Jump to content

Helped by Forum to Delete Rootkit.0Access.H - now what?


Recommended Posts

After running MalwareBytes several times, the sticky Rootkit.0Access.H trojan stuck on my Dad's Windows XP computer.

In safety mode, MalwareBytes came up clean, after running and deleting four trojans. I have all the Logs, and screenshots.

Following instructions here for the Rootkit.0Access.H trojan, first, I ran MalwareBytes with everything checked: A drive, C drive, D drive. I took out the usb part for the keyboard/mouse, but need it to click on things.

The virus was still there.

Also, I tried RogueKiller. It brought up a page in French, with Rootkit Max++ on the page.

I tried TDSSKiller, and ComboFix, as per these instructions:

http://forums.malwarebytes.org/index.php?showtopic=106088

ComboFix took over 20 minutes, including 2 boot ups where the resolution came up 600 X 480 and kept going . . .

Then I did a quick scan of Malware bytes, which took 3 minutes, and it came up 0 infected files - yay! But the D drive disappeared from the choices, so it appears to have been disconnected.

But I can still access the internet.

When I did Combofix, I followed the instructions to create the Windows restore feature.

Now, on my Dad's desktop is a file folder of RK_Quarantine, TDSSKiller, and ComboFix.

Should I run anything a 2nd time?

Should I delete the above, before running Malwarebytes?

Should I run anything in Safety mode?

In all the online advice about Rootkit.0Access.H, it never mentioned, Safety mode.

Thanx! :)

Link to post
Share on other sites

  • Replies 50
  • Created
  • Last Reply

Top Posters In This Topic

Hello and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explaination about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results.

    [*]Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Link to post
Share on other sites

Hi Elise,

Thanx so much for quick response! This is my father's computer - I am concerned to do it right!

Here follows the dds text report, with the attach zipped attached.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by William Timmons at 17:13:14 on 2012-04-14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1116 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\astsrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nlssrv32.exe

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\Program Files\iPod\bin\iPodService.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [TClockEx] c:\program files\tclockex\TCLOCKEX.EXE

uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctOTIwMjgwMTM0LUZQOSs2LU4xRisxLUJBUjlHKzEtVEI5KzItRkwrOS1GMTBNKzUtWDIwMTArMi1RSVgxKzQtRjEwTTEwRCsyLVNUMTBGQVBQKzEtRkwxMCsxLUREVCswLVRVRysz"&"prod=90"&"ver=10.0.1415

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\willia~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ecco32.lnk - c:\documents and settings\william timmons\my documents\computer\ecco installation\ecco pro\ecco\ecco32.exe

uPolicies-explorer: NoInstrumentation = 1

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266928257656

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: intelUsb3Sevices - usbniw32.dll

Notify: usbniw32 - usbniw32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-11-16 66560]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-12-4 793048]

S1 vxstwucp;vxstwucp;\??\c:\windows\system32\drivers\vxstwucp.sys --> c:\windows\system32\drivers\vxstwucp.sys [?]

S1 xcvtdxyv;xcvtdxyv;\??\c:\windows\system32\drivers\xcvtdxyv.sys --> c:\windows\system32\drivers\xcvtdxyv.sys [?]

S2 DivisCTS;CoachAud;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 GV600_4;Tfsnudf;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 mferkdk;Mbr;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 NEC Usb3;NEC USB3 Service;c:\windows\system32\svchost.exe -k NECUsb3s [2003-3-31 14336]

S2 pctfw1;Symantecantibotwatcher;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 regdefend;SE2Bobex;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 savrtpel;Dlbt_device;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S2 Slpsvdr;Diskperf;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-7 253600]

S3 maa950c;maa950c;c:\windows\system32\drivers\maa950c.sys [2010-2-23 24784]

S3 maa950m;maa950m;c:\windows\system32\drivers\maa950m.sys [2010-2-23 25044]

S3 maa950u;maa950u;c:\windows\system32\drivers\maa950u.sys [2010-2-23 49237]

.

