System Check rogue/virus/trojan not fully removed by Malwarebytes

61 replies to this topic

#1 Ndhlp (New Member, Members, 44 posts)

Hi,

My friend got what appears to be a nasty case of a fake Windows Security Check. I had to run Malwarebytes from the Start>Run box in Safe Mode with Networking as everything was hidden.

I had to run unhide.exe and Rkill to get anything to show on the desktop. I also went to ESET and ran an online scan there and then was finally able to start and update their Anti-Virus and MBAM in regular mode. In safe mode w/networking Avira only shows up with some items now in the Programs list but we are unable to launch any programs from there. So I don't know if Avira has script blocking and in either case we wouldn't have been able to disable it.

We are in Safe Mode with Networking with some icons showing on the desktop including the fake "Security Check" that according to the properties box was created yesterday. It does not allow us to click on any other tabs in this box when right clicking on the "security check" icon on the desktop or taskbar. After running the ESET scan and Rkill the Start>Run box is missing both in Safe and regular mode. I can only access MBAM through the Windows Task Manager.

Here is the MBAM scan (I ran it prior to running the DDS program).

They WILL be upgrading to Malwarebytes PRO but obviously this needs to be fixed first. THANK YOU for your help. I won't be able to run anything on their computer tomorrow but will have access to it Monday a.m. IF someone has time to get to us by then. THANKS again.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.25.05
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Owner :: YOUR-5E03CF73DE [administrator]
2/25/2012 5:19:57 PM
mbam-log-2012-02-25 (17-19-57).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 192659
Time elapsed: 3 minute(s), 44 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
**********************************************************
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Owner at 17:46:36 on 2012-02-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1543 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AbacastDistributedOnDemand:11] c:\documents and settings\owner\local settings\application data\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"
mRun: [Lexmark Pro800-Pro900 Series Fax Server] "c:\program files\lexmark pro800-pro900 series\fm3032.exe" /s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Power2GoExpress] NA
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285267317328
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2C6A64E4-1CC7-4A77-AEAF-23DEA62485B8} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-24 36000]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-24 86224]
S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-24 110032]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 74640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2011-10-28 290832]
S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2010-9-8 193192]
S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-5-10 668912]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-25 22:46:30 607260 ------r- c:\program files\dds.scr
2012-02-25 22:17:01 1008141 ----a-w- c:\program files\rkill.exe
2012-02-25 18:07:19 -------- d-----w- c:\program files\ESET
2012-02-22 14:14:33 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2012-02-22 01:38:10 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2012-02-22 01:19:19 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-02-22 01:18:56 -------- d-----w- c:\windows\ie8updates
2012-02-22 01:14:13 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-02-22 01:14:12 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-02-22 01:14:12 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-02-22 01:11:10 -------- dc----w- c:\windows\ie8
2012-02-16 05:33:21 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 05:33:21 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-01-16 14:56:26 218642 ----a-w- c:\documents and settings\all users\SPLC65C.tmp
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-29 18:29:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 15:31:46 1284232 ----a-w- c:\program files\couponprinter.exe
2011-06-27 22:20:31 900384 ----a-w- c:\program files\JavaSetup6u26.exe
2011-06-24 17:19:42 50688 ----a-w- c:\program files\ATF_Cleaner.exe
2011-06-23 17:19:51 684297 ----a-w- c:\program files\unhide.exe
.
============= FINISH: 17:47:23.20 ===============
I did not post the Attach file as it said not to unless specifically requested.
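The MBAM log above repaired six Start_Show* values (Bad: (0) Good: (1)) under the user's Explorer\Advanced key, which is how this rogue hides Run, Search, My Computer and the rest of the Start menu. The following PowerShell script is an added example, not something posted in this thread or shipped by Malwarebytes: it reads that key for the current user, reports every value from the logs that is still 0, and only with -Fix sets them back to 1. The value-name list is taken from the MBAM and RogueKiller entries on this page; the HideDesktopIcons path for the My Computer icon is assumed from the RogueKiller NewStartPanel line.

```powershell
# Added example (not from the thread): report Start menu items hidden through
# HKCU\...\Explorer\Advanced and optionally restore them. Run as the affected
# user, since the values live under HKCU. Without -Fix nothing is changed.
param(
    [switch]$Fix
)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# Assumed path for the desktop-icon entry RogueKiller flagged as [HJ] NewStartPanel.
$desktopIcons = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
$myComputerClsid = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'

# Names seen in the MBAM (PUM.Hijack.StartMenu) and RogueKiller ([HJ]) output.
# 1 = shown on the Start menu, 0 = hidden. A 0 can also be a deliberate user
# preference, so review the report before running with -Fix.
$startMenuItems = @(
    'Start_ShowControlPanel', 'Start_ShowHelp', 'Start_ShowMyComputer',
    'Start_ShowMyDocs', 'Start_ShowRun', 'Start_ShowSearch',
    'Start_ShowRecentDocs', 'Start_ShowUser', 'Start_ShowMyPics',
    'Start_ShowMyGames', 'Start_ShowMyMusic', 'Start_ShowPrinters',
    'Start_ShowSetProgramAccessAndDefaults'
)

$props  = Get-ItemProperty -Path $advanced
$hidden = @()
foreach ($name in $startMenuItems) {
    # A missing value reads as $null, which is not -eq 0, so only explicit 0s are listed.
    if ($props.$name -eq 0) {
        $hidden += $name
        Write-Host ("{0,-40} = 0 (hidden)" -f $name)
    }
}

# My Computer desktop icon: a value of 1 under NewStartPanel hides it.
$iconHidden = $false
$iconProps = Get-ItemProperty -Path $desktopIcons -ErrorAction SilentlyContinue
if ($iconProps -and $iconProps.$myComputerClsid -eq 1) {
    $iconHidden = $true
    Write-Host ("{0,-40} = 1 (My Computer icon hidden)" -f $myComputerClsid)
}

if ($hidden.Count -eq 0 -and -not $iconHidden) {
    Write-Host 'No hidden Start menu items or desktop icons found under HKCU.'
    return
}

if ($Fix) {
    foreach ($name in $hidden) {
        Set-ItemProperty -Path $advanced -Name $name -Value 1 -Type DWord
    }
    if ($iconHidden) {
        Set-ItemProperty -Path $desktopIcons -Name $myComputerClsid -Value 0 -Type DWord
    }
    Write-Host ("Restored {0} Start menu value(s). Log off and back on, or restart explorer.exe, for the change to show." -f $hidden.Count)
} else {
    Write-Host ("{0} Start menu value(s) hidden; rerun with -Fix to set them back to 1." -f $hidden.Count)
}
```

The script does not touch the HKLM copy of the NewStartPanel entry that RogueKiller also reported, and it does not replace a full scan: it only reverses the Start menu hiding, not whatever set it.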

#2 MrCharlie (Forum Deity, Experts, 17,313 posts; So. Plainfield, New Jersey, USA)

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)
Post back the report.

--------------------------------------

Next.......

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

#3 Ndhlp (New Member, Members, 44 posts)

Thank you for your help! I did not change any settings in either program, I ran them "as is".

RogueKiller V7.2.0 [02/27/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Owner [Admin rights]
Mode: Scan -- Date: 02/27/2012 10:39:40
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 12 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-747832287-720386439-3837867810-1003[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HDT722516DLAT80 +++++
--- User ---
[MBR] 2de17797318da582eea1c6d0191a9ccd
[BSP] 785403c40b2e57190234204681ec45a9 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 10683225 | Size: 151840 Mo
1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 5216 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt

OTL logfile created on: 2/27/2012 10:43:50 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 86.64% Memory free
2.29 Gb Paging File | 2.22 Gb Available in Paging File | 96.96% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.28 Gb Total Space | 128.10 Gb Free Space | 86.39% Space Free | Partition Type: NTFS
Drive D: | 5.08 Gb Total Space | 2.70 Gb Free Space | 53.13% Space Free | Partition Type: FAT32

Computer Name: YOUR-5E03CF73DE | User Name: Owner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/27 10:42:11 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/12/12 11:03:40 | 000,290,832 | ---- | M] (Verizon) [Auto | Stopped] -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe -- (IHA_MessageCenter)
SRV - [2011/10/11 14:00:20 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/11 14:00:08 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/04/14 15:08:12 | 000,598,696 | ---- | M] ( ) [Auto | Stopped] -- C:\WINDOWS\System32\lxeccoms.exe -- (lxec_device)
SRV - [2010/04/14 15:08:05 | 000,193,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxecserv.exe -- (lxecCATSCustConnectService)
SRV - [2009/11/18 09:50:40 | 000,668,912 | ---- | M] (Radialpoint Inc.) [Auto | Stopped] -- C:\Program Files\Verizon\VSP\ServicepointService.exe -- (ServicepointService)
SRV - [2006/06/28 13:17:25 | 000,196,608 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/04/06 14:04:38 | 000,053,248 | ---- | M] (Netscape Communications Corporation) [Auto | Stopped] -- C:\Program Files\Netscape Internet Service\ncupdatesvc.exe -- (NCUpdateSvc)


========== Driver Services (SafeList) ==========

DRV - [2012/02/15 11:15:03 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/10/11 14:00:32 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/10/11 14:00:32 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010/06/17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/03/17 15:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/03/17 15:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/02/04 19:26:59 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2006/06/28 13:14:32 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/01/25 14:52:32 | 001,478,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/01/13 20:13:18 | 004,137,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/07/28 11:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2005/07/20 21:08:28 | 000,100,096 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aksusb.sys -- (aksusb)
DRV - [2005/07/20 21:08:26 | 000,327,808 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akshasp.sys -- (akshasp)
DRV - [2005/03/17 11:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 11:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 11:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/04/13 23:14:12 | 000,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2001/08/17 15:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.c...ys=DTP&M=DX110S
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.c...ys=DTP&M=DX110S
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....0MSN&bm=ms_home
IE - HKU\S-1-5-21-747832287-720386439-3837867810-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@radialpoint.com/SPA,version=1: C:\Program Files\Verizon\VSP\nprpspa.dll (Verizon)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()



O1 HOSTS File: ([2011/06/25 19:28:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (PBlockHelper Class) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll (planetscott.ca)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe ()
O4 - HKLM..\Run: [Gateway Extended Warranty] C:\Program Files\Gateway\GWCares\GWCares.exe (BillP Studios)
O4 - HKLM..\Run: [Lexmark Pro800-Pro900 Series Fax Server] C:\Program Files\Lexmark Pro800-Pro900 Series\fm3032.exe ()
O4 - HKLM..\Run: [lxecmon.exe] C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe ()
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
O4 - HKU\.DEFAULT..\Run: [Power2GoExpress] NA File not found
O4 - HKU\S-1-5-18..\Run: [Power2GoExpress] NA File not found
O4 - HKU\S-1-5-21-747832287-720386439-3837867810-1003..\Run: [AbacastDistributedOnDemand:11] C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe (Abacast, Inc.)
O4 - HKU\S-1-5-21-747832287-720386439-3837867810-1003..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML File not found
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll ()
O15 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyds...20Installer.cab (Support.com Configuration Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1285267317328 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Garmin Communicator Plug-In https://static.garmi...inAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2C6A64E4-1CC7-4A77-AEAF-23DEA62485B8}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/26 13:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/27 10:42:07 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/02/27 10:39:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\RK_Quarantine
[2012/02/25 17:46:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Program Files\dds.scr
[2012/02/25 13:07:19 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/02/25 11:52:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Recent
[2012/02/24 16:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\System Check
[2012/02/22 09:14:33 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2012/02/21 20:38:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2012/02/21 20:18:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2012/02/21 20:11:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8
[2012/01/29 01:06:50 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/08/23 10:31:36 | 001,284,232 | ---- | C] (Coupons.com Incorporated) -- C:\Program Files\couponprinter.exe
[2011/06/27 17:20:25 | 000,900,384 | ---- | C] (Sun Microsystems, Inc.) -- C:\Program Files\JavaSetup6u26.exe
[2011/06/24 12:19:42 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Program Files\ATF_Cleaner.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/27 10:42:11 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2012/02/27 10:39:11 | 001,281,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
[2012/02/27 10:35:59 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/27 10:35:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/25 17:46:34 | 000,607,260 | R--- | M] (Swearware) -- C:\Program Files\dds.scr
[2012/02/25 17:17:08 | 001,008,141 | ---- | M] () -- C:\Program Files\rkill.exe
[2012/02/25 16:16:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/25 14:02:38 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile
[2012/02/25 14:02:37 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/24 16:44:02 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/02/24 16:28:49 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
[2012/02/24 16:26:04 | 000,000,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
[2012/02/24 16:26:04 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
[2012/02/24 16:26:03 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
[2012/02/24 16:20:12 | 000,551,183 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-24-2012 04;20;04PM.JPG
[2012/02/22 20:04:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/02/22 10:52:52 | 000,515,074 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM2.JPG
[2012/02/22 10:52:51 | 000,099,991 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM.JPG
[2012/02/21 17:56:36 | 000,404,138 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM.JPG
[2012/02/21 17:56:36 | 000,313,687 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM2.JPG
[2012/02/21 17:54:34 | 000,146,623 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;54;28PM.JPG
[2012/02/21 15:16:59 | 000,146,728 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 03;16;55PM.JPG
[2012/02/21 11:53:13 | 000,279,297 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 11;52;47AM.JPG
[2012/02/19 17:52:09 | 000,232,642 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-19-2012 05;52;04PM.JPG
[2012/02/17 08:49:58 | 000,246,312 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/16 20:25:30 | 000,494,276 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/16 20:25:30 | 000,083,254 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/15 16:53:55 | 000,641,490 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM5.JPG
[2012/02/15 16:53:54 | 000,561,469 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM3.JPG
[2012/02/15 16:53:54 | 000,294,486 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM4.JPG
[2012/02/15 16:53:53 | 000,543,842 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM.JPG
[2012/02/15 16:53:53 | 000,509,786 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM2.JPG
[2012/02/15 12:22:58 | 000,387,824 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 12;22;51PM.JPG
[2012/02/15 11:15:03 | 000,137,416 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2012/02/13 16:41:44 | 000,380,026 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-13-2012 04;39;34PM.JPG
[2012/02/03 10:56:28 | 000,472,443 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM5.JPG
[2012/02/03 10:56:28 | 000,454,243 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM4.JPG
[2012/02/03 10:56:28 | 000,247,936 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM6.JPG
[2012/02/03 10:56:27 | 000,631,275 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM.JPG
[2012/02/03 10:56:27 | 000,592,142 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM3.JPG
[2012/02/03 10:56:27 | 000,575,760 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM2.JPG
[2012/02/02 17:07:00 | 000,339,685 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM2.JPG
[2012/02/02 17:07:00 | 000,315,849 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM3.JPG
[2012/02/02 17:06:59 | 000,282,644 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM.JPG
[2012/02/02 12:37:44 | 000,348,272 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM.JPG
[2012/02/02 12:37:44 | 000,273,524 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM2.JPG
[2012/02/02 10:06:58 | 000,689,935 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM.JPG
[2012/02/02 10:06:58 | 000,140,871 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM2.JPG
[2012/01/31 18:00:35 | 000,173,455 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM2.JPG
[2012/01/31 18:00:35 | 000,130,759 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM3.JPG
[2012/01/31 18:00:34 | 000,344,267 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM.JPG
[2012/01/31 17:49:41 | 000,370,557 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;48;20PM.JPG
[2012/01/28 10:59:14 | 000,626,400 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM2.JPG
[2012/01/28 10:59:14 | 000,399,508 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM.JPG
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/27 10:39:01 | 001,281,024 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe
[2012/02/25 17:17:01 | 001,008,141 | ---- | C] () -- C:\Program Files\rkill.exe
[2012/02/24 16:44:02 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/02/24 16:26:04 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
[2012/02/24 16:26:04 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
[2012/02/24 16:26:03 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
[2012/02/24 16:26:00 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
[2012/02/24 16:20:12 | 000,551,183 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-24-2012 04;20;04PM.JPG
[2012/02/22 10:52:52 | 000,515,074 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM2.JPG
[2012/02/22 10:52:51 | 000,099,991 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM.JPG
[2012/02/21 17:56:36 | 000,404,138 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM.JPG
[2012/02/21 17:56:36 | 000,313,687 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM2.JPG
[2012/02/21 17:54:34 | 000,146,623 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;54;28PM.JPG
[2012/02/21 15:16:59 | 000,146,728 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 03;16;55PM.JPG
[2012/02/21 11:53:13 | 000,279,297 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 11;52;47AM.JPG
[2012/02/19 17:52:09 | 000,232,642 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-19-2012 05;52;04PM.JPG
[2012/02/16 00:33:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/16 00:33:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/15 16:53:55 | 000,641,490 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM5.JPG
[2012/02/15 16:53:55 | 000,294,486 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM4.JPG
[2012/02/15 16:53:54 | 000,561,469 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM3.JPG
[2012/02/15 16:53:53 | 000,543,842 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM.JPG
[2012/02/15 16:53:53 | 000,509,786 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM2.JPG
[2012/02/15 12:22:58 | 000,387,824 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 12;22;51PM.JPG
[2012/02/13 16:41:44 | 000,380,026 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-13-2012 04;39;34PM.JPG
[2012/02/03 10:56:28 | 000,472,443 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM5.JPG
[2012/02/03 10:56:28 | 000,454,243 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM4.JPG
[2012/02/03 10:56:28 | 000,247,936 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM6.JPG
[2012/02/03 10:56:27 | 000,631,275 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM.JPG
[2012/02/03 10:56:27 | 000,592,142 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM3.JPG
[2012/02/03 10:56:27 | 000,575,760 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM2.JPG
[2012/02/02 17:07:00 | 000,339,685 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM2.JPG
[2012/02/02 17:07:00 | 000,315,849 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM3.JPG
[2012/02/02 17:06:59 | 000,282,644 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM.JPG
[2012/02/02 12:37:44 | 000,348,272 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM.JPG
[2012/02/02 12:37:44 | 000,273,524 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM2.JPG
[2012/02/02 10:06:59 | 000,140,871 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM2.JPG
[2012/02/02 10:06:58 | 000,689,935 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM.JPG
[2012/01/31 18:00:35 | 000,173,455 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM2.JPG
[2012/01/31 18:00:35 | 000,130,759 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM3.JPG
[2012/01/31 18:00:34 | 000,344,267 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM.JPG
[2012/01/31 17:49:41 | 000,370,557 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;48;20PM.JPG
[2012/01/28 10:59:14 | 000,626,400 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM2.JPG
[2012/01/28 10:59:14 | 000,399,508 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM.JPG
[2011/10/24 13:47:03 | 000,260,762 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/06/23 12:19:47 | 000,684,297 | ---- | C] () -- C:\Program Files\unhide.exe
[2011/06/20 11:53:30 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164r
[2011/06/20 11:53:25 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17424164
[2010/09/08 13:47:17 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxecvs.dll
[2010/09/08 13:47:15 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccoin.dll
[2010/09/08 13:47:08 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxecgcfg.dll
[2010/09/08 13:47:07 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxeccui.dll
[2010/09/08 13:47:07 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\lxeccuir.dll
[2010/09/08 13:45:19 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\LXECPMON.DLL
[2010/09/08 13:45:19 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXECFXPU.DLL
[2010/09/08 13:44:59 | 004,485,120 | ---- | C] () -- C:\WINDOWS\System32\LXECoem.dll
[2010/09/08 13:43:17 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxecrwrd.ini
[2010/09/08 13:43:05 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\LXEChcp.dll
[2010/09/08 13:43:05 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\LXECinst.dll
[2010/09/08 13:43:04 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecinpa.dll
[2010/09/08 13:43:04 | 000,344,064 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeciesc.dll
[2010/09/08 13:43:03 | 001,048,576 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecserv.dll
[2010/09/08 13:43:03 | 000,847,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecusb1.dll
[2010/09/08 13:43:03 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecpmui.dll
[2010/09/08 13:43:03 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeclmpm.dll
[2010/09/08 13:43:02 | 000,688,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxechbn3.dll
[2010/09/08 13:43:02 | 000,324,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecih.exe
[2010/09/08 13:43:02 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\lxecins.dll
[2010/09/08 13:43:02 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lxecinsb.dll
[2010/09/08 13:43:02 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxecgrd.dll
[2010/09/08 13:43:02 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lxecinsr.dll
[2010/09/08 13:43:02 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\lxecjswr.dll
[2010/09/08 13:43:01 | 000,802,816 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccomc.dll
[2010/09/08 13:43:01 | 000,598,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccoms.exe
[2010/09/08 13:43:01 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccomm.dll
[2010/09/08 13:43:01 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\lxeccu.dll
[2010/09/08 13:43:01 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\lxeccub.dll
[2010/09/08 13:43:01 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxeccur.dll
[2010/09/08 13:43:00 | 000,373,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccfg.exe
[2010/09/08 13:42:19 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\LXECsm.dll
[2010/09/08 13:42:19 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\LXECsmr.dll

========== LOP Check ==========

[2006/06/28 13:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.YOUR-5E03CF73DE\Application Data\Leadertech
[2006/06/28 13:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.YOUR-5E03CF73DE\Application Data\SampleView
[2012/02/24 17:55:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.YOUR-5E03CF73DE\Application Data\Windows Search
[2008/02/01 14:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/08/21 10:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lexmark Pro800-Pro900 Series
[2011/05/27 13:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2006/06/28 12:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
[2010/09/08 13:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pro800-Pro900 Series
[2011/04/28 07:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Radialpoint
[2006/06/28 13:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/06/28 13:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Leadertech
[2006/06/28 13:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2011/09/20 16:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Garmin
[2006/06/28 13:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2011/08/22 09:11:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Pro800-Pro900 Series
[2006/06/28 13:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2010/09/16 12:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2010/07/12 13:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2010/07/13 13:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Search

========== Purity Check ==========


< End of report >

OTL Extras logfile created on: 2/27/2012 10:43:50 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 86.64% Memory free
2.29 Gb Paging File | 2.22 Gb Available in Paging File | 96.96% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.28 Gb Total Space | 128.10 Gb Free Space | 86.39% Space Free | Partition Type: NTFS
Drive D: | 5.08 Gb Total Space | 2.70 Gb Free Space | 53.13% Space Free | Partition Type: FAT32

Computer Name: YOUR-5E03CF73DE | User Name: Owner | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"50000:UDP" = 50000:UDP:*:Enabled:IHA_MessageCenter

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5 -- (SmartSoft Ltd.)
"C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe:*:Disabled:Abacast Distributed On-Demand -- (Abacast, Inc.)
"C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe:*:Disabled:Abaclient -- (Abacast, Inc.)
"C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient2.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient2.exe:*:Disabled:Abaclient -- (Abacast, Inc.)
"C:\Program Files\Verizon\VSP\ServicepointService.exe" = C:\Program Files\Verizon\VSP\ServicepointService.exe:*:Enabled:Servicepoint Service -- (Radialpoint Inc.)
"C:\WINDOWS\system32\lxeccoms.exe" = C:\WINDOWS\system32\lxeccoms.exe:*:Enabled:Pro800-Pro900 Series Server -- ( )
"C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe:*:Enabled:ABBYY FineReader -- (ABBYY (BIT Software))


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05410044-64A6-4248-A026-9745C1E9E159}" = Microsoft Encarta Encyclopedia Standard 2005
"{094B8DC6-1B31-46A8-B09F-0CA0E72B2246}" = Product Information Manuals
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java™ 6 Update 26
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3F262ADC-5AD2-48E5-A586-44315E04A9E2}" = Microsoft Picture It! Library 10
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{42756145-9997-4D28-809B-8756BFD00106}" = Microsoft Picture It! Premium 10
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{82EF8297-C8B2-4CA8-9430-FF2BC8C40414}" = GWCares
"{859963C1-E908-49E8-9FA3-9E833D717563}" = IHA_MessageCenter
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C169D3BB-9A27-43F5-9979-09A0D65FE95C}" = SmartFTP Client
"{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}" = Microsoft Works Suite Add-in for Microsoft Word
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D8F0F3F4-D55C-4FBD-A590-B984615D7A6A}" = Vz In Home Agent
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FFC3B772-C00A-42da-90A6-A87F4AFD73D9}" = Netscape Internet Service
"{FFC3B772-C00A-42da-90A6-A87F4AFD73E0}" = Netscape Web Accelerator
"AbacastNode:11" = Abacast Distributed On-Demand
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AudibleManager" = AudibleManager
"Avira AntiVir Desktop" = Avira Free Antivirus
"CADKIT Pricing Kit" = CADKIT Pricing Kit
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"ESET Online Scanner" = ESET Online Scanner v3
"Fundamentals of Pricing Kit" = Fundamentals of Pricing Kit
"gtw_logo" = gtw_logo
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Lexmark Pro800-Pro900 Series" = Lexmark Pro800-Pro900 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Money2005b" = Microsoft Money 2005
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureItPrem_v10" = Microsoft Picture It! Premium 10
"QuickTime" = QuickTime
"RadialpointClientGateway_is1" = Verizon Servicepoint 3.5.10
"RealPlayer 6.0" = RealPlayer Basic
"Shockwave" = Shockwave
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Verizon Help and Support" = Verizon Help and Support Tool
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2005Setup" = Microsoft Works 2005 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Abacast Distributed Live" = Abacast Distributed Live

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/25/2012 3:05:26 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:05:26 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:05:59 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:05:59 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:06:44 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:06:44 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:09:02 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:09:02 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:09:03 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:10:11 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in
the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 2/25/2012 3:03:14 PM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxecCATSCustConnectService
service to connect.

Error - 2/25/2012 3:03:14 PM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7000
Description = The lxecCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 2/25/2012 6:13:32 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/25/2012 6:13:49 PM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avipbb avkmgr Fips intelppm ssmdrv

Error - 2/25/2012 6:16:46 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/25/2012 6:33:08 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 2/25/2012 7:09:56 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/27/2012 11:36:36 AM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/27/2012 11:37:39 AM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avipbb avkmgr Fips intelppm ssmdrv

Error - 2/27/2012 11:38:56 AM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

#4 MrCharlie (Forum Deity, Experts)
Please do this: (will require a reboot)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
    O4 - HKU\.DEFAULT..\Run: [Power2GoExpress] NA File not found
    O4 - HKU\S-1-5-18..\Run: [Power2GoExpress] NA File not found
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML File not found
    [2012/02/24 16:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\System Check
    [2012/02/24 16:44:02 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/02/24 16:28:49 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
    [2012/02/24 16:26:04 | 000,000,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
    [2012/02/24 16:26:04 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
    [2012/02/24 16:26:03 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
    [2012/02/24 16:44:02 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/02/24 16:26:04 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
    [2012/02/24 16:26:04 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
    [2012/02/24 16:26:03 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
    [2012/02/24 16:26:00 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
    [2011/06/20 11:53:30 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164r
    [2011/06/20 11:53:25 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17424164
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
-------------------------------
Next........
Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#5 Ndhlp (New Member)
Quoting MrCharlie:
    when done it will say "Fix Complete press ok to open the log"
It did not say this at the end. It only asked me to reboot, so I did...Here is the log file from after the reboot.
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&AOL Toolbar search\ deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\System Check folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp moved successfully.
C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp moved successfully.
C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr moved successfully.
C:\Documents and Settings\Owner\Desktop\System Check.lnk moved successfully.
File C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk not found.
File C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp not found.
File C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr not found.
File C:\Documents and Settings\Owner\Desktop\System Check.lnk not found.
File C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp not found.
C:\Documents and Settings\All Users\Application Data\~17424164r moved successfully.
C:\Documents and Settings\All Users\Application Data\17424164 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.YOUR-5E03CF73DE
->Temp folder emptied: 1985048 bytes
->Temporary Internet Files folder emptied: 30541755 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 66284 bytes
->Temporary Internet Files folder emptied: 2101264 bytes
->Flash cache emptied: 348 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1202766 bytes

User: Owner
->Temp folder emptied: 2039889044 bytes
->Temporary Internet Files folder emptied: 6784520 bytes
->Java cache emptied: 189994 bytes
->Flash cache emptied: 2091084 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 155160 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1194034 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 93255849 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 1208 bytes

Total Files Cleaned = 2,079.00 mb


OTL by OldTimer - Version 3.2.33.2 log created on 02272012_132048
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

ComboFix detected Avira AntiVirus scanner as being active. As you have probably seen in the logs, they are running the Avira free version which I cannot seem to access in Safe Mode with Networking. I even went to their Windows Security Center but it only shows: Windows Firewall, Internet Options, and Automatic Updates. I looked in the Processes in Windows Taskbar but did not see it running and I was unable to get it to open via Windows Taskbar. I can right click a file and scan it with Avira but I am not able to access the actual program to shut it down.

I took a chance and ran ComboFix anyway. Hopefully I did not make a bigger mess...
You will see that they have Verizon Internet Security Suite installed. It was disabled long ago. We are not sure what components can be installed and still have Verizon work as their DSL provider, so we just left it disabled and use other programs in its place.
ComboFix 12-02-27.02 - Owner 02/27/2012 13:50:34.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1639 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPLC65C.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))
.
.
2012-02-27 18:20 . 2012-02-27 18:20 -------- d-----w- C:\_OTL
2012-02-25 22:46 . 2012-02-25 22:46 607260 ------r- c:\program files\dds.scr
2012-02-25 22:17 . 2012-02-25 22:17 1008141 ----a-w- c:\program files\rkill.exe
2012-02-25 18:07 . 2012-02-25 18:07 -------- d-----w- c:\program files\ESET
2012-02-25 16:20 . 2012-02-25 16:20 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\PrivacIE
2012-02-24 22:55 . 2012-02-24 22:55 -------- d-----w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\Application Data\Windows Search
2012-02-24 22:52 . 2012-02-24 22:52 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\IETldCache
2012-02-22 14:14 . 2012-02-22 14:14 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2012-02-22 01:40 . 2012-02-22 01:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-02-22 01:38 . 2012-02-22 01:38 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2012-02-22 01:19 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-02-22 01:14 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-02-22 01:14 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-02-22 01:14 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-02-22 01:11 . 2012-02-22 01:13 -------- dc----w- c:\windows\ie8
2012-02-16 05:33 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 05:33 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-15 16:15 . 2011-10-24 18:51 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-01-12 16:53 . 2004-08-26 16:12 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-29 18:29 . 2011-07-30 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46 . 2004-08-26 16:12 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2004-08-26 16:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-26 16:11 385024 ------w- c:\windows\system32\html.iec
2011-12-10 20:24 . 2011-06-20 20:15 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 15:31 . 2011-08-23 15:31 1284232 ----a-w- c:\program files\couponprinter.exe
2011-06-27 22:20 . 2011-06-27 22:20 900384 ----a-w- c:\program files\JavaSetup6u26.exe
2011-06-24 17:19 . 2011-06-24 17:19 50688 ----a-w- c:\program files\ATF_Cleaner.exe
2011-06-23 17:19 . 2011-06-23 17:19 684297 ----a-w- c:\program files\unhide.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]
"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-28 98304]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-01-18 139944]
"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=
"c:\\WINDOWS\\system32\\lxeccoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/24/2011 1:51 PM 36000]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/24/2011 1:52 PM 86224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 4:12 PM 135664]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/28/2011 6:20 PM 290832]
S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]
S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [9/8/2010 1:47 PM 193192]
S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [5/10/2010 12:44 PM 668912]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 4:12 PM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
TCP: DhcpNameServer = 192.168.1.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Verizon Internet Security Suite - c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-27 13:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(428)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-02-27 13:57:10
ComboFix-quarantined-files.txt 2012-02-27 18:57
.
Pre-Run: 139,572,973,568 bytes free
Post-Run: 139,532,345,344 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 141BCF79A3DEE03CA92529284A38B2B7

THANK YOU again for your help.

#6 MrCharlie (Forum Deity, Experts)
You did OK in running it...no harm done. :)

Please Update and run a Quick Scan with MBAM, post the report.

Please let me know how it is, MrC


#7 Ndhlp (New Member)
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.27.04
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Owner :: YOUR-5E03CF73DE [administrator]
2/27/2012 2:45:09 PM
mbam-log-2012-02-27 (14-45-09).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 189832
Time elapsed: 1 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

I am still in Safe Mode w/Networking. Malwarebytes is still missing from the Desktop/toolbar, as is Avira Antivirus. Also, when I go to Start > All Programs I cannot run/access any of the programs, as their icons/logos (?) have all been replaced by one that looks like a file with colored dots in front of a folder. It looked like this after I ran unhide.exe, prior to posting the requests for help. If I go to Program Files in the C drive most of the programs have a Folder icon, with the exception of Java, ATF Cleaner, RKill and a few others. So I still have to find/open MBAM from Windows Taskbar. Sorry, I am unable to post a screen capture as I don't seem to have the ability to do that either.

I also went into System Restore to try and see what their last restore point was (I did this prior to running ComboFix), but there is nothing referring to setting a restore point, or restore point dates although according to the Windows Help, we should easily be able to do this. So I didn't want to fiddle with that in case this bug was able to infect System Restore...

Thank you for your help.

#8 MrCharlie (Forum Deity, Experts)
That infection will hide all your files and folders, check the link below:
http://www.smartestc...ted-by-a-virus/

---------------

Please remove any usb or external drives from the computer before you run these scans!

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
-------------

Next..........

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)
Post back the report.

MrC


#9 Ndhlp (New Member)
(I did not check the Windows Defender box as you had not requested I do so).

Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 27-02-2012 at 17:00:07
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000
IpSec Tag value is correct.
**** End of log ****

We already have RogueKiller downloaded from earlier but I'll download it again for the newest version and re-run and post back.

Thank you for your help.
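The FSS log above reports three kinds of things worth reading mechanically: services that are not running, a start type that differs from the default (BITS set to Demand instead of Auto), and the "Extra List" block, where the name(tag) pairs are the network drivers' Tag values and the hex line is the binary load-order list those tags must appear in. The script below is an added example, not FSS code and not from anyone in this thread. It assumes the line shapes match the log posted here, and it assumes the hex blob is the REG_BINARY value HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\PNP_TDI laid out as a little-endian DWORD count followed by that many DWORD tags; the sample log embedded in it is a constructed abridgement of the one above.

```python
"""Parse a Farbar Service Scanner (FSS) log and list what it flags.

Added example for this thread; not FSS code. Assumptions: regexes match the
line shapes in the FSS log above; the hex blob under "Extra List" is the
REG_BINARY HKLM\\SYSTEM\\CurrentControlSet\\Control\\GroupOrderList\\PNP_TDI,
a little-endian DWORD count followed by that many DWORD driver tags.
"""
import re
import struct

# Constructed sample: service and Extra List lines abridged from the log above.
SAMPLE_LOG = """\
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.

File Check:
========
C:\\WINDOWS\\system32\\svchost.exe => MD5 is legit
C:\\WINDOWS\\system32\\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000
IpSec Tag value is correct.
**** End of log ****
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.")
MD5_LINE = re.compile(r"^(\S+) => MD5 is (.+)$")
TAG_LINE = re.compile(r"^(?:\s*\w+\(\d+\))+\s*$")   # e.g. "Gpc(6) IPSec(4) ..."
TAG = re.compile(r"(\w+)\((\d+)\)")
BLOB_LINE = re.compile(r"^0x([0-9A-Fa-f]+)$")


def decode_group_order_list(hex_blob: str) -> list:
    """Decode a GroupOrderList blob: DWORD count, then that many DWORD tags."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    count = struct.unpack_from("<I", raw, 0)[0]
    if len(raw) != 4 * (count + 1):
        raise ValueError(f"count {count} does not match {len(raw) // 4 - 1} tags")
    return list(struct.unpack_from(f"<{count}I", raw, 4))


def missing_tags(drivers: dict, order: list) -> list:
    """Names of drivers whose Tag value is absent from the load-order list."""
    return sorted(name for name, tag in drivers.items() if tag not in order)


def parse_fss(log: str) -> dict:
    """Return findings plus the decoded driver tags and load order."""
    findings, drivers, order = [], {}, []
    for line in log.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            findings.append(("info", f"{m.group(1)} is not running"))
        elif m := START_TYPE.match(line):
            findings.append(("warn", f"{m.group(1)} start type is "
                                     f"{m.group(2)}, default is {m.group(3)}"))
        elif m := MD5_LINE.match(line):
            if m.group(2) != "legit":
                findings.append(("warn", f"{m.group(1)}: MD5 is {m.group(2)}"))
        elif TAG_LINE.match(line):
            drivers = {name: int(tag) for name, tag in TAG.findall(line)}
        elif m := BLOB_LINE.match(line):
            try:
                order = decode_group_order_list(m.group(1))
            except ValueError as exc:
                findings.append(("warn", f"GroupOrderList blob: {exc}"))
    # A driver whose Tag is not in the list will not be bound in PNP_TDI order.
    for name in missing_tags(drivers, order):
        findings.append(("warn", f"{name} tag {drivers[name]} not in load order"))
    if len(set(order)) != len(order):
        findings.append(("warn", "duplicate tags in load order"))
    return {"findings": findings, "drivers": drivers, "order": order}


if __name__ == "__main__":
    for level, msg in parse_fss(SAMPLE_LOG)["findings"]:
        print(f"[{level}] {msg}")
```

On the sample the blob decodes to count 10 and the order 4, 1, 2, 3, 10, 9, 5, 6, 7, 8, so every tag in the name(tag) line is present and only the BITS start type is flagged; a blob whose count header does not match its length, or a driver tag that has been changed to a value not in the list, is reported as a warning instead of being silently accepted.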

#10 MrCharlie (Forum Deity, Experts)
Please backup the registry before doing this:
http://www.geekstogo...ry-using-erunt/

---------------------------

Then download wscsvc.reg and wuauserv.reg.

Then right click on each one and choose merge.

Reboot the computer and run FSS again and post the log, see if system restore now works.

MrC

Malware Removal Expert



I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew
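The two .reg files in this post repair the service settings by writing the registry directly, which is why merging them works from Safe Mode even though services.msc will not start anything there. The Python below is an added example, not the forum's wscsvc.reg or wuauserv.reg: it builds such a file for a service (Start type, ImagePath and ServiceDll, with the hex(2) encoding regedit uses for REG_EXPAND_SZ) and parses a .reg back, so a downloaded file can be read for what it will actually change before it is merged. The BITS values in the usage block are an assumption (the FSS logs on this page only print "OK" for them); compare against a clean XP SP3 machine before relying on them.

```python
# Added example, not the forum's wscsvc.reg / wuauserv.reg. Builds a .reg
# that restores a service's Start type, ImagePath and ServiceDll, and
# parses a .reg back so a downloaded file can be read before it is merged.
# The constants are the values the Service Control Manager stores; the
# BITS configuration under __main__ is an assumption (FSS only prints "OK").

START_AUTO = 2       # services.msc "Automatic"  (FSS calls it Auto)
START_DEMAND = 3     # services.msc "Manual"     (FSS calls it Demand)
START_DISABLED = 4   # services.msc "Disabled"

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def reg_expand_sz(value):
    """Encode REG_EXPAND_SZ as regedit exports it: 'hex(2):' followed by the
    comma-separated UTF-16LE bytes of the NUL-terminated string."""
    data = (value + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join("%02x" % b for b in data)


def reg_dword(value):
    return "dword:%08x" % value


def service_reg(name, start, image_path, service_dll=None):
    """One service's keys: Start/ImagePath under the service key, ServiceDll
    under its Parameters subkey (svchost-hosted services only)."""
    key = SERVICES_KEY + "\\" + name
    lines = ["[%s]" % key,
             '"Start"=%s' % reg_dword(start),
             '"ImagePath"=%s' % reg_expand_sz(image_path)]
    if service_dll is not None:
        lines += ["", "[%s\\Parameters]" % key,
                  '"ServiceDll"=%s' % reg_expand_sz(service_dll)]
    return "\n".join(lines)


def build_reg_file(services):
    body = "\n\n".join(service_reg(**s) for s in services)
    return "Windows Registry Editor Version 5.00\n\n" + body + "\n"


def decode_reg_value(raw):
    """Decode the right-hand side of a .reg line (dword:, hex(2):, "string")."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    raise ValueError("unsupported .reg value: %r" % raw)


def parse_reg(text):
    """Return {key: {value_name: decoded}}; joins the backslash-continued
    lines regedit writes for long hex values."""
    result, key, pending = {}, None, ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):          # wrapped hex value, more on next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None and "=" in line:
            name, _, raw = line.partition("=")
            result[key][name.strip('"')] = decode_reg_value(raw)
    return result


if __name__ == "__main__":
    reg = build_reg_file([dict(
        name="BITS", start=START_AUTO,
        image_path=r"%SystemRoot%\system32\svchost.exe -k netsvcs",  # assumed XP default
        service_dll=r"%SystemRoot%\System32\qmgr.dll")])              # assumed XP default
    print(reg)
    # regedit reads v5 files as UTF-16 with BOM, which encoding "utf-16" writes:
    # open("bits.reg", "w", encoding="utf-16").write(reg)
    print(parse_reg(reg)[SERVICES_KEY + r"\BITS"]["Start"])
```

Run parse_reg over any .reg you are about to merge: the keys it lists are exactly the ones regedit will overwrite, and a file that also touches Run keys, Winlogon or anything outside the service it claims to fix should not be merged.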

#11
Ndhlp

    New Member

  • Members
  • 44 posts
Unfortunately unhide did not work, as it said:
"The C:\DOCUME~1\Owner\LOCALS~1\Temp\smtmp\ folder does not exist!!"
I haven't cleaned out any temp folders, so I'm not sure why they're not there unless one of these programs did. I also tried the scripts he had posted in November 2011, but it still did not make a difference.

Here is the Rkill log.
RogueKiller V7.2.0 [02/27/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Owner [Admin rights]
Mode: Scan -- Date: 02/27/2012 17:29:04
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-747832287-720386439-3837867810-1003[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: HDT722516DLAT80 +++++
--- User ---
[MBR] 2de17797318da582eea1c6d0191a9ccd
[BSP] 785403c40b2e57190234204681ec45a9 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 10683225 | Size: 151840 Mo
1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 5216 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Getting started on the other instructions...
Thank you for your help.

#12
Ndhlp

    New Member

  • Members
  • 44 posts
Ok. I followed your instructions in post #10. Thanks. It looks like I can access System Restore.

Now that ERUNT is in the All Programs list it has the same little icon as the others, but at least you can get to documentation etc. from there. With most programs you can't, e.g. MBAM > Tools > (empty).
NOTE: I hope I interpreted the post #10 directions correctly, as in only right-clicking and merging the two programs, not clicking and running them.
Avira still not visible/accessible. Nothing shows in the Windows Security Center about any antivirus, i.e. active or WARNING: it's not active.

Here is the newest FSS log
Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 27-02-2012 at 18:01:21
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000
IpSec Tag value is correct.
**** End of log ****

Should I just do a System Restore from the date prior to the "properties" date of the fake System Check file and see if that brings their computer and settings back? I think the only program download would have been the annoying IE 8 installation.

I have to go now and won't have access to their computer until the a.m.

Thank you again for your continued help.

#13
MrCharlie

    Forum Deity

  • Experts
  • 17,313 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Please download and run WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe
This should restore the default registry settings related with BITS and Automatic updates.

Reboot and run another FSS scan, MrC


#14
Ndhlp

    New Member

  • Members
  • 44 posts
I really am going home after this post. :D
I downloaded WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe to the desktop and clicked RUN. A black dialog box flashed and that was it. Nothing opened or asked me anything or any reports...I rebooted but there are no visible changes.

Here is the FSS scan log.
Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 27-02-2012 at 18:28:26
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000
IpSec Tag value is correct.
**** End of log ****

Have a good night. Thank you again for your help.

#15
MrCharlie

    Forum Deity

  • Experts
  • 17,313 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
The WUS_Fix.exe ran correctly.

--------------------------------------

You can also visit MS FixIt for solutions to some of your problems:

http://support.microsoft.com/fixit/

-------------------------------------

Please check these........

From the FSS log:

Quote

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Go to Start > Run > copy and paste services.msc > click OK
Double click on Background Intelligent Transfer Service
Make sure the Startup Type is set to Automatic
The Service Status should be Started
OK your way out.

-------------------------------------------

Quote

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".


Do the same for COM+ Event System
Make sure it's Started and set to Manual

Let me know, MrC

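The FSS lines quoted above are the ones worth acting on: a service not running, a start type that differs from the default FSS knows for that Windows version, and an ImagePath or ServiceDll that FSS prints verbatim instead of marking OK. The script below is an added example of reading an FSS log mechanically; it is not Farbar's code or anything the poster ran. It maps FSS's Auto/Demand wording to the Automatic/Manual labels services.msc shows and emits the same kind of steps given in this post. The sample is an excerpt of the log in post #14; the regular expressions follow that log's phrasing and are an assumption for other FSS versions.

```python
import re

# Added example (not Farbar's code): triage an FSS log. SAMPLE_LOG is an
# excerpt of the log posted above; the regexes match that log's wording.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 22-02-2012
Boot Mode: Nerwork
****************************************************************
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:
========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
**** End of log ****
"""

# FSS wording -> services.msc label, and the Start dword the SCM stores.
FSS_TO_MMC = {"Auto": "Automatic", "Demand": "Manual", "Disabled": "Disabled"}
START_VALUE = {"Auto": 2, "Demand": 3, "Disabled": 4}

RE_BOOT = re.compile(r"^Boot Mode: (.+)$")
RE_NOT_RUNNING = re.compile(r"^(\S+) Service is not running\. Checking service configuration:")
RE_START_BAD = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
RE_PATH_OK = re.compile(r"^The (ImagePath|ServiceDll) of (\S+) service is OK\.")
RE_PATH_VAL = re.compile(r'^The (ImagePath|ServiceDll) of (\S+): "(.*)"\.')
RE_FILE = re.compile(r"^(.+?) => (.+)$")


def _svc(report, name):
    return report["services"].setdefault(
        name, {"running": True, "start_type": None, "imagepath": None, "servicedll": None})


def parse_fss(text):
    """Collect boot mode, per-service findings and non-legit file checks."""
    report = {"boot_mode": None, "services": {}, "file_check": []}
    for line in text.splitlines():
        line = line.strip()
        m = RE_BOOT.match(line)
        if m:
            report["boot_mode"] = m.group(1)
            continue
        m = RE_NOT_RUNNING.match(line)
        if m:
            _svc(report, m.group(1))["running"] = False
            continue
        m = RE_START_BAD.match(line)
        if m:
            _svc(report, m.group(1))["start_type"] = (m.group(2), m.group(3))
            continue
        m = RE_PATH_OK.match(line)
        if m:
            _svc(report, m.group(2))[m.group(1).lower()] = "OK"
            continue
        m = RE_PATH_VAL.match(line)
        if m:
            _svc(report, m.group(2))[m.group(1).lower()] = m.group(3)
            continue
        m = RE_FILE.match(line)
        if m and m.group(2) != "MD5 is legit":   # anything else needs a look
            report["file_check"].append((m.group(1), m.group(2)))
    return report


def remediation(report):
    """Turn the parsed report into the services.msc / file steps to take."""
    steps = []
    for name, svc in sorted(report["services"].items()):
        if svc["start_type"]:
            cur, default = svc["start_type"]
            steps.append("%s: Startup type is %s; set it to %s in services.msc (Start dword %s)"
                         % (name, FSS_TO_MMC.get(cur, cur), FSS_TO_MMC.get(default, default),
                            START_VALUE.get(default, "?")))
        for field in ("imagepath", "servicedll"):
            if svc[field] not in (None, "OK"):
                steps.append("%s: %s reported as %r; compare with a clean machine" % (name, field, svc[field]))
        if not svc["running"]:
            steps.append("%s: not running; start it from normal mode (safe mode starts only SafeBoot-listed services)" % name)
    for path, verdict in report["file_check"]:
        steps.append("%s: %s; replace from a trusted copy" % (path, verdict))
    return steps


if __name__ == "__main__":
    for step in remediation(parse_fss(SAMPLE_LOG)):
        print(step)
```

The boot mode is kept in the report for a reason: a log taken in Safe Mode will show services as not running that Windows simply does not start there, so "not running" only means damage once the same check has been repeated from a normal boot.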

#16
Ndhlp

    New Member

  • Members
  • 44 posts
Thank you for the Windows link. I haven't tried their solution(s) yet.

I tried to make the BITS and COM+ Event System change but I got a window saying they cannot be started in Safe Mode. So I rebooted in Normal Mode and made the changes. I noticed their Avira icon was back in the taskbar and I was able to open it. It said their firewall was off. When I clicked on the "balloon" in the taskbar to make the change, it said it couldn't make the change and I had to do it through the control panel, which I did.

I then went back to Safe Mode with Networking and opened services.msc again to see what Avira appeared as there. It says the service is stopped and not available in safe mode (although ComboFix detected it running?)

Also, Windows Security Center says it cannot be started in Safe Mode either which seems odd. I guess that is why it wouldn't tell me or allow me to check the firewall and/or antivirus.

I then rebooted and went back to Normal mode (I am going to use that term loosely at this moment ;) ) and I got a warning that the firewall was now off (again). I then went to Start to try and shut down/restart and the computer froze. I pressed CTRL+ALT+DEL and the Taskbar was blank. The mouse pointer moved on its own and froze, so I did a hard shut down and restarted in Safe Mode w/Networking to log in and post this. Are they still infected or is this residual problems? Should I boot in Normal Mode and run Avira/malwarebytes???

#17
Ndhlp

    New Member

  • Members
  • 44 posts
I forgot to add that I did make the BITS and COM+ Event System changes in Normal Mode but when in Safe Mode they still say they are stopped.

Also, regarding my post #11, I wasn't yelling/complaining. This was a quote from the program windows results. I just didn't quote it properly.
"The C:\DOCUME~1\Owner\LOCALS~1\Temp\smtmp\ folder does not exist!!" Just in case anyone misinterpreted it.

We are really thankful for the help.

#18
MrCharlie

    Forum Deity

  • Experts
  • 17,313 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
OK....run me another FSS scan and post the log.

Quote

Should I boot in Normal Mode and run Avira/malwarebytes???

Yes...let's try that.

Let me know, MrC


#19
Ndhlp

    New Member

  • Members
  • 44 posts
Here is the FSS from Safe Mode w/Networking. Everything was checked except for Windows Defender. Should I check that and run in Safe and or Normal Mode?

I'll run the other 2 and post back. Would you like me to also run and post an FSS from Normal Mode? With or without Windows Defender checked?
Farbar Service Scanner Version: 22-02-2012
Ran by Owner (administrator) on 28-02-2012 at 14:20:14
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000
IpSec Tag value is correct.
**** End of log ****
Thank you for your help!

#20
MrCharlie

    Forum Deity

  • Experts
  • 17,313 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Yes, check all the boxes and do it in normal mode, MrC
