239BA5525BBF -- C:\Documents and Settings\Denno\My Documents\My Documents\01 My Sites\pabloX\Roots2\services.html

< MD5 for: SERVICES.LNK >
[2011/06/09 12:55:27 | 000,001,602 | ---- | M] () MD5=60CB2E633CDAFBF3157893ECA8C22172 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MSC >
[2004/08/04 06:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SERVICES.RDB >
[2011/01/17 18:52:22 | 000,237,568 | ---- | M] () MD5=507957679AE4579C15D57FA741EA6FFA -- C:\Program Files\OpenOffice.org 3\URE\misc\services.rdb
[2011/01/17 18:51:48 | 005,539,328 | ---- | M] () MD5=F2B666905F7FDAA80C86A101A7DE62F9 -- C:\Program Files\OpenOffice.org 3\Basis\program\services.rdb

< MD5 for: WINLOGON.EXE >
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %SYSTEMDRIVE%\*.* >
[2011/08/22 14:38:56 | 000,001,024 | ---- | M] () -- C:\.rnd
[2012/03/13 16:36:01 | 000,013,116 | ---- | M] () -- C:\aaw7boot.log
[2011/06/09 12:55:23 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/08/19 14:01:40 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/02/03 23:22:13 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/04 00:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2012/02/05 18:18:34 | 000,014,578 | ---- | M] () -- C:\ComboFix.txt
[2011/06/09 12:55:23 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/06/09 12:55:23 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/02/05 23:53:53 | 000,025,252 | ---- | M] () -- C:\JavaRa.log
[2011/06/09 12:55:23 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2011/06/09 18:47:31 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/10/20 21:28:13 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2012/03/13 20:14:00 | 000,044,366 | ---- | M] () -- C:\TDSSKiller.2.7.20.0_13.03.2012_20.06.10_log.txt
[2012/09/28 09:53:43 | 000,000,059 | ---- | M] () -- C:\Trace.txt

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2011/06/09 12:55:05 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2012/07/13 07:40:01 | 000,052,128 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2011/06/09 08:44:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2011/06/09 08:44:58 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2011/06/09 08:44:58 | 000,888,832 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2011/06/09 18:50:27 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/06/09 18:53:34 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Denno\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2011/06/09 12:59:25 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Denno\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2012/10/21 09:02:00 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Denno\Desktop\OTL.exe
[2012/09/27 21:41:18 | 000,509,440 | ---- | M] (Tech Support Guy System) -- C:\Documents and Settings\Denno\Desktop\SysInfo.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-10-10 07:07:15

< End of report >
----------------------------------------------------------------------------------------------------------------------------------
OTL Extras logfile created on: 10/21/2012 9:06:29 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Denno\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.10 Mb Total Physical Memory | 578.06 Mb Available Physical Memory | 57.06% Memory free
2.38 Gb Paging File | 1.90 Gb Available in Paging File | 79.67% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 251.13 Gb Free Space | 84.25% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 232.77 Gb Total Space | 194.44 Gb Free Space | 83.53% Space Free | Partition Type: NTFS

Computer Name: SHERIFFJOHN | User Name: Denno | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\WS_FTP Pro\ftp95pro.exe" = C:\Program Files\WS_FTP Pro\ftp95pro.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA)
"C:\Program Files\FinalTorrent\FinalTorrent.EXE" = C:\Program Files\FinalTorrent\FinalTorrent.EXE:*:Enabled:FinalTorrent -- (Bitberry Software)
"C:\Program Files\FinalTorrent\FTCheckForUpdates.exe" = C:\Program Files\FinalTorrent\FTCheckForUpdates.exe:*:Enabled:FinalTorrent Update Checker -- (Bitberry Software)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Java\jre7\bin\javaw.exe" = C:\Program Files\Java\jre7\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Oracle Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C8C6F56-41FA-44F6-8107-DCFAA7EFD601}" = The Print Shop 23.1
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{10B47424-611D-4FB4-951B-C946EB04830C}" = SPAMfighter
"{1111706F-666A-4037-7777-202328764D10}" = JavaFX 2.0.2
"{1266764D-FC4F-4FA7-B63B-884D53B1680F}" = NetAssistant
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83217002FF}" = Java™ 7 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57573545-74EB-46D2-B362-AA05364E4ED8}" = LogMeIn
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{65CB4C08-C47B-4A7E-A6A4-50C06ADA5FC6}" = Adobe AIR
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}" = InstallIQ Updater
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{961FBA1C-C20F-463F-B9B1-30A2D96CC5E3}_is1" = MagicCute Data Recovery 2011.1
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{C9CEC6F3-3944-92B4-6CCA-995182394542}" = svBuilder
"{CAAB0192-5704-469F-A0BE-2D842D70E93B}_is1" = Sothink FLV Player
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"123 Free Solitaire_is1" = 123 Free Solitaire 2011 v8.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Amazon Kindle" = Amazon Kindle
"Audacity_is1" = Audacity 2.0.2
"azzCardfile_is1" = azzCardfile 4.1
"Belarc Advisor" = Belarc Advisor 8.2
"CDex" = CDex extraction audio
"Coupon Companion" = Coupon Companion
"Desktop Taipei_is1" = Desktop Taipei version 2.2
"EASEUS Data Recovery Wizard Free Edition 5.5.1_is1" = EASEUS Data Recovery Wizard Free Edition 5.5.1
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ESET Online Scanner" = ESET Online Scanner v3
"FinalTorrent_is1" = FinalTorrent 2011
"FinePrint pdfFactory Pro" = FinePrint pdfFactory Pro
"FreeChess" = 100% Free Chess 7.30
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"IDrive_is1" = IDrive version 3.4.1 July 27, 2011
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstaCodecs_is1" = InstaCodecs
"LivePix" = LivePix 1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 16.0.1 (x86 en-US)" = Mozilla Firefox 16.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"SPAMfighter" = SPAMfighter
"svBuilder" = svBuilder
"Trusted Software Assistant_is1" = File Type Assistant
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"NetAssistant 3.6.5" = NetAssistant for Firefox
"UnityWebPlayer" = Unity Web Player

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 4/19/2012 1:53:28 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1001
Description = Fault bucket 09609326.

Error - 4/19/2012 1:54:02 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1002
Description = Hanging application Photoshop.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/19/2012 1:54:04 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1001
Description = Fault bucket 09609326.

Error - 4/19/2012 1:54:32 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1002
Description = Hanging application Photoshop.exe, version 7.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/20/2012 12:55:25 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1002
Description = Hanging application notepad.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/20/2012 12:55:25 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1002
Description = Hanging application notepad.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/20/2012 4:05:28 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 11.0.0.4454, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/20/2012 4:05:35 PM | Computer Name = SHERIFFJOHN | Source = Application Hang | ID = 1001
Description = Fault bucket -1413921487.

Error - 4/25/2012 10:39:47 AM | Computer Name = SHERIFFJOHN | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 11.0.0.4454, faulting
module quicktime.qts, version 7.71.80.42, fault address 0x00008540.

Error - 4/25/2012 10:40:01 AM | Computer Name = SHERIFFJOHN | Source = Application Error | ID = 1001
Description = Fault bucket -1402986534.

[ System Events ]
Error - 8/30/2012 9:59:01 AM | Computer Name = SHERIFFJOHN | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software. For more information please see the following:
http://go.microsoft....atid=2147650955

Name:
Trojan:Win32/Bamital!dat ID: 2147650955 Severity: Severe Category: Trojan Path: file:_E:\WINDOWS\system32\dll

Detection
Origin: %%845 Detection Type: %%822 Detection Source: %%815 User: SHERIFFJOHN\Denno

Process
Name: Unknown Action: %%810 Action Status: No additional actions required Error Code:
0x8007007f Error description: The specified procedure could not be found. Signature
Version: AV: 1.135.81.0, AS: 1.135.81.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8704.0,
NIS: 0.0.0.0

Error - 9/4/2012 4:48:49 AM | Computer Name = SHERIFFJOHN | Source = Service Control Manager | ID = 7034
Description = The IDriveE Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/7/2012 8:50:35 PM | Computer Name = SHERIFFJOHN | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 9/12/2012 3:00:42 AM | Computer Name = SHERIFFJOHN | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Windows Malicious Software Removal Tool - September 2012
(KB890830).

Error - 9/28/2012 8:47:58 AM | Computer Name = SHERIFFJOHN | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software. For more information please see the following:
http://go.microsoft....atid=2147650955

Name:
Trojan:Win32/Bamital!dat ID: 2147650955 Severity: Severe Category: Trojan Path: file:_E:\WINDOWS\system32\dll

Detection
Origin: %%845 Detection Type: %%822 Detection Source: %%815 User: SHERIFFJOHN\Denno

Process
Name: Unknown Action: %%810 Action Status: No additional actions required Error Code:
0x8007007f Error description: The specified procedure could not be found. Signature
Version: AV: 1.137.579.0, AS: 1.137.579.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8800.0,
NIS: 0.0.0.0

Error - 9/29/2012 10:15:32 AM | Computer Name = SHERIFFJOHN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.172.51 for the Network Card with network
address 001D098C2B91 has been denied by the DHCP server 192.168.172.1 (The DHCP
Server sent a DHCPNACK message).

Error - 10/5/2012 8:24:27 AM | Computer Name = SHERIFFJOHN | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software. For more information please see the following:
http://go.microsoft....atid=2147650955

Name:
Trojan:Win32/Bamital!dat ID: 2147650955 Severity: Severe Category: Trojan Path: file:_E:\WINDOWS\system32\dll

Detection
Origin: %%845 Detection Type: %%822 Detection Source: %%815 User: SHERIFFJOHN\Denno

Process
Name: Unknown Action: %%810 Action Status: No additional actions required Error Code:
0x8007007f Error description: The specified procedure could not be found. Signature
Version: AV: 1.137.1110.0, AS: 1.137.1110.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8800.0,
NIS: 0.0.0.0

Error - 10/8/2012 8:34:49 PM | Computer Name = SHERIFFJOHN | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 10/18/2012 1:50:10 PM | Computer Name = SHERIFFJOHN | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software. For more information please see the following:
http://go.microsoft....atid=2147650955

Name:
Trojan:Win32/Bamital!dat ID: 2147650955 Severity: Severe Category: Trojan Path: file:_E:\WINDOWS\system32\dll

Detection
Origin: %%845 Detection Type: %%822 Detection Source: %%815 User: SHERIFFJOHN\Denno

Process
Name: Unknown Action: %%810 Action Status: No additional actions required Error Code:
0x8007007f Error description: The specified procedure could not be found. Signature
Version: AV: 1.139.1.0, AS: 1.139.1.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.8904.0,
NIS: 0.0.0.0

Error - 10/20/2012 11:43:17 AM | Computer Name = SHERIFFJOHN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.172.51 for the Network Card with network
address 001D098C2B91 has been denied by the DHCP server 192.168.172.1 (The DHCP
Server sent a DHCPNACK message).


< End of report >
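Added example, not part of this thread or of the tool that produced the extract: a Python parser for the "Error - … | Computer Name = … | Source = … | ID = …" entries above that flags detections Microsoft Antimalware repeatedly failed to act on (ID 1119, here always with error 0x8007007f) and pulls out disk-controller errors, the two things in this extract that bear on the symptoms reported. The sample log is a constructed abridgement of the entries above.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# One entry of the extract is a header line followed by wrapped Description lines,
# running to the next header. "%%860"-style tokens are message-resource ids the
# log tool could not resolve, so they are kept verbatim.
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
THREAT_RE = re.compile(r"Name:\s*(?P<name>\S+)\s+ID:\s*(?P<tid>\d+)")
ERROR_CODE_RE = re.compile(r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)")
MSE_ACTION_FAILED = 1119      # Microsoft Antimalware: critical error taking action on malware
STORAGE_SOURCES = {"cdrom", "atapi", "disk"}

EventRecord = namedtuple("EventRecord", "timestamp host source event_id description")


def parse_events(text):
    """Parse the extract into EventRecord tuples; the description is re-joined into one line."""
    records, header, body = [], None, []

    def flush():
        if header is None:
            return
        desc = " ".join(body)
        if desc.startswith("Description = "):
            desc = desc[len("Description = "):]
        records.append(EventRecord(datetime.strptime(header["ts"], "%m/%d/%Y %I:%M:%S %p"),
                                   header["host"], header["source"], int(header["id"]), desc))

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            flush()
            header, body = m.groupdict(), []
        elif header is not None and line:
            body.append(line)
    flush()
    return records


def failed_remediations(records):
    """threat name -> [(timestamp, error code)] for each MSE 'could not act' event (ID 1119)."""
    failures = defaultdict(list)
    for r in records:
        if r.source != "Microsoft Antimalware" or r.event_id != MSE_ACTION_FAILED:
            continue
        t, c = THREAT_RE.search(r.description), ERROR_CODE_RE.search(r.description)
        name = t.group("name") if t else "<unparsed threat>"
        code = c.group("code").lower() if c else None
        failures[name].append((r.timestamp, code))
    return dict(failures)


def unresolved_threats(records, min_failures=2):
    """Threats the AV failed to act on at least min_failures times. The same detection
    recurring with the same error code means it is not being cleaned, which is the
    point at which a guided manual cleanup, as in this thread, is the next step."""
    return {name: hits for name, hits in failed_remediations(records).items()
            if len(hits) >= min_failures}


def storage_events(records):
    """Disk/optical controller errors: a constantly busy, clicking drive can be hardware."""
    return [r for r in records if r.source.lower() in STORAGE_SOURCES]


# Constructed sample in the format of the extract above (abridged, not the full log).
SAMPLE_LOG = """\
Error - 9/28/2012 8:47:58 AM | Computer Name = SHERIFFJOHN | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software.
Name:
Trojan:Win32/Bamital!dat ID: 2147650955 Severity: Severe Category: Trojan Path: file:_E:\\WINDOWS\\system32\\dll
Process
Name: Unknown Action: %%810 Action Status: No additional actions required Error Code:
0x8007007f Error description: The specified procedure could not be found.

Error - 10/8/2012 8:34:49 PM | Computer Name = SHERIFFJOHN | Source = atapi | ID = 262153
Description = The device, \\Device\\Ide\\IdePort1, did not respond within the timeout
period.

Error - 10/18/2012 1:50:10 PM | Computer Name = SHERIFFJOHN | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software.
Name:
Trojan:Win32/Bamital!dat ID: 2147650955 Severity: Severe Category: Trojan Path: file:_E:\\WINDOWS\\system32\\dll
Process
Name: Unknown Action: %%810 Action Status: No additional actions required Error Code:
0x8007007f Error description: The specified procedure could not be found.
"""
```

Run `unresolved_threats(parse_events(SAMPLE_LOG))` to see the Bamital detection reported twice with the same 0x8007007f code, and `storage_events(...)` for the atapi timeout.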

#4 jeffce

jeffce

    Malware Guy

  • Authentic Member
  • 8,693 posts

Posted 26 October 2012 - 01:00 PM

Sorry for any delay!! :wavey:

Let's get fresh scans and see what we have...

Please download DDS from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------

In your next reply please post both of the logs created by DDS and the log created by aswMBR.exe. :)

#5 denno

denno

    Silver Member

  • Authentic Member
  • 443 posts
  • Interests:Raising Golden Retrievers; folk-rock and Irish music (what I do); reading; DIY; websites; writing

Posted 26 October 2012 - 01:50 PM

THANK YOU! This is gettin worse!

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.1
Run by Denno at 15:45:51 on 2012-10-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.132 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Fighters\Tray\FightersTray.exe
C:\Program Files\Fighters\SPAMfighter\sfagent.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\IDrive\IDriveE Service.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Fighters\SPAMfighter\sfus.exe
C:\Program Files\Fighters\FighterSuiteService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\IDrive\IDriveETray.exe
C:\Program Files\IDrive\IDriveEBackground.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\IDrive\IDrivePlugin.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - c:\program files\coupon companion\Coupon Companion.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
uRun: [IDriveE Startup] "c:\program files\idrive\IDrvieEStartup.exe" Hide
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Media Finder] "c:\program files\media finder\MF.exe" /opentotray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [pdfFactory Pro Dispatcher v1] c:\windows\system32\spool\drivers\w32x86\2\fppdis1.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [EPSON Stylus Photo RX620 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O5 "LPT1:" /M "Stylus Photo RX620"
mRun: [EPSON Stylus Photo RX620 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9HA.EXE /P40 "EPSON Stylus Photo RX620 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX620"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [CommonToolkitTray] c:\program files\fighters\tray\FightersTray.exe
mRun: [sfagent] c:\program files\fighters\spamfighter\sfagent.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Logitech Utility] LOGI_MWX.EXE
mRun: [Wondershare Helper Compact.exe] c:\program files\common files\wondershare\wondershare helper compact\WSHelper.exe
StartupFolder: c:\docume~1\denno\startm~1\programs\startup\idrive~1.lnk - c:\program files\idrive\IDriveEReg2ini.exe
StartupFolder: c:\docume~1\denno\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\the print shop 23.1\Remind.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1344738650693
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 64.22.32.8 64.22.32.9
TCP: Interfaces\{CFF501FC-74FD-45DF-A444-135669F120CF} : DHCPNameServer = 64.22.32.8 64.22.32.9
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\denno\application data\mozilla\firefox\profiles\bagfegyi.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z134&form=ZGAADF&install_date=20111124&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\denno\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\new_plugin\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2012-10-16 07:27; crossriderapp4493@crossrider.com; c:\documents and settings\denno\application data\mozilla\firefox\profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
R2 IDriveE Service;IDriveE Service;c:\program files\idrive\IDriveE Service.exe [2011-6-18 157128]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-7-6 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-8-22 47640]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\fighters\spamfighter\sfus.exe [2011-12-20 215688]
R2 Suite Service;Suite Service;c:\program files\fighters\FighterSuiteService.exe [2012-8-9 1267816]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-1 115168]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-10-25 20:43:44 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8419f693-8653-4583-8a40-51dea38dd218}\mpengine.dll
2012-10-24 12:57:30 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-10-23 04:02:51 -------- d-----w- c:\documents and settings\all users\application data\Wondershare
2012-10-23 04:02:35 -------- d-----w- c:\documents and settings\denno\local settings\application data\Wondershare
2012-10-23 04:02:28 -------- d-----w- c:\program files\common files\Wondershare
2012-10-23 04:01:52 531496 ----a-w- c:\windows\system32\mcmpeg2mux.ax
2012-10-23 04:01:52 375848 ----a-w- c:\windows\system32\mcm2ve.ax
2012-10-23 04:01:52 257064 ----a-w- c:\windows\system32\mcl2ae.ax
2012-10-23 04:01:52 244776 ----a-w- c:\windows\system32\mcmpgaout.dll
2012-10-23 04:01:52 2140712 ----a-w- c:\windows\system32\mcmpgvout.004
2012-10-23 04:01:52 20520 ----a-w- c:\windows\system32\mcmpgvout.dll
2012-10-23 04:01:39 -------- d-----w- c:\program files\Wondershare
2012-10-21 03:33:09 -------- d-----w- c:\program files\DownloadManager
2012-10-16 11:27:12 -------- d-----w- c:\documents and settings\denno\local settings\application data\Coupon Companion
2012-10-16 11:27:08 -------- d-----w- c:\program files\Coupon Companion
2012-10-12 15:12:08 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-12 15:12:08 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-10-11 01:20:15 -------- d-----w- c:\program files\CDex_150
2012-09-29 02:29:49 -------- d-----w- c:\program files\Audacity
2012-09-28 13:53:01 336 ----a-w- c:\windows\system32\register.bat
2012-09-28 13:52:19 -------- d-----w- C:\idrivee
2012-09-28 01:23:56 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-09-28 01:23:56 -------- d-----w- c:\program files\Belarc
.
==================== Find3M ====================
.
2012-08-31 02:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 15:46:56.93 ===============


#6 denno

denno

    Silver Member

  • Authentic Member
  • 443 posts
  • Interests:Raising Golden Retrievers; folk-rock and Irish music (what I do); reading; DIY; websites; writing

Posted 26 October 2012 - 02:02 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-26 15:51:49
-----------------------------
15:51:49.765 OS Version: Windows 5.1.2600 Service Pack 3
15:51:49.765 Number of processors: 2 586 0xF0D
15:51:49.765 ComputerName: SHERIFFJOHN UserName: Denno
15:51:50.921 Initialize success
15:59:59.703 AVAST engine defs: 12102601
16:00:04.562 The log file has been saved successfully to "C:\Documents and Settings\Denno\Desktop\aswMBR.txt"

#7 denno

denno

    Silver Member

  • Authentic Member
  • 443 posts
  • Interests:Raising Golden Retrievers; folk-rock and Irish music (what I do); reading; DIY; websites; writing

Posted 26 October 2012 - 02:05 PM

Jeff---at the end of your reply there's apparently a repeat instruction to post the three results.....should I do that?

#8 jeffce

jeffce

    Malware Guy

  • Authentic Member
  • 8,693 posts

Posted 26 October 2012 - 02:53 PM

Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
----------

#9 denno

denno

    Silver Member

  • Authentic Member
  • 443 posts
  • Interests:Raising Golden Retrievers; folk-rock and Irish music (what I do); reading; DIY; websites; writing

Posted 26 October 2012 - 03:43 PM

BTW---I sometimes get a pop up about virtual memory being too low. Should I do something about that? Part of the problem?


ComboFix 12-10-26.05 - Denno 10/26/2012 17:24:41.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.650 [GMT -4:00]
Running from: c:\documents and settings\Denno\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-26 to 2012-10-26 )))))))))))))))))))))))))))))))
.
.
2012-10-26 19:46 . 2012-10-26 19:46 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8419F693-8653-4583-8A40-51DEA38DD218}\MpKsl0acb6e2f.sys
2012-10-25 20:43 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8419F693-8653-4583-8A40-51DEA38DD218}\mpengine.dll
2012-10-24 12:57 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-23 04:02 . 2012-10-23 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Wondershare
2012-10-23 04:02 . 2012-10-23 04:02 -------- d-----w- c:\documents and settings\Denno\Local Settings\Application Data\Wondershare
2012-10-23 04:02 . 2012-10-23 04:02 -------- d-----w- c:\program files\Common Files\Wondershare
2012-10-23 04:01 . 2012-08-01 19:00 531496 ----a-w- c:\windows\system32\mcmpeg2mux.ax
2012-10-23 04:01 . 2012-08-01 19:00 375848 ----a-w- c:\windows\system32\mcm2ve.ax
2012-10-23 04:01 . 2012-08-01 19:00 257064 ----a-w- c:\windows\system32\mcl2ae.ax
2012-10-23 04:01 . 2012-08-01 19:00 244776 ----a-w- c:\windows\system32\mcmpgaout.dll
2012-10-23 04:01 . 2012-08-01 19:00 2140712 ----a-w- c:\windows\system32\mcmpgvout.004
2012-10-23 04:01 . 2012-08-01 19:00 20520 ----a-w- c:\windows\system32\mcmpgvout.dll
2012-10-23 04:01 . 2012-10-23 04:01 -------- d-----w- c:\program files\Wondershare
2012-10-21 03:33 . 2012-10-21 03:42 -------- d-----w- c:\program files\DownloadManager
2012-10-16 11:27 . 2012-10-16 11:27 -------- d-----w- c:\documents and settings\Denno\Local Settings\Application Data\Coupon Companion
2012-10-16 11:27 . 2012-10-16 11:27 -------- d-----w- c:\program files\Coupon Companion
2012-10-11 01:20 . 2012-10-11 01:28 -------- d-----w- c:\program files\CDex_150
2012-09-29 02:30 . 2012-10-23 04:12 -------- d-----w- c:\documents and settings\Denno\Application Data\Audacity
2012-09-29 02:29 . 2012-10-10 04:02 -------- d-----w- c:\program files\Audacity
2012-09-28 13:53 . 2012-09-28 13:53 336 ----a-w- c:\windows\system32\register.bat
2012-09-28 13:52 . 2012-09-28 13:53 -------- d-----w- C:\idrivee
2012-09-28 01:23 . 2012-09-28 01:23 -------- d-----w- c:\program files\Belarc
2012-09-28 01:23 . 2011-08-09 21:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-08-04 10:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2005-03-30 01:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-12 15:12 . 2012-10-12 15:11 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2011-06-24 185800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"pdfFactory Pro Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\2\fppdis1.exe" [2002-06-25 356352]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE" [2004-05-20 98304]
"EPSON Stylus Photo RX620 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE" [2004-05-20 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-11 63048]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CommonToolkitTray"="c:\program files\Fighters\Tray\FightersTray.exe" [2012-06-29 1454184]
"sfagent"="c:\program files\Fighters\SPAMfighter\sfagent.exe" [2011-12-20 1197704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 19968]
"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-03-27 1686528]
.
c:\documents and settings\Denno\Start Menu\Programs\Startup\
IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2011-6-18 304584]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-10 113664]
Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-07-13 11:40 87456 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
"c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
"c:\\Program Files\\FinalTorrent\\FTCheckForUpdates.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
.
R1 MpKsl0acb6e2f;MpKsl0acb6e2f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8419F693-8653-4583-8A40-51DEA38DD218}\MpKsl0acb6e2f.sys [10/26/2012 3:46 PM 29904]
R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [6/18/2011 12:41 AM 157128]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/6/2011 4:32 PM 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 7:04 PM 12856]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\SPAMfighter\sfus.exe [12/20/2011 1:41 PM 215688]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [8/9/2012 3:05 PM 1267816]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/1/2012 11:07 PM 115168]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSL0ACB6E2F
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-26 c:\windows\Tasks\FinalTorrent Update Checker.job
- c:\program files\FinalTorrent\FTCheckForUpdates.exe [2011-11-25 20:24]
.
2012-10-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 64.22.32.8 64.22.32.9
FF - ProfilePath - c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z134&form=ZGAADF&install_date=20111124&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-16 07:27; crossriderapp4493@crossrider.com; c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Media Finder - c:\program files\Media Finder\MF.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-26 17:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-10-26 17:33:06
ComboFix-quarantined-files.txt 2012-10-26 21:33
ComboFix2.txt 2012-02-05 22:18
ComboFix3.txt 2012-02-04 20:26
ComboFix4.txt 2012-02-04 17:20
ComboFix5.txt 2012-10-26 21:22
.
Pre-Run: 273,523,064,832 bytes free
Post-Run: 275,026,436,096 bytes free
.
- - End Of File - - 3D25A40639AE8F75ED66F2BE058198FA

#10 jeffce

jeffce

    Malware Guy

  • Authentic Member
  • 8,693 posts

Posted 26 October 2012 - 09:06 PM

Hi,
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:


    ClearJavaCache::

    DDS::
    BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - c:\program files\coupon companion\Coupon Companion.dll

    File::
    c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com

    Folder::
    c:\documents and settings\Denno\Local Settings\Application Data\Coupon Companion
    c:\program files\Coupon Companion

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Post the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

Post the new ComboFix log and let me know how your system is running. :)
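To catch a mistyped path before a script like the one above is handed to a removal tool, here is an added Python checker (not ComboFix's own code and not from this thread) that parses the four directives used above and confirms each entry actually occurs in the DDS log it was taken from. The DDS excerpt is a constructed subset of the log posted earlier in the thread.

```python
import re

# Directives used in the CFScript above. ClearJavaCache:: is a bare flag; File::,
# Folder:: and DDS:: take one entry per line until the next directive.
FLAG_DIRECTIVES = {"ClearJavaCache"}
PATH_DIRECTIVES = {"File", "Folder"}
LINE_DIRECTIVES = {"DDS"}
KNOWN = FLAG_DIRECTIVES | PATH_DIRECTIVES | LINE_DIRECTIVES
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Return {directive: [entries]}; unknown directives or stray lines raise ValueError."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN:
                raise ValueError(f"unknown directive {current}::")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line}")
        elif current in FLAG_DIRECTIVES:
            raise ValueError(f"{current}:: takes no entries, got: {line}")
        else:
            sections[current].append(line)
    return sections


def check_against_dds(sections, dds_text):
    """Cross-check the script with the DDS log it was written from: every File::/Folder::
    path must be absolute and, like every DDS:: line, must occur in that log (compared
    case-insensitively, as NTFS paths are). Returns a list of problems; empty is good."""
    problems, haystack = [], dds_text.lower()
    for directive in sorted(PATH_DIRECTIVES):
        for path in sections.get(directive, []):
            if not ABS_WIN_PATH_RE.match(path):
                problems.append(f"{directive}:: not an absolute path: {path}")
            elif path.lower() not in haystack:
                problems.append(f"{directive}:: not found in DDS log: {path}")
    for line in sections.get("DDS", []):
        if line.lower() not in haystack:
            problems.append(f"DDS:: line not found in DDS log: {line}")
    return problems


# The script from the post above, and the DDS lines it was built from (constructed
# excerpt of the DDS log posted earlier in the thread, not the whole log).
SAMPLE_CFSCRIPT = r"""
ClearJavaCache::

DDS::
BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - c:\program files\coupon companion\Coupon Companion.dll

File::
c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com

Folder::
c:\documents and settings\Denno\Local Settings\Application Data\Coupon Companion
c:\program files\Coupon Companion
"""
SAMPLE_DDS = r"""
BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - c:\program files\coupon companion\Coupon Companion.dll
FF - ExtSQL: 2012-10-16 07:27; crossriderapp4493@crossrider.com; c:\documents and settings\denno\application data\mozilla\firefox\profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com
2012-10-16 11:27:12 -------- d-----w- c:\documents and settings\denno\local settings\application data\Coupon Companion
2012-10-16 11:27:08 -------- d-----w- c:\program files\Coupon Companion
"""
```

`check_against_dds(parse_cfscript(SAMPLE_CFSCRIPT), SAMPLE_DDS)` returns an empty list for the script above; a typo in any path comes back as a named problem instead of a silent no-op during the run.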


#11 denno

denno

    Silver Member

  • Authentic Member
  • 443 posts
  • Interests:Raising Golden Retrievers; folk-rock and Irish music (what I do); reading; DIY; websites; writing

Posted 26 October 2012 - 09:28 PM

Dunno how it's running yet, but can report soon.


ComboFix 12-10-26.05 - Denno 10/26/2012 23:17:48.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.592 [GMT -4:00]
Running from: c:\documents and settings\Denno\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Denno\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Denno\Local Settings\Application Data\Coupon Companion
c:\documents and settings\Denno\Local Settings\Application Data\Coupon Companion\Chrome\Coupon Companion.crx
c:\program files\Coupon Companion
c:\program files\Coupon Companion\ButtonUtil.dll
c:\program files\Coupon Companion\Coupon Companion-bg.exe
c:\program files\coupon companion\Coupon Companion.dll
c:\program files\Coupon Companion\Coupon Companion.exe
c:\program files\Coupon Companion\Coupon Companion.ico
c:\program files\Coupon Companion\Coupon Companion.ini
c:\program files\Coupon Companion\Coupon CompanionInstaller.log
c:\program files\Coupon Companion\Uninstall.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-27 to 2012-10-27 )))))))))))))))))))))))))))))))
.
.
2012-10-26 21:40 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5210940-D1ED-4C37-BC2A-1FE584037097}\mpengine.dll
2012-10-24 12:57 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-10-23 04:02 . 2012-10-23 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Wondershare
2012-10-23 04:02 . 2012-10-23 04:02 -------- d-----w- c:\documents and settings\Denno\Local Settings\Application Data\Wondershare
2012-10-23 04:02 . 2012-10-23 04:02 -------- d-----w- c:\program files\Common Files\Wondershare
2012-10-23 04:01 . 2012-08-01 19:00 531496 ----a-w- c:\windows\system32\mcmpeg2mux.ax
2012-10-23 04:01 . 2012-08-01 19:00 375848 ----a-w- c:\windows\system32\mcm2ve.ax
2012-10-23 04:01 . 2012-08-01 19:00 257064 ----a-w- c:\windows\system32\mcl2ae.ax
2012-10-23 04:01 . 2012-08-01 19:00 244776 ----a-w- c:\windows\system32\mcmpgaout.dll
2012-10-23 04:01 . 2012-08-01 19:00 2140712 ----a-w- c:\windows\system32\mcmpgvout.004
2012-10-23 04:01 . 2012-08-01 19:00 20520 ----a-w- c:\windows\system32\mcmpgvout.dll
2012-10-23 04:01 . 2012-10-23 04:01 -------- d-----w- c:\program files\Wondershare
2012-10-21 03:33 . 2012-10-21 03:42 -------- d-----w- c:\program files\DownloadManager
2012-10-11 01:20 . 2012-10-11 01:28 -------- d-----w- c:\program files\CDex_150
2012-09-29 02:30 . 2012-10-23 04:12 -------- d-----w- c:\documents and settings\Denno\Application Data\Audacity
2012-09-29 02:29 . 2012-10-10 04:02 -------- d-----w- c:\program files\Audacity
2012-09-28 13:53 . 2012-09-28 13:53 336 ----a-w- c:\windows\system32\register.bat
2012-09-28 13:52 . 2012-09-28 13:53 -------- d-----w- C:\idrivee
2012-09-28 01:23 . 2012-09-28 01:23 -------- d-----w- c:\program files\Belarc
2012-09-28 01:23 . 2011-08-09 21:33 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-31 02:03 . 2011-04-18 17:18 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-08-28 15:14 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2004-08-04 10:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2005-03-30 01:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-26 21:35 . 2012-10-12 15:11 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2011-06-24 185800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"pdfFactory Pro Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\2\fppdis1.exe" [2002-06-25 356352]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"EPSON Stylus Photo RX620 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE" [2004-05-20 98304]
"EPSON Stylus Photo RX620 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE" [2004-05-20 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-11 63048]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CommonToolkitTray"="c:\program files\Fighters\Tray\FightersTray.exe" [2012-06-29 1454184]
"sfagent"="c:\program files\Fighters\SPAMfighter\sfagent.exe" [2011-12-20 1197704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 19968]
"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-03-27 1686528]
.
c:\documents and settings\Denno\Start Menu\Programs\Startup\
IDrive Tray.lnk - c:\program files\IDrive\IDriveEReg2ini.exe [2011-6-18 304584]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-10 113664]
Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-07-13 11:40 87456 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
"c:\\Program Files\\FinalTorrent\\FinalTorrent.EXE"=
"c:\\Program Files\\FinalTorrent\\FTCheckForUpdates.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
.
R2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [6/18/2011 12:41 AM 157128]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/6/2011 4:32 PM 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 7:04 PM 12856]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\SPAMfighter\sfus.exe [12/20/2011 1:41 PM 215688]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [8/9/2012 3:05 PM 1267816]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/1/2012 11:07 PM 115168]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSL0ACB6E2F
*Deregistered* - aswMBR
*Deregistered* - MpKsl0acb6e2f
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-10-26 c:\windows\Tasks\FinalTorrent Update Checker.job
- c:\program files\FinalTorrent\FTCheckForUpdates.exe [2011-11-25 20:24]
.
2012-10-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 64.22.32.8 64.22.32.9
FF - ProfilePath - c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z134&form=ZGAADF&install_date=20111124&q=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-16 07:27; crossriderapp4493@crossrider.com; c:\documents and settings\Denno\Application Data\Mozilla\Firefox\Profiles\bagfegyi.default\extensions\crossriderapp4493@crossrider.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Coupon Companion - c:\program files\Coupon Companion\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-26 23:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-10-26 23:25:17
ComboFix-quarantined-files.txt 2012-10-27 03:25
ComboFix2.txt 2012-10-26 21:33
ComboFix3.txt 2012-02-05 22:18
ComboFix4.txt 2012-02-04 20:26
ComboFix5.txt 2012-10-27 03:16
.
Pre-Run: 274,920,292,352 bytes free
Post-Run: 274,917,855,232 bytes free
.
- - End Of File - - FFC061027D1CA74FAACD725114391423
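As an added example (not from this thread and not part of ComboFix), here is a small Python parser for the "Reg Loading Points" section of a ComboFix log such as the one above, with a triage heuristic that flags autostart entries loading by bare file name or from a user-writable profile folder. The IDriveE, MSC and RTHDCPL sample lines are copied from the log above; the "Example Helper" line is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines in the layout ComboFix prints under "Reg Loading Points". The IDriveE,
# MSC and RTHDCPL entries are copied from the log above; "Example Helper" is a
# constructed entry, not from the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDriveE Startup"="c:\program files\IDrive\IDrvieEStartup.exe" [2011-06-24 185800]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"Example Helper"="c:\documents and settings\Denno\Application Data\helper\helper.exe" [2012-10-20 12345]
"""
KEY_RE = re.compile(r'^\[(?P<hive>HK[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')

@dataclass
class RunEntry:
    hive: str   # registry key the value lives under
    name: str   # value name
    path: str   # command/path as ComboFix printed it
    date: str   # file timestamp ComboFix reports
    size: int   # file size in bytes

def parse_run_entries(text: str) -> List[RunEntry]:
    """Each [HKEY...] line sets the current key; "name"="path" [date size] lines under it become entries."""
    entries, hive = [], ""
    for raw in text.splitlines():
        line = raw.strip()          # ComboFix's "." spacer lines match nothing and are skipped
        key = KEY_RE.match(line)
        if key:
            hive = key.group("hive")
            continue
        m = ENTRY_RE.match(line)
        if m and hive:
            entries.append(RunEntry(hive, m["name"], m["path"], m["date"], int(m["size"])))
    return entries

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

def flag_reason(entry: RunEntry) -> Optional[str]:
    """Heuristic triage of one autostart entry; None means nothing stands out."""
    p = entry.path.lower()
    if "\\" not in p:
        return "unqualified-path"   # bare file name, resolved via the search path
    if "\\documents and settings\\" in p:
        return "user-profile"       # loads from a user-writable profile folder
    if not p.startswith(TRUSTED_ROOTS):
        return "outside-program-dirs"
    return None
```

Flagged entries are only a starting point for review; a legitimate vendor tray utility registered by bare name (as RTHDCPL is here) will be flagged too.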

#12 denno


Posted 26 October 2012 - 10:20 PM

All seems to be pretty spiffy. THANK YOU! Now...can you tell me A) what was in there screwing things up, B) where might I be encountering such stuff and C) how come my AV is not keeping it all out? denno

#13 jeffce


Posted 27 October 2012 - 08:04 AM

Hi,

A) what was in there screwing things up

You had some entries relating to things you downloaded or that were downloaded from the internet.

how come my AV is not keeping it all out?

Well, antivirus programs can only detect what they have been shown previously. There are many, many new variants of malware made daily, so there is no antivirus that can keep everything out all the time.
-----------

Adobe Reader

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader X (10.1.4) first. Be sure to move any PDF documents to another folder first though.
----------

I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java.

Now download and install the newest version from here >> http://java.com/en/download/index.jsp
-------------

Clear Java Cache

See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
----------

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
----------
#14 denno


Posted 27 October 2012 - 12:36 PM

Hi Jeff, I updated Adobe Reader and ran Malwarebytes. Might not be able to do more until tonight.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.27.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Denno :: SHERIFFJOHN [administrator]

10/27/2012 2:28:17 PM
mbam-log-2012-10-27 (14-28-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206921
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\Software\InstalledBrowserExtensions\215 Apps|4493 (PUP.CrossFire.SA) -> Data: Coupon Companion -> No action taken.
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 0fb343b091e18175df842feefff05bf9 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#15 jeffce


Posted 27 October 2012 - 04:19 PM

Looking good......when you get the ESET scan done post that as well!! :)