=============== Created Last 30 ================

.

2012-04-13 23:17:31 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-13 23:15:42 -------- d-sha-r- C:\cmdcons

2012-04-13 23:14:08 98816 ----a-w- c:\windows\sed.exe

2012-04-13 23:14:08 518144 ----a-w- c:\windows\SWREG.exe

2012-04-13 23:14:08 256000 ----a-w- c:\windows\PEV.exe

2012-04-13 23:14:08 208896 ----a-w- c:\windows\MBR.exe

2012-04-13 22:11:51 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-11 13:27:22 38400 ----a-w- c:\windows\system32\usbniw32.dll

2012-04-10 18:18:35 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-10 18:18:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-07 09:10:13 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

2012-03-19 20:07:19 -------- d-sh--w- c:\documents and settings\william timmons\IECompatCache

.

==================== Find3M ====================

.

2012-04-13 22:13:09 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2012-04-07 09:10:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-10 00:29:33 544256 ----a-w- c:\windows\system32\AutoPartNt.exe

2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec

2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys

2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 17:13:48.70 ===============

Thank you again! :D

attach.zip

Link to post
Share on other sites

Hi again, lets do also an additional scan here.

OTL

-----

Please download OTL from one of the following mirrors:

[*]Save it to your desktop.

[*]Double click on the otlicon.png icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Copy and Paste the following code into the customscanfix.png textbox.

netsvcs

[*]Push runscan.png

[*]A report will open. Copy and Paste that report in your next reply.

Link to post
Share on other sites

Hi, Thanx. Here is the report:

OTL logfile created on: 4/16/2012 12:30:35 PM - Run 1

OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\William Timmons\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 67.57% Memory free

3.35 Gb Paging File | 2.99 Gb Available in Paging File | 89.20% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 211.93 Gb Free Space | 91.00% Space Free | Partition Type: NTFS

Computer Name: BILL_DESKTOP | User Name: William Timmons | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/16 12:29:28 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William Timmons\Desktop\OTL.exe

PRC - [2011/10/25 11:44:42 | 000,793,048 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

PRC - [2010/11/22 15:50:26 | 000,066,560 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\nlssrv32.exe

PRC - [2010/02/24 00:00:13 | 000,069,632 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

PRC - [2010/02/24 00:00:12 | 000,419,408 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

PRC - [2010/02/24 00:00:12 | 000,151,552 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/01/07 11:04:10 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\ASTSRV.EXE

PRC - [2007/12/16 20:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

PRC - [2007/01/19 20:13:32 | 000,344,064 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

PRC - [2007/01/10 20:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

PRC - [2004/09/16 05:39:44 | 000,069,632 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

========== Modules (No Company Name) ==========

MOD - [2012/04/11 06:27:22 | 000,038,400 | ---- | M] () -- C:\WINDOWS\system32\usbniw32.dll

MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2009/11/03 16:51:26 | 000,039,712 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ss_mdm.dll -- (winpowermonitor)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\btaudio.dll -- (vxsvc)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\eeyeevnt.dll -- (vds)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\OEM02Afx.dll -- (tversitymediaserver)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pdscheduler.dll -- (tabletservice)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\alcxwdm.dll -- (StickyMesger)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\Epiusb.dll -- (spcsutilityservice)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\iSMBIOS.dll -- (Slpsvdr)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\wltrysvc.dll -- (Sk99202k)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\mspqm.dll -- (sffp_sd)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ctljystk.dll -- (sbpci)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\Amsmpu4p.dll -- (savrtpel)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ctxhttp.dll -- (s117unic)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\rtl8023.dll -- (ROB_V)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pdlndldl.dll -- (regdefend)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\upperdev.dll -- (QWAVE)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\AmdLLD.dll -- (prohlp02)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SE2Cmdfl.dll -- (prism_a02)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SecureStorageService.dll -- (pdiddcci)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cpqfws2e.dll -- (pctfw1)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\bc_filter.dll -- (pcidrv)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\qbreminderflash.dll -- (ntrtscan)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\dot4scan.dll -- (nmwcdc)

