System Check rogue/virus/trojan not fully removed by Malwarebytes


Ndhlp

Hi,

My friend got what appears to be a nasty case of a fake Windows Security Check. I had to run Malwarebytes from the Start>Run box in Safe Mode with Networking as everything was hidden.

I had to run unhide.exe and Rkill to get anything to show on the desktop. I also went to ESET and ran an online scan there and then was finally able to start and update their Anti-Virus and MBAM in regular mode. In Safe Mode w/Networking Avira only shows up with some items now in the Programs list, but we are unable to launch any programs from there. So I don't know if Avira has script blocking, and in either case we wouldn't have been able to disable it.

We are in Safe Mode with Networking with some icons showing on the desktop, including the fake "Security Check" that according to the properties box was created yesterday. It does not allow us to click on any other tabs in this box when right-clicking on the "Security Check" icon on the desktop or taskbar. After running the ESET scan and Rkill the Start>Run box is missing in both Safe and regular mode. I can only access MBAM through the Windows Task Manager.

Here is the MBAM scan (I ran it prior to running the DDS program).

They WILL be upgrading to Malwarebytes PRO but obviously this needs to be fixed first. THANK YOU for your help. I won't be able to run anything on their computer tomorrow but will have access to it Monday a.m. IF someone has time to get to us by then. THANKS again.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.25.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

Owner :: YOUR-5E03CF73DE [administrator]

2/25/2012 5:19:57 PM

mbam-log-2012-02-25 (17-19-57).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 192659

Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 6

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

**********************************************************

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Owner at 17:46:36 on 2012-02-25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1543 [GMT -5:00]

.

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\progra~1\netsca~1\netsca~1\pbhelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [AbacastDistributedOnDemand:11] c:\documents and settings\owner\local settings\application data\abacastdistributedondemand\node\11\AbacastDistributedOnDemand.exe -r:11 -x:1

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN

mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"

mRun: [lxecmon.exe] "c:\program files\lexmark pro800-pro900 series\lxecmon.exe"

mRun: [EzPrint] "c:\program files\lexmark pro800-pro900 series\ezprint.exe"

mRun: [Lexmark Pro800-Pro900 Series Fax Server] "c:\program files\lexmark pro800-pro900 series\fm3032.exe" /s

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [Power2GoExpress] NA

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285267317328

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2C6A64E4-1CC7-4A77-AEAF-23DEA62485B8} : DhcpNameServer = 192.168.1.1

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-24 36000]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-24 86224]

S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-24 110032]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-16 74640]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2011-10-28 290832]

S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [2010-9-8 193192]

S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-5-10 668912]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-02-25 22:46:30 607260 ------r- c:\program files\dds.scr

2012-02-25 22:17:01 1008141 ----a-w- c:\program files\rkill.exe

2012-02-25 18:07:19 -------- d-----w- c:\program files\ESET

2012-02-22 14:14:33 -------- d-sh--w- c:\documents and settings\owner\PrivacIE

2012-02-22 01:38:10 -------- d-sh--w- c:\documents and settings\owner\IETldCache

2012-02-22 01:19:19 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2012-02-22 01:18:56 -------- d-----w- c:\windows\ie8updates

2012-02-22 01:14:13 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2012-02-22 01:14:12 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2012-02-22 01:14:12 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2012-02-22 01:11:10 -------- dc----w- c:\windows\ie8

2012-02-16 05:33:21 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-02-16 05:33:21 3072 ------w- c:\windows\system32\iacenc.dll

.

==================== Find3M ====================

.

2012-01-16 14:56:26 218642 ----a-w- c:\documents and settings\all users\SPLC65C.tmp

2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-29 18:29:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46:36 43520 ------w- c:\windows\system32\licmgr10.dll

2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec

2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 15:31:46 1284232 ----a-w- c:\program files\couponprinter.exe

2011-06-27 22:20:31 900384 ----a-w- c:\program files\JavaSetup6u26.exe

2011-06-24 17:19:42 50688 ----a-w- c:\program files\ATF_Cleaner.exe

2011-06-23 17:19:51 684297 ----a-w- c:\program files\unhide.exe

.

============= FINISH: 17:47:23.20 ===============

I did not post the Attach file as it said not to unless specifically requested.

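Added example, not from this thread and not Malwarebytes, RogueKiller or OTL code: a PowerShell script that audits the two per-user changes the MBAM and RogueKiller logs above record for this rogue. The Start_Show* values under Explorer\Advanced were forced to 0 (Start_ShowRun = 0 is exactly why the Start>Run box is gone), and the Hidden attribute was set on the user's own Desktop and Start Menu entries, which is what unhide.exe undoes. Without -Repair it only reports. Assumptions: PowerShell 2.0 or newer is installed on the XP box, the value list is the one the two logs flagged and is not exhaustive, and the script runs as the affected user because HKCU is per-user. It is a reporting and repair aid for these side effects only; the persistence entries themselves are handled by the forum's cleanup procedure.

```powershell
<#
Added example for this thread (not a tool from the page). Audits and optionally
repairs what the "System Check" rogue did to the user profile according to the
MBAM / RogueKiller logs: Start_Show* forced to 0 and Hidden set on shell items.
Assumes PowerShell 2.0+, run as the affected user (HKCU is per-user).
#>
param([switch]$Repair)

$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value names flagged in the MBAM log (Bad: 0, Good: 1) and RogueKiller [HJ] lines.
# Assumed list; extend it if a later scan flags more Start_Show* names.
$StartValues = @(
    'Start_ShowControlPanel', 'Start_ShowHelp', 'Start_ShowMyComputer',
    'Start_ShowMyDocs', 'Start_ShowRun', 'Start_ShowSearch',
    'Start_ShowRecentDocs', 'Start_ShowUser', 'Start_ShowMyPics',
    'Start_ShowMyGames', 'Start_ShowMyMusic', 'Start_ShowPrinters',
    'Start_ShowSetProgramAccessAndDefaults'
)

# Shell folders that normally contain no hidden entries apart from desktop.ini.
$ShellFolders = @(
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Start Menu'),
    (Join-Path $env:ALLUSERSPROFILE 'Desktop'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu')
)

function Get-StartMenuHijack {
    # One object per Start_Show* value currently set to 0 (item hidden from Start menu).
    $props = Get-ItemProperty -Path $AdvancedKey -ErrorAction SilentlyContinue
    foreach ($name in $StartValues) {
        $current = $props.$name
        if ($current -eq 0) {
            New-Object PSObject -Property @{ Name = $name; Current = $current; Expected = 1 }
        }
    }
}

function Get-HiddenShellItem {
    # Files and folders under the shell folders that carry the Hidden attribute,
    # skipping desktop.ini, which Windows hides by design.
    foreach ($folder in $ShellFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                ($_.Name -ne 'desktop.ini')
            }
    }
}

$hijacks = @(Get-StartMenuHijack)
$hidden  = @(Get-HiddenShellItem)

Write-Host ("Start menu values forced to 0: {0}" -f $hijacks.Count)
$hijacks | ForEach-Object { Write-Host ("  {0}" -f $_.Name) }
Write-Host ("Hidden Desktop/Start Menu entries: {0}" -f $hidden.Count)
$hidden  | ForEach-Object { Write-Host ("  {0}" -f $_.FullName) }

if ($Repair) {
    foreach ($h in $hijacks) {
        # Restore the documented default (1 = show the item).
        Set-ItemProperty -Path $AdvancedKey -Name $h.Name -Value 1 -Type DWord
    }
    foreach ($item in $hidden) {
        # Clear only the Hidden bit; ReadOnly, System and other bits are left as found.
        $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
    Write-Host 'Repaired. Log off and back on (or restart explorer.exe) so the Start menu re-reads the values.'
}
```

Run it once without arguments to see the report, then with -Repair (start PowerShell with -ExecutionPolicy Bypass if script execution is blocked on the machine). Because the registry half touches HKCU only, it has to be run while logged in as the affected account; the HKLM policy values in the OTL report (NoDriveTypeAutoRun, HonorAutoRunSetting) are normal Windows settings and are deliberately left alone.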

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

Click Scan to scan the system (don't run any other options)

Post back the report.

--------------------------------------

Next.......

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Thank you for your help! I did not change any settings in either program, I ran them "as is".

RogueKiller V7.2.0 [02/27/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Safe mode with network support

User: Owner [Admin rights]

Mode: Scan -- Date: 02/27/2012 10:39:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 12 ¤¤¤

[SUSP PATH] HKCU\[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND

[SUSP PATH] HKUS\S-1-5-21-747832287-720386439-3837867810-1003[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDT722516DLAT80 +++++

--- User ---

[MBR] 2de17797318da582eea1c6d0191a9ccd

[BSP] 785403c40b2e57190234204681ec45a9 : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 10683225 | Size: 151840 Mo

1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 5216 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

OTL logfile created on: 2/27/2012 10:43:50 AM - Run 1

OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 86.64% Memory free

2.29 Gb Paging File | 2.22 Gb Available in Paging File | 96.96% Paging File free

Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 148.28 Gb Total Space | 128.10 Gb Free Space | 86.39% Space Free | Partition Type: NTFS

Drive D: | 5.08 Gb Total Space | 2.70 Gb Free Space | 53.13% Space Free | Partition Type: FAT32

Computer Name: YOUR-5E03CF73DE | User Name: Owner | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/27 10:42:11 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2011/12/12 11:03:40 | 000,290,832 | ---- | M] (Verizon) [Auto | Stopped] -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe -- (IHA_MessageCenter)

SRV - [2011/10/11 14:00:20 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2011/10/11 14:00:08 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010/04/14 15:08:12 | 000,598,696 | ---- | M] ( ) [Auto | Stopped] -- C:\WINDOWS\System32\lxeccoms.exe -- (lxec_device)

SRV - [2010/04/14 15:08:05 | 000,193,192 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxecserv.exe -- (lxecCATSCustConnectService)

SRV - [2009/11/18 09:50:40 | 000,668,912 | ---- | M] (Radialpoint Inc.) [Auto | Stopped] -- C:\Program Files\Verizon\VSP\ServicepointService.exe -- (ServicepointService)

SRV - [2006/06/28 13:17:25 | 000,196,608 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)

SRV - [2004/04/06 14:04:38 | 000,053,248 | ---- | M] (Netscape Communications Corporation) [Auto | Stopped] -- C:\Program Files\Netscape Internet Service\ncupdatesvc.exe -- (NCUpdateSvc)

========== Driver Services (SafeList) ==========

DRV - [2012/02/15 11:15:03 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)

DRV - [2011/10/11 14:00:32 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2011/10/11 14:00:32 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)

DRV - [2010/06/17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2010/03/17 15:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2010/03/17 15:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2007/02/04 19:26:59 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)

DRV - [2006/06/28 13:14:32 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)

DRV - [2006/01/25 14:52:32 | 001,478,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2006/01/13 20:13:18 | 004,137,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2005/07/28 11:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)

DRV - [2005/07/20 21:08:28 | 000,100,096 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aksusb.sys -- (aksusb)

DRV - [2005/07/20 21:08:26 | 000,327,808 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\akshasp.sys -- (akshasp)

DRV - [2005/03/17 11:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)

DRV - [2005/03/17 11:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2005/03/17 11:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2004/04/13 23:14:12 | 000,070,144 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

DRV - [2001/08/17 15:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=DX110S

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=DX110S

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home

IE - HKU\S-1-5-21-747832287-720386439-3837867810-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)

FF - HKLM\Software\MozillaPlugins\@radialpoint.com/SPA,version=1: C:\Program Files\Verizon\VSP\nprpspa.dll (Verizon)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

O1 HOSTS File: ([2011/06/25 19:28:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found

O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

O2 - BHO: (PBlockHelper Class) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll (planetscott.ca)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)

O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()

O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O3 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

O3 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)

O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe ()

O4 - HKLM..\Run: [Gateway Extended Warranty] C:\Program Files\Gateway\GWCares\GWCares.exe (BillP Studios)

O4 - HKLM..\Run: [Lexmark Pro800-Pro900 Series Fax Server] C:\Program Files\Lexmark Pro800-Pro900 Series\fm3032.exe ()

O4 - HKLM..\Run: [lxecmon.exe] C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe ()

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe (Alcatel-Lucent)

O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)

O4 - HKU\.DEFAULT..\Run: [Power2GoExpress] NA File not found

O4 - HKU\S-1-5-18..\Run: [Power2GoExpress] NA File not found

O4 - HKU\S-1-5-21-747832287-720386439-3837867810-1003..\Run: [AbacastDistributedOnDemand:11] C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe (Abacast, Inc.)

O4 - HKU\S-1-5-21-747832287-720386439-3837867810-1003..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML File not found

O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll ()

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll ()

O15 - HKU\S-1-5-21-747832287-720386439-3837867810-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab (Support.com Configuration Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285267317328 (MUWebControl Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2C6A64E4-1CC7-4A77-AEAF-23DEA62485B8}: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/26 13:04:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/27 10:42:07 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2012/02/27 10:39:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\RK_Quarantine

[2012/02/25 17:46:30 | 000,607,260 | R--- | C] (Swearware) -- C:\Program Files\dds.scr

[2012/02/25 13:07:19 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2012/02/25 11:52:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Recent

[2012/02/24 16:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\System Check

[2012/02/22 09:14:33 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE

[2012/02/21 20:38:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache

[2012/02/21 20:18:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2012/02/21 20:11:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8

[2012/01/29 01:06:50 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2011/08/23 10:31:36 | 001,284,232 | ---- | C] (Coupons.com Incorporated) -- C:\Program Files\couponprinter.exe

[2011/06/27 17:20:25 | 000,900,384 | ---- | C] (Sun Microsystems, Inc.) -- C:\Program Files\JavaSetup6u26.exe

[2011/06/24 12:19:42 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Program Files\ATF_Cleaner.exe

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/27 10:42:11 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2012/02/27 10:39:11 | 001,281,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe

[2012/02/27 10:35:59 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/02/27 10:35:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/02/25 17:46:34 | 000,607,260 | R--- | M] (Swearware) -- C:\Program Files\dds.scr

[2012/02/25 17:17:08 | 001,008,141 | ---- | M] () -- C:\Program Files\rkill.exe

[2012/02/25 16:16:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2012/02/25 14:02:38 | 008,405,015 | ---- | M] () -- C:\WINDOWS\TempFile

[2012/02/25 14:02:37 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2012/02/24 16:44:02 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

[2012/02/24 16:28:49 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp

[2012/02/24 16:26:04 | 000,000,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp

[2012/02/24 16:26:04 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr

[2012/02/24 16:26:03 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk

[2012/02/24 16:20:12 | 000,551,183 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-24-2012 04;20;04PM.JPG

[2012/02/22 20:04:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2012/02/22 10:52:52 | 000,515,074 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM2.JPG

[2012/02/22 10:52:51 | 000,099,991 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM.JPG

[2012/02/21 17:56:36 | 000,404,138 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM.JPG

[2012/02/21 17:56:36 | 000,313,687 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM2.JPG

[2012/02/21 17:54:34 | 000,146,623 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;54;28PM.JPG

[2012/02/21 15:16:59 | 000,146,728 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 03;16;55PM.JPG

[2012/02/21 11:53:13 | 000,279,297 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 11;52;47AM.JPG

[2012/02/19 17:52:09 | 000,232,642 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-19-2012 05;52;04PM.JPG

[2012/02/17 08:49:58 | 000,246,312 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2012/02/16 20:25:30 | 000,494,276 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/02/16 20:25:30 | 000,083,254 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/02/15 16:53:55 | 000,641,490 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM5.JPG

[2012/02/15 16:53:54 | 000,561,469 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM3.JPG

[2012/02/15 16:53:54 | 000,294,486 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM4.JPG

[2012/02/15 16:53:53 | 000,543,842 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM.JPG

[2012/02/15 16:53:53 | 000,509,786 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM2.JPG

[2012/02/15 12:22:58 | 000,387,824 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 12;22;51PM.JPG

[2012/02/15 11:15:03 | 000,137,416 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys

[2012/02/13 16:41:44 | 000,380,026 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-13-2012 04;39;34PM.JPG

[2012/02/03 10:56:28 | 000,472,443 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM5.JPG

[2012/02/03 10:56:28 | 000,454,243 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM4.JPG

[2012/02/03 10:56:28 | 000,247,936 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM6.JPG

[2012/02/03 10:56:27 | 000,631,275 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM.JPG

[2012/02/03 10:56:27 | 000,592,142 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM3.JPG

[2012/02/03 10:56:27 | 000,575,760 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM2.JPG

[2012/02/02 17:07:00 | 000,339,685 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM2.JPG

[2012/02/02 17:07:00 | 000,315,849 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM3.JPG

[2012/02/02 17:06:59 | 000,282,644 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM.JPG

[2012/02/02 12:37:44 | 000,348,272 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM.JPG

[2012/02/02 12:37:44 | 000,273,524 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM2.JPG

[2012/02/02 10:06:58 | 000,689,935 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM.JPG

[2012/02/02 10:06:58 | 000,140,871 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM2.JPG

[2012/01/31 18:00:35 | 000,173,455 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM2.JPG

[2012/01/31 18:00:35 | 000,130,759 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM3.JPG

[2012/01/31 18:00:34 | 000,344,267 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM.JPG

[2012/01/31 17:49:41 | 000,370,557 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;48;20PM.JPG

[2012/01/28 10:59:14 | 000,626,400 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM2.JPG

[2012/01/28 10:59:14 | 000,399,508 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM.JPG

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/27 10:39:01 | 001,281,024 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RogueKiller.exe

[2012/02/25 17:17:01 | 001,008,141 | ---- | C] () -- C:\Program Files\rkill.exe

[2012/02/24 16:44:02 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

[2012/02/24 16:26:04 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp

[2012/02/24 16:26:04 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr

[2012/02/24 16:26:03 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk

[2012/02/24 16:26:00 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp

[2012/02/24 16:20:12 | 000,551,183 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-24-2012 04;20;04PM.JPG

[2012/02/22 10:52:52 | 000,515,074 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM2.JPG

[2012/02/22 10:52:51 | 000,099,991 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-22-2012 10;52;27AM.JPG

[2012/02/21 17:56:36 | 000,404,138 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM.JPG

[2012/02/21 17:56:36 | 000,313,687 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;56;30PM2.JPG

[2012/02/21 17:54:34 | 000,146,623 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 05;54;28PM.JPG

[2012/02/21 15:16:59 | 000,146,728 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 03;16;55PM.JPG

[2012/02/21 11:53:13 | 000,279,297 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-21-2012 11;52;47AM.JPG

[2012/02/19 17:52:09 | 000,232,642 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-19-2012 05;52;04PM.JPG

[2012/02/16 00:33:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/02/16 00:33:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll

[2012/02/15 16:53:55 | 000,641,490 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM5.JPG

[2012/02/15 16:53:55 | 000,294,486 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM4.JPG

[2012/02/15 16:53:54 | 000,561,469 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM3.JPG

[2012/02/15 16:53:53 | 000,543,842 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM.JPG

[2012/02/15 16:53:53 | 000,509,786 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 04;53;36PM2.JPG

[2012/02/15 12:22:58 | 000,387,824 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-15-2012 12;22;51PM.JPG

[2012/02/13 16:41:44 | 000,380,026 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-13-2012 04;39;34PM.JPG

[2012/02/03 10:56:28 | 000,472,443 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM5.JPG

[2012/02/03 10:56:28 | 000,454,243 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM4.JPG

[2012/02/03 10:56:28 | 000,247,936 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM6.JPG

[2012/02/03 10:56:27 | 000,631,275 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM.JPG

[2012/02/03 10:56:27 | 000,592,142 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM3.JPG

[2012/02/03 10:56:27 | 000,575,760 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-03-2012 10;56;18AM2.JPG

[2012/02/02 17:07:00 | 000,339,685 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM2.JPG

[2012/02/02 17:07:00 | 000,315,849 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM3.JPG

[2012/02/02 17:06:59 | 000,282,644 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 05;06;28PM.JPG

[2012/02/02 12:37:44 | 000,348,272 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM.JPG

[2012/02/02 12:37:44 | 000,273,524 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 11;53;43AM2.JPG

[2012/02/02 10:06:59 | 000,140,871 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM2.JPG

[2012/02/02 10:06:58 | 000,689,935 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\02-02-2012 10;05;58AM.JPG

[2012/01/31 18:00:35 | 000,173,455 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM2.JPG

[2012/01/31 18:00:35 | 000,130,759 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM3.JPG

[2012/01/31 18:00:34 | 000,344,267 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;59;13PM.JPG

[2012/01/31 17:49:41 | 000,370,557 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-31-2012 05;48;20PM.JPG

[2012/01/28 10:59:14 | 000,626,400 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM2.JPG

[2012/01/28 10:59:14 | 000,399,508 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\01-28-2012 10;57;52AM.JPG

[2011/10/24 13:47:03 | 000,260,762 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

[2011/06/23 12:19:47 | 000,684,297 | ---- | C] () -- C:\Program Files\unhide.exe

[2011/06/20 11:53:30 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164r

[2011/06/20 11:53:25 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17424164

[2010/09/08 13:47:17 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxecvs.dll

[2010/09/08 13:47:15 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccoin.dll

[2010/09/08 13:47:08 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxecgcfg.dll

[2010/09/08 13:47:07 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxeccui.dll

[2010/09/08 13:47:07 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\lxeccuir.dll

[2010/09/08 13:45:19 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\LXECPMON.DLL

[2010/09/08 13:45:19 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXECFXPU.DLL

[2010/09/08 13:44:59 | 004,485,120 | ---- | C] () -- C:\WINDOWS\System32\LXECoem.dll

[2010/09/08 13:43:17 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxecrwrd.ini

[2010/09/08 13:43:05 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\LXEChcp.dll

[2010/09/08 13:43:05 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\LXECinst.dll

[2010/09/08 13:43:04 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecinpa.dll

[2010/09/08 13:43:04 | 000,344,064 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeciesc.dll

[2010/09/08 13:43:03 | 001,048,576 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecserv.dll

[2010/09/08 13:43:03 | 000,847,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecusb1.dll

[2010/09/08 13:43:03 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecpmui.dll

[2010/09/08 13:43:03 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeclmpm.dll

[2010/09/08 13:43:02 | 000,688,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxechbn3.dll

[2010/09/08 13:43:02 | 000,324,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxecih.exe

[2010/09/08 13:43:02 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\lxecins.dll

[2010/09/08 13:43:02 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lxecinsb.dll

[2010/09/08 13:43:02 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxecgrd.dll

[2010/09/08 13:43:02 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lxecinsr.dll

[2010/09/08 13:43:02 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\lxecjswr.dll

[2010/09/08 13:43:01 | 000,802,816 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccomc.dll

[2010/09/08 13:43:01 | 000,598,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccoms.exe

[2010/09/08 13:43:01 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccomm.dll

[2010/09/08 13:43:01 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\lxeccu.dll

[2010/09/08 13:43:01 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\lxeccub.dll

[2010/09/08 13:43:01 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxeccur.dll

[2010/09/08 13:43:00 | 000,373,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeccfg.exe

[2010/09/08 13:42:19 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\LXECsm.dll

[2010/09/08 13:42:19 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\LXECsmr.dll

========== LOP Check ==========

[2006/06/28 13:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.YOUR-5E03CF73DE\Application Data\Leadertech

[2006/06/28 13:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.YOUR-5E03CF73DE\Application Data\SampleView

[2012/02/24 17:55:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.YOUR-5E03CF73DE\Application Data\Windows Search

[2008/02/01 14:16:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix

[2011/08/21 10:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lexmark Pro800-Pro900 Series

[2011/05/27 13:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster

[2006/06/28 12:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Netscape Internet Service

[2010/09/08 13:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pro800-Pro900 Series

[2011/04/28 07:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Radialpoint

[2006/06/28 13:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2006/06/28 13:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Leadertech

[2006/06/28 13:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView

[2011/09/20 16:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Garmin

[2006/06/28 13:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech

[2011/08/22 09:11:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Pro800-Pro900 Series

[2006/06/28 13:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView

[2010/09/16 12:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template

[2010/07/12 13:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search

[2010/07/13 13:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Search

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 2/27/2012 10:43:50 AM - Run 1

OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 86.64% Memory free

2.29 Gb Paging File | 2.22 Gb Available in Paging File | 96.96% Paging File free

Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 148.28 Gb Total Space | 128.10 Gb Free Space | 86.39% Space Free | Partition Type: NTFS

Drive D: | 5.08 Gb Total Space | 2.70 Gb Free Space | 53.13% Space Free | Partition Type: FAT32

Computer Name: YOUR-5E03CF73DE | User Name: Owner | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"UpdatesDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"50000:UDP" = 50000:UDP:*:Enabled:IHA_MessageCenter

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\SmartFTP Client\SmartFTP.exe" = C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5 -- (SmartSoft Ltd.)

"C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe:*:Disabled:Abacast Distributed On-Demand -- (Abacast, Inc.)

"C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient.exe:*:Disabled:Abaclient -- (Abacast, Inc.)

"C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient2.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Abacast\Abaclient2.exe:*:Disabled:Abaclient -- (Abacast, Inc.)

"C:\Program Files\Verizon\VSP\ServicepointService.exe" = C:\Program Files\Verizon\VSP\ServicepointService.exe:*:Enabled:Servicepoint Service -- (Radialpoint Inc.)

"C:\WINDOWS\system32\lxeccoms.exe" = C:\WINDOWS\system32\lxeccoms.exe:*:Enabled:Pro800-Pro900 Series Server -- ( )

"C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe:*:Enabled:ABBYY FineReader -- (ABBYY (BIT Software))

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{05410044-64A6-4248-A026-9745C1E9E159}" = Microsoft Encarta Encyclopedia Standard 2005

"{094B8DC6-1B31-46A8-B09F-0CA0E72B2246}" = Product Information Manuals

"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar

"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java 6 Update 26

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector

"{3F262ADC-5AD2-48E5-A586-44315E04A9E2}" = Microsoft Picture It! Library 10

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0

"{42756145-9997-4D28-809B-8756BFD00106}" = Microsoft Picture It! Premium 10

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility

"{82EF8297-C8B2-4CA8-9430-FF2BC8C40414}" = GWCares

"{859963C1-E908-49E8-9FA3-9E833D717563}" = IHA_MessageCenter

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002

"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0

"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C169D3BB-9A27-43F5-9979-09A0D65FE95C}" = SmartFTP Client

"{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}" = Microsoft Works Suite Add-in for Microsoft Word

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web

"{D8F0F3F4-D55C-4FBD-A590-B984615D7A6A}" = Vz In Home Agent

"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR

"{FFC3B772-C00A-42da-90A6-A87F4AFD73D9}" = Netscape Internet Service

"{FFC3B772-C00A-42da-90A6-A87F4AFD73E0}" = Netscape Web Accelerator

"AbacastNode:11" = Abacast Distributed On-Demand

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"AudibleManager" = AudibleManager

"Avira AntiVir Desktop" = Avira Free Antivirus

"CADKIT Pricing Kit" = CADKIT Pricing Kit

"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP

"Coupon Printer for Windows4.0" = Coupon Printer for Windows

"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows

"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint

"Easy-WebPrint" = Easy-WebPrint

"ESET Online Scanner" = ESET Online Scanner v3

"Fundamentals of Pricing Kit" = Fundamentals of Pricing Kit

"gtw_logo" = gtw_logo

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"Lexmark Pro800-Pro900 Series" = Lexmark Pro800-Pro900 Series

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Money2005b" = Microsoft Money 2005

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PictureItPrem_v10" = Microsoft Picture It! Premium 10

"QuickTime" = QuickTime

"RadialpointClientGateway_is1" = Verizon Servicepoint 3.5.10

"RealPlayer 6.0" = RealPlayer Basic

"Shockwave" = Shockwave

"StreetPlugin" = Learn2 Player (Uninstall Only)

"Verizon Help and Support" = Verizon Help and Support Tool

"ViewpointMediaPlayer" = Viewpoint Media Player

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Works2005Setup" = Microsoft Works 2005 Setup Launcher

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-747832287-720386439-3837867810-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Abacast Distributed Live" = Abacast Distributed Live

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 2/25/2012 3:05:26 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:05:26 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:05:59 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:05:59 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:06:44 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:06:44 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:09:02 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:09:02 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:09:03 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 2/25/2012 3:10:11 PM | Computer Name = YOUR-5E03CF73DE | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\OWNER\RECENT\DESKTOP.INI> in

the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

[ System Events ]

Error - 2/25/2012 3:03:14 PM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7009

Description = Timeout (30000 milliseconds) waiting for the lxecCATSCustConnectService

service to connect.

Error - 2/25/2012 3:03:14 PM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7000

Description = The lxecCATSCustConnectService service failed to start due to the

following error: %%1053

Error - 2/25/2012 6:13:32 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/25/2012 6:13:49 PM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

avipbb avkmgr Fips intelppm ssmdrv

Error - 2/25/2012 6:16:46 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2/25/2012 6:33:08 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service BITS with arguments

"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 2/25/2012 7:09:56 PM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/27/2012 11:36:36 AM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/27/2012 11:37:39 AM | Computer Name = YOUR-5E03CF73DE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

avipbb avkmgr Fips intelppm ssmdrv

Error - 2/27/2012 11:38:56 AM | Computer Name = YOUR-5E03CF73DE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

< End of report >


Please do this: (will require a reboot)

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
    O4 - HKU\.DEFAULT..\Run: [Power2GoExpress] NA File not found
    O4 - HKU\S-1-5-18..\Run: [Power2GoExpress] NA File not found
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML File not found
    [2012/02/24 16:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\System Check
    [2012/02/24 16:44:02 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/02/24 16:28:49 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
    [2012/02/24 16:26:04 | 000,000,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
    [2012/02/24 16:26:04 | 000,000,184 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
    [2012/02/24 16:26:03 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
    [2012/02/24 16:44:02 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/02/24 16:26:04 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
    [2012/02/24 16:26:04 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
    [2012/02/24 16:26:03 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
    [2012/02/24 16:26:00 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
    [2011/06/20 11:53:30 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164r
    [2011/06/20 11:53:25 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17424164
    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

-------------------------------

Next........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

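The OTL fix above pairs the known-bad "System Check" shortcuts with several randomly named files under All Users\Application Data whose creation times fall within seconds of the shortcut's (16:26:00 to 16:26:04 on 2012/02/24), while the two 17424164 files from June 2011 are an older leftover. That is the usual way such companions are found: take the artifact you already trust as bad and pivot on its creation time. The following is an added example, not code from the thread or from OTL; LISTING is copied from the fix script above, and the five-minute window is an assumption chosen for illustration.

```python
"""Pivot an OTL file listing on a known-bad artifact's creation time.

Added example; not code from the thread or from OTL. LISTING is copied
from the OTL fix script posted above. The five-minute window is an
assumption chosen for illustration.
"""
import re
from datetime import datetime, timedelta

# OTL listing lines look like
#   [2012/02/24 16:26:03 | 000,000,835 | ---- | M] () -- C:\...\System Check.lnk
# The one-letter field before "]" is C (created) or M (modified).
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\(\) )?-- (?P<path>.+)$"
)

# Copied from the OTL fix script in the thread (constructed sample input).
LISTING = r"""
[2012/02/24 16:26:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\System Check
[2012/02/24 16:44:02 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/02/24 16:28:49 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
[2012/02/24 16:26:03 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
[2012/02/24 16:44:02 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/02/24 16:26:04 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp
[2012/02/24 16:26:04 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr
[2012/02/24 16:26:03 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\System Check.lnk
[2012/02/24 16:26:00 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp
[2011/06/20 11:53:30 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164r
[2011/06/20 11:53:25 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17424164
"""


def parse_otl(text):
    """Return [(timestamp, kind, path)] for every line that parses as an OTL entry."""
    entries = []
    for line in text.strip().splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            entries.append((ts, m.group("kind"), m.group("path")))
    return entries


def pivot_on(entries, known_bad_suffix, window=timedelta(minutes=5)):
    """Return paths created within `window` of the earliest creation time of
    any entry whose path ends in `known_bad_suffix`, excluding the anchors."""
    suffix = known_bad_suffix.lower()
    created = {path: ts for ts, kind, path in entries if kind == "C"}
    anchors = [ts for path, ts in created.items() if path.lower().endswith(suffix)]
    if not anchors:
        return []
    t0 = min(anchors)
    return sorted(
        path for path, ts in created.items()
        if abs(ts - t0) <= window and not path.lower().endswith(suffix)
    )


if __name__ == "__main__":
    for path in pivot_on(parse_otl(LISTING), "System Check.lnk"):
        print(path)
```

Run against the listing, the pivot returns the Start Menu folder and the three XFPKBCIrCSMBrp files and leaves the 2011 entries out; only creation (C) records are used, because a modification time can be refreshed by anything touching the file later.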

MrCharlie wrote:

  • when done it will say "Fix Complete press ok to open the log"

It did not say this at the end. It only asked me to reboot, so I did. Here is the log file from after the reboot.

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&AOL Toolbar search\ deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\System Check folder moved successfully.

C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.

C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp moved successfully.

C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp moved successfully.

C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr moved successfully.

C:\Documents and Settings\Owner\Desktop\System Check.lnk moved successfully.

File C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk not found.

File C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrp not found.

File C:\Documents and Settings\All Users\Application Data\~XFPKBCIrCSMBrpr not found.

File C:\Documents and Settings\Owner\Desktop\System Check.lnk not found.

File C:\Documents and Settings\All Users\Application Data\XFPKBCIrCSMBrp not found.

C:\Documents and Settings\All Users\Application Data\~17424164r moved successfully.

C:\Documents and Settings\All Users\Application Data\17424164 moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.YOUR-5E03CF73DE

->Temp folder emptied: 1985048 bytes

->Temporary Internet Files folder emptied: 30541755 bytes

->Flash cache emptied: 456 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56468 bytes

User: LocalService

->Temp folder emptied: 66284 bytes

->Temporary Internet Files folder emptied: 2101264 bytes

->Flash cache emptied: 348 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1202766 bytes

User: Owner

->Temp folder emptied: 2039889044 bytes

->Temporary Internet Files folder emptied: 6784520 bytes

->Java cache emptied: 189994 bytes

->Flash cache emptied: 2091084 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 155160 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 1194034 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 93255849 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes

RecycleBin emptied: 1208 bytes

Total Files Cleaned = 2,079.00 mb

OTL by OldTimer - Version 3.2.33.2 log created on 02272012_132048

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ComboFix detected Avira AntiVirus scanner as being active. As you have probably seen in the logs, they are running the Avira free version which I cannot seem to access in Safe Mode with Networking. I even went to their Windows Security Center but it only shows: Windows Firewall, Internet Options, and Automatic Updates. I looked in the Processes in Windows Taskbar but did not see it running and I was unable to get it to open via Windows Taskbar. I can right click a file and scan it with Avira but I am not able to access the actual program to shut it down.

I took a chance and ran ComboFix anyway. Hopefully I did not make a bigger mess...

You will see that they have Verizon Internet Security Suite installed. It was disabled long ago. We are not sure what components can be installed and still have Verizon work as their DSL provider, so we just left it disabled and use other programs in its place.

ComboFix 12-02-27.02 - Owner 02/27/2012 13:50:34.3.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1639 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\SPLC65C.tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))

.

.

2012-02-27 18:20 . 2012-02-27 18:20 -------- d-----w- C:\_OTL

2012-02-25 22:46 . 2012-02-25 22:46 607260 ------r- c:\program files\dds.scr

2012-02-25 22:17 . 2012-02-25 22:17 1008141 ----a-w- c:\program files\rkill.exe

2012-02-25 18:07 . 2012-02-25 18:07 -------- d-----w- c:\program files\ESET

2012-02-25 16:20 . 2012-02-25 16:20 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\PrivacIE

2012-02-24 22:55 . 2012-02-24 22:55 -------- d-----w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\Application Data\Windows Search

2012-02-24 22:52 . 2012-02-24 22:52 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\IETldCache

2012-02-22 14:14 . 2012-02-22 14:14 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2012-02-22 01:40 . 2012-02-22 01:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2012-02-22 01:38 . 2012-02-22 01:38 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2012-02-22 01:19 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2012-02-22 01:14 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2012-02-22 01:14 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2012-02-22 01:14 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2012-02-22 01:11 . 2012-02-22 01:13 -------- dc----w- c:\windows\ie8

2012-02-16 05:33 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-02-16 05:33 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-15 16:15 . 2011-10-24 18:51 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys

2012-01-12 16:53 . 2004-08-26 16:12 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-29 18:29 . 2011-07-30 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-17 19:46 . 2004-08-26 16:12 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2004-08-26 16:11 43520 ------w- c:\windows\system32\licmgr10.dll

2011-12-17 19:46 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-12-16 12:22 . 2004-08-26 16:11 385024 ------w- c:\windows\system32\html.iec

2011-12-10 20:24 . 2011-06-20 20:15 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 15:31 . 2011-08-23 15:31 1284232 ----a-w- c:\program files\couponprinter.exe

2011-06-27 22:20 . 2011-06-27 22:20 900384 ----a-w- c:\program files\JavaSetup6u26.exe

2011-06-24 17:19 . 2011-06-24 17:19 50688 ----a-w- c:\program files\ATF_Cleaner.exe

2011-06-23 17:19 . 2011-06-23 17:19 684297 ----a-w- c:\program files\unhide.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]

"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-28 98304]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]

"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-01-18 139944]

"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=

"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=

"c:\\WINDOWS\\system32\\lxeccoms.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"50000:UDP"= 50000:UDP:IHA_MessageCenter

.

S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/24/2011 1:51 PM 36000]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/24/2011 1:52 PM 86224]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 4:12 PM 135664]

S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/28/2011 6:20 PM 290832]

S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [9/8/2010 1:47 PM 193192]

S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [5/10/2010 12:44 PM 668912]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 4:12 PM 135664]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

TCP: DhcpNameServer = 192.168.1.1

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Verizon Internet Security Suite - c:\program files\Verizon\Verizon Internet Security Suite\Rps.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-27 13:55

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(428)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2012-02-27 13:57:10

ComboFix-quarantined-files.txt 2012-02-27 18:57

.

Pre-Run: 139,572,973,568 bytes free

Post-Run: 139,532,345,344 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 141BCF79A3DEE03CA92529284A38B2B7

THANK YOU again for your help.

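The ComboFix "Reg Loading Points" section above lists every Run-key value with the image it launches. A quick triage heuristic, and the one RogueKiller applies when it marks an entry [SUSP PATH] further down in this thread, is to flag any autorun whose image does not live under Program Files or the Windows directory, in particular one under a user profile, where the rogue can write without elevation. Here is an added example, not code from the thread, ComboFix or RogueKiller; SAMPLE is copied from the ComboFix output above, and the set of trusted roots is an assumption.

```python
"""Flag autorun entries whose image lives outside the usual program locations.

Added example; not code from the thread, ComboFix or RogueKiller. SAMPLE is
copied from the ComboFix "Reg Loading Points" section above; the set of
trusted roots is an assumption.
"""
import re

# ComboFix prints Run-key values as:   "name"="c:\path\to\image.exe" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]+)"')

# Roots from which an autorun image is normally expected on this XP box.
# Anything else, in particular a user profile, gets reported.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

# Copied from the ComboFix log in the thread (constructed sample input).
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]
"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]
'''


def classify_image(image):
    """Return None when the image path looks expected, otherwise a short reason."""
    path = image.strip().lower()
    if "\\" not in path:
        # A bare file name is resolved through the PATH search order at logon.
        return "unqualified image name, resolved via PATH"
    if path.startswith(TRUSTED_ROOTS):
        return None
    if "\\documents and settings\\" in path:
        return "image under a user profile"
    return "image outside Program Files and Windows"


def suspicious_autoruns(text):
    """Return (value name, image, reason) for every flagged Run entry in `text`."""
    findings = []
    for line in text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m:
            reason = classify_image(m.group("image"))
            if reason:
                findings.append((m.group("name"), m.group("image"), reason))
    return findings


if __name__ == "__main__":
    for name, image, reason in suspicious_autoruns(SAMPLE):
        print(f"{name}: {reason}\n    {image}")
```

On this sample the only user-profile hit is the Abacast node, and the bare RTHDCPL.EXE is reported because it is resolved by PATH search rather than by an absolute path. Both are leads rather than verdicts: Abacast appears in the installed-programs list earlier in this thread, so the flag tells you where to look, not what to delete.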

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.27.04

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

Owner :: YOUR-5E03CF73DE [administrator]

2/27/2012 2:45:09 PM

mbam-log-2012-02-27 (14-45-09).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 189832

Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I am still in Safe Mode w/Networking. Malwarebytes is still missing from the Desktop/toolbar, as is Avira Antivirus. Also, when I go to Start > All Programs I cannot run/access any of the programs as their icons/logos (?) have all been replaced by one that looks like a file with colored dots in front of a folder. It looked like this after I ran unhide.exe, prior to posting the requests for help. If I go to Program Files in the C drive most of the programs have a Folder icon, with the exception of Java, ATF Cleaner, RKill and a few others. So I still have to find/open MBAM from Windows Taskbar. Sorry, I am unable to post a screen capture as I don't seem to have the ability to do that either.

I also went into System Restore to try and see what their last restore point was (I did this prior to running ComboFix), but there is nothing referring to setting a restore point, or restore point dates although according to the Windows Help, we should easily be able to do this. So I didn't want to fiddle with that in case this bug was able to infect System Restore...

Thank you for your help.


That infection will hide all your files and folders; check the link below:

http://www.smartestc...ted-by-a-virus/

---------------

Please remove any USB or external drives from the computer before you run these scans!

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

-------------

Next..........

Please download and run RogueKiller.

Click Scan to scan the system (don't run any other options)

Post back the report.

MrC


(I did not check the Windows Defender box as you had not requested I do so).

Farbar Service Scanner Version: 22-02-2012

Ran by Owner (administrator) on 27-02-2012 at 17:00:07

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Nerwork

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

We already have RogueKiller downloaded from earlier but I'll download it again for the newest version and re-run and post back.

Thank you for your help.

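The FSS log above was produced in Safe Mode with Networking, where services outside the SafeBoot network list are not started, so "Service is not running" on its own says little (the DCOM 10005 errors earlier in the thread carry error %1084, ERROR_NOT_SAFEBOOT_SERVICE, which is the same thing). What is actionable is a configuration deviation, here BITS having its start type changed from Auto to Demand, or a file whose MD5 no longer matches. The following is an added example, not code from the thread or from FSS, that separates the two and emits the sc.exe command that restores the default start type; FSS_EXCERPT is copied from the log above, and treating any boot mode other than "Normal" as a safe-mode run is an assumption.

```python
"""Summarise a Farbar Service Scanner (FSS) log into actionable findings.

Added example; not code from the thread or from FSS. FSS_EXCERPT is copied
from the FSS log above. Treating any boot mode other than "Normal" as a
safe-mode run is an assumption.
"""
import re

BOOT_MODE = re.compile(r"^Boot Mode: (?P<mode>\w+)")
NOT_RUNNING = re.compile(r"^(?P<svc>\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (?P<svc>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.$"
)
FILE_CHECK = re.compile(r"^(?P<path>.+?) => (?P<state>.+)$")

# Copied from the FSS log in the thread (constructed sample input).
FSS_EXCERPT = r"""
Boot Mode: Nerwork

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
"""


def analyse_fss(text):
    """Split an FSS log into config deviations, stopped services and boot mode."""
    result = {"safe_mode": None, "not_running": [], "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = BOOT_MODE.match(line)
        if m:
            # Assumption: FSS labels a normal boot "Normal"; anything else is a safe-mode run.
            result["safe_mode"] = m.group("mode").lower() != "normal"
            continue
        m = START_TYPE.match(line)
        if m:
            result["findings"].append(
                (m.group("svc"), f"start type {m.group('actual')} (default {m.group('default')})")
            )
            continue
        m = NOT_RUNNING.match(line)
        if m:
            result["not_running"].append(m.group("svc"))
            continue
        m = FILE_CHECK.match(line)
        if m and m.group("state") != "MD5 is legit":
            result["findings"].append((m.group("path"), m.group("state")))
    return result


def repair_commands(text):
    """Build sc.exe commands that put each deviating start type back to its default."""
    cmds = []
    for line in text.splitlines():
        m = START_TYPE.match(line.strip())
        if m:
            # sc.exe wants the space after "start=" and a lowercase keyword.
            cmds.append(f"sc config {m.group('svc')} start= {m.group('default').lower()}")
    return cmds


if __name__ == "__main__":
    summary = analyse_fss(FSS_EXCERPT)
    print("safe mode:", summary["safe_mode"])
    print("stopped (expected in safe mode):", ", ".join(summary["not_running"]))
    for item, detail in summary["findings"]:
        print("finding:", item, detail)
    for cmd in repair_commands(FSS_EXCERPT):
        print("repair:", cmd)
```

On the excerpt the three stopped services are reported separately from the single real finding, and the repair list contains just `sc config BITS start= auto`, which is what the start-type deviation calls for once the machine is back in normal mode.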

Unfortunately unhide did not work, as it said

The C:\DOCUME~1\Owner\LOCALS~1\Temp\smtmp\ folder does not exist!!

I haven't cleaned out any temp folders, so I'm not sure why they're not there unless one of these programs did. I also tried the scripts he had posted in November 2011, but it still did not make a difference.

Here is the Rkill log.

RogueKiller V7.2.0 [02/27/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Safe mode with network support

User: Owner [Admin rights]

Mode: Scan -- Date: 02/27/2012 17:29:04

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 9 ¤¤¤

[SUSP PATH] HKCU\[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND

[SUSP PATH] HKUS\S-1-5-21-747832287-720386439-3837867810-1003[...]\Run : AbacastDistributedOnDemand:11 (C:\Documents and Settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1) -> FOUND

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HDT722516DLAT80 +++++

--- User ---

[MBR] 2de17797318da582eea1c6d0191a9ccd

[BSP] 785403c40b2e57190234204681ec45a9 : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 10683225 | Size: 151840 Mo

1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 5216 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

Getting started on the other instructions...

Thank you for your help.


Ok. I followed your instructions in post #10. Thanks. It looks like I can access System Restore.

Now that ERUNT is in the All Programs list it has the same little icon as the others but at least you can get to documentation etc. from there. Most programs you can't. i.e. MBAM > tools > (empty)

NOTE: I hope I correctly interpreted the post #10 directions as to only right-click and merge the two programs, not to click and run them.

Avira still not visible/accessible. Nothing shows in the Windows Security Center about any antivirus, i.e. active or WARNING: it's not active.

Here is the newest FSS log.

Farbar Service Scanner Version: 22-02-2012

Ran by Owner (administrator) on 27-02-2012 at 18:01:21

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Nerwork

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

Should I just do a System Restore from the date prior to the "properties" date of the fake System Check file and see if that brings their computer and settings back? I think the only program download would have been the annoying IE 8 installation.

I have to go now and won't have access to their computer until the a.m.

Thank you again for your continued help.


I really am going home after this post. :D

I downloaded WUS_Fix.exe: http://users.telenet...ols/WUS_Fix.exe to the desktop and clicked RUN. A black dialog box flashed and that was it. Nothing opened or asked me anything or any reports...I rebooted but there are no visible changes.

Here is the FSS scan log.

Farbar Service Scanner Version: 22-02-2012

Ran by Owner (administrator) on 27-02-2012 at 18:28:26

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Nerwork

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

Have a good night. Thank you again for your help.


The WUS_Fix.exe ran correctly.

--------------------------------------

You can also visit MS FixIt for solutions to some of your problems:

http://support.microsoft.com/fixit/

-------------------------------------

Please check these........

From the FSS log:

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Go to Start > Run > copy and paste services.msc > click OK

Double click on Background Intelligent Transfer Service

Make sure the Startup Type is set to Automatic

The Service Status should be Started

OK your way out.

-------------------------------------------

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

Do the same for COM+ Event System

Make sure it's Started and set to Manual

Let me know, MrC
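The checks MrC asks for above (BITS set to Automatic and started, COM+ Event System set to Manual and started) are the same configuration the FSS logs in this thread report on. The following script is an added example, not code from the thread, from Farbar Service Scanner or from Malwarebytes; it re-checks start type, ServiceDll and running state for those services, and hashes the binaries FSS lists. It uses only WMI, the registry and .NET so it runs on Windows XP with PowerShell 2.0. The expected-value table and the dllcache comparison are assumptions made for this example: FSS compares against its own list of known-good MD5s, which is not on this page, so the script instead compares each live file with its Windows File Protection copy in system32\dllcache.

```powershell
# Added example, not code from the thread, Farbar Service Scanner or Malwarebytes.
# Re-checks the service configuration the FSS logs report (start type, ServiceDll,
# running state) and the MD5 of the binaries FSS lists. Uses only WMI, the
# registry and .NET so it runs on Windows XP with PowerShell 2.0.
# Run from an elevated (administrator) PowerShell prompt.

# Expected configuration (assumption made for this example). Start modes are the
# XP defaults FSS refers to (BITS "Auto", EventSystem "Manual"); the ServiceDll
# paths are the ones the FSS logs print.
$ExpectedServices = @(
    @{ Name = 'wscsvc';      StartMode = 'Auto';   Dll = '%SystemRoot%\system32\wscsvc.dll' },
    @{ Name = 'wuauserv';    StartMode = 'Auto';   Dll = '%SystemRoot%\system32\wuauserv.dll' },
    @{ Name = 'BITS';        StartMode = 'Auto';   Dll = '%SystemRoot%\system32\qmgr.dll' },
    @{ Name = 'EventSystem'; StartMode = 'Manual'; Dll = '%SystemRoot%\system32\es.dll' }
)

# Files FSS hashes. Without FSS's list of known-good MD5s, this example compares
# each file with its Windows File Protection copy in system32\dllcache. That is a
# weaker check than a trusted hash list: dllcache may be missing, stale, or
# tampered with alongside the live file, so a match is not proof of integrity.
$CheckedFiles = @(
    '%SystemRoot%\system32\svchost.exe',
    '%SystemRoot%\system32\services.exe',
    '%SystemRoot%\system32\rpcss.dll',
    '%SystemRoot%\system32\es.dll',
    '%SystemRoot%\system32\qmgr.dll',
    '%SystemRoot%\system32\wuauserv.dll',
    '%SystemRoot%\system32\wscsvc.dll'
)

function Get-FileMd5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-ServiceConfig {
    param([hashtable]$Spec, [switch]$Fix)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($Spec.Name)'"
    if (-not $svc) { return "$($Spec.Name): service is MISSING" }
    $issues = @()

    # Start type: Win32_Service reports Auto / Manual / Disabled.
    if ($svc.StartMode -ne $Spec.StartMode) {
        $issues += "start type is $($svc.StartMode), expected $($Spec.StartMode)"
        if ($Fix) {
            $modeMap = @{ Auto = 'Automatic'; Manual = 'Manual' }
            Set-Service -Name $Spec.Name -StartupType $modeMap[$Spec.StartMode]
        }
    }

    # ServiceDll lives under the service's Parameters key. Expand %SystemRoot% on
    # both sides before comparing; -ne is case-insensitive for strings.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Spec.Name)\Parameters"
    $dll  = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $want = [Environment]::ExpandEnvironmentVariables($Spec.Dll)
    if (-not $dll) { $issues += 'ServiceDll value is missing' }
    elseif ([Environment]::ExpandEnvironmentVariables($dll) -ne $want) {
        $issues += "ServiceDll is '$dll', expected '$want'"
    }

    # Running state. Windows refuses to start these services in Safe Mode (as the
    # thread found), so a start is only attempted when SAFEBOOT_OPTION is unset.
    if ($svc.State -ne 'Running') {
        $issues += "state is $($svc.State)"
        if ($Fix -and -not $env:SAFEBOOT_OPTION) { Start-Service -Name $Spec.Name }
    }

    if ($issues.Count -eq 0) { return "$($Spec.Name): OK" }
    return "$($Spec.Name): " + ($issues -join '; ')
}

function Test-SystemFile {
    param([string]$File)
    $live  = [Environment]::ExpandEnvironmentVariables($File)
    $cacheDir = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\system32\dllcache')
    $cache = Join-Path $cacheDir (Split-Path -Leaf $live)
    if (-not (Test-Path $live))  { return "$live => MISSING" }
    if (-not (Test-Path $cache)) { return "$live => MD5 $(Get-FileMd5 $live) (no dllcache copy to compare)" }
    $a = Get-FileMd5 $live
    $b = Get-FileMd5 $cache
    if ($a -eq $b) { return "$live => MD5 $a matches dllcache copy" }
    return "$live => MD5 $a DIFFERS from dllcache copy $b"
}

# Report only; add -Fix to Test-ServiceConfig to apply the start type and start the service.
foreach ($spec in $ExpectedServices) { Test-ServiceConfig -Spec $spec }
foreach ($file in $CheckedFiles)     { Test-SystemFile -File $file }
```

Run it once in Safe Mode with Networking and once in Normal Mode, as the thread does with FSS: a service that reports "state is Stopped" only in Safe Mode is expected behaviour, while a wrong start type or an unexpected ServiceDll path in either mode is worth investigating before trusting the machine.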


Thank you for the Windows link. I haven't tried their solution(s) yet.

I tried to make the BITS and COM+ Event System change but I got a window saying they cannot be started in Safe Mode. So I rebooted in Normal Mode and made the changes. I noticed their Avira icon was back in the taskbar and I was able to open it. It said their firewall was off. When I clicked on the "balloon" in the taskbar to make the change, it said it couldn't make the change and I had to do it through the control panel, which I did.

I then went back to Safe Mode with Networking and opened services.msc again to see what Avira appeared as there. It says the service is stopped and not available in safe mode (although ComboFix detected it running?)

Also, Windows Security Center says it cannot be started in Safe Mode either which seems odd. I guess that is why it wouldn't tell me or allow me to check the firewall and/or antivirus.

I then rebooted and went back to Normal mode (I am going to use that term loosely at this moment ;) ) and I got a warning that the firewall was now off (again). I then went to Start to try and shut down/restart and the computer froze. I CTRL + ALT + DEL and the Taskbar was blank. The mouse pointer moved on its own and froze so I did a hard shut down and restarted in Safe Mode w/Networking to log in and post this. Are they still infected or are these residual problems? Should I boot in Normal Mode and run Avira/Malwarebytes???


I forgot to add that I did make the BITS and COM+ Event System changes in Normal Mode but when in Safe Mode they still say they are stopped.

Also, regarding my post #11, I wasn't yelling/complaining. This was a quote from the program windows results. I just didn't quote it properly.

"The C:\DOCUME~1\Owner\LOCALS~1\Temp\smtmp\ folder does not exist!!" Just in case anyone misinterpreted it.

We are really thankful for the help.


Here is the FSS from Safe Mode w/Networking. Everything was checked except for Windows Defender. Should I check that and run in Safe and or Normal Mode?

I'll run the other 2 and post back. Would you like me to also run and post an FSS from Normal Mode? With or without Windows Defender checked?

Farbar Service Scanner Version: 22-02-2012

Ran by Owner (administrator) on 28-02-2012 at 14:20:14

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Nerwork

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\Es.dll".

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

Thank you for your help!


Avira had no detections. A number of warnings that I have not had time to go through.

MBAM came up clean but took about twice as long to complete (7+ minutes). Not a complaint, just an observation.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.29.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: YOUR-5E03CF73DE [administrator]

2/28/2012 8:18:50 PM

mbam-log-2012-02-28 (20-18-50).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 191990

Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

**********************************************************************************

Farbar Service Scanner Version: 22-02-2012

Ran by Owner (administrator) on 28-02-2012 at 20:26:37

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x0A000000040000000100000002000000030000000A0000000900000005000000060000000700000008000000

IpSec Tag value is correct.

**** End of log ****

Gosh this is aggravating. We do appreciate the continued help!

Won't be back tonight. Not sure I can get to this computer tomorrow.


Well, the desktop icons are all a bit smaller than they used to be and the font sizes are about 4 pt. MBAM used to be on the desktop but no longer is visible but IE and some other programs are. The contents of websites (MBAM and bleepingcomputer) are all visible and "full screen" but really small and difficult to read.

I ran unhide in Normal Mode with Avira Free enabled and it detected a FakeHDD in the registry although MBAM and Avira Free scan came up clean prior to this. So maybe there is still something there??? It also took 29 minutes which seemed unusually long.

I ran it again with the internet connection and Avira Free real time protection disabled and it came up clean (no registry detection) but no temp file found. It only took 1+ minute this time. Unfortunately the new log seems to have written over the old one so I can't tell you what bad registry key was found.

I don't think Avira is functioning properly as it doesn't seem the access to the program is the same. I don't really know exactly how to explain that. It seems less user friendly and not the same accessibility to set it up.

The taskbar has changed. Some icons are missing, some are not. As the temp folder cannot be found (I guess ComboFix deleted the shortcuts), why are some still there?


I just ran another ESET w/Avira disabled and it came up clean. I closed out of the Internet, re-enabled Avira, and now when I go back on the Internet the web pages come up displayed normally. But I did not make any changes other than what I just wrote.

Please disregard the "I don't think Avira is functioning properly as it doesn't seem the access to the program is the same. I don't really know exactly how to explain that. It seems less user friendly and not the same accessibility to set it up." I have been staring at this too long :blush:

Should we consider this thread closed, and should I contact bleepingcomputer with my unhide questions/how to regain access to their programs?

Thank you for your help!

This topic is now closed to further replies.