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\usbnaw32.dll -- (NEC Usb3)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\padfsvr.dll -- (mxssvr)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\lxcd_device.dll -- (mferkdk)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\WUSB54GCSVC.dll -- (M2500)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\amdk7.dll -- (issvc)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\winvnc4.dll -- (iPassPeriodicUpdateService)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\symc810.dll -- (incdpass)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ZuneWlanCfgSvc.dll -- (GV600_4)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pdlnsv25.dll -- (DivisCTS)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\s616unic.dll -- (digirefresh)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ichaud.dll -- (cfosspeeds)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ibmfilter.dll -- (cebdaldr)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\mlkkbdntdriver.dll -- (carboniteservice)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cwafadmincontroller.dll -- (bmwebcfg)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\tfsncofs.dll -- (bc_ngn)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\MegaSR.dll -- (AVerBDA)

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\mxserver.dll -- (ar5211)

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)

SRV - [2012/04/07 02:10:13 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2011/10/25 11:44:42 | 000,793,048 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)

SRV - [2010/11/22 15:50:26 | 000,066,560 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\nlssrv32.exe -- (nlsX86cc)

SRV - [2010/02/24 00:00:12 | 000,151,552 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)

SRV - [2008/01/07 11:04:10 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\ASTSRV.EXE -- (astcc)

SRV - [2007/12/16 20:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)

SRV - [2007/01/10 20:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\xcvtdxyv.sys -- (xcvtdxyv)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\vxstwucp.sys -- (vxstwucp)

DRV - File not found [Kernel | Boot | Stopped] -- System32\DRIVERS\viamraid.sys -- (viamraid)

DRV - File not found [Kernel | Boot | Stopped] -- system32\Drivers\PxHelp20.sys -- (PxHelp20)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\nv4_mini.sys -- (nv)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\fetnd5.sys -- (FETNDIS)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\cmuda.sys -- (cmuda)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - [2010/02/24 00:00:11 | 000,211,520 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)

DRV - [2010/02/24 00:00:11 | 000,082,464 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snapman.sys -- (snapman)

DRV - [2010/02/24 00:00:11 | 000,028,896 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)

DRV - [2009/05/03 20:32:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2007/04/16 22:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)

DRV - [2007/01/17 20:03:18 | 000,049,237 | R--- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\maa950u.sys -- (maa950u)

DRV - [2007/01/15 20:44:46 | 000,011,986 | R--- | M] (Mobile Action Technology Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\MaVc2K.sys -- (MaVctrl)

DRV - [2005/08/17 20:44:50 | 000,049,867 | R--- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mardp2k.sys -- (MaRdPnp)

DRV - [2005/06/16 03:13:12 | 000,025,044 | R--- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\maa950m.sys -- (maa950m)

DRV - [2005/06/16 03:11:58 | 000,024,784 | R--- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\maa950c.sys -- (maa950c)

DRV - [2004/09/21 04:53:18 | 002,278,784 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)

DRV - [2003/07/02 05:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-796845957-1275210071-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-796845957-1275210071-839522115-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-796845957-1275210071-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC

IE - HKU\S-1-5-21-796845957-1275210071-839522115-1003\..\SearchScopes\{C475A1DF-29EE-4CBC-8E82-1314365DC409}: "URL" = http://search.avg.com/route/?d=4b3d2cf0&i=23&tp=chrome&q={searchTerms}&lng={language}&ychte=us&nt=1

IE - HKU\S-1-5-21-796845957-1275210071-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-796845957-1275210071-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

O1 HOSTS File: ([2012/04/13 16:33:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O3 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.

O3 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.

O3 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)

O4 - HKLM..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKU\S-1-5-21-796845957-1275210071-839522115-1003..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)

O4 - HKU\S-1-5-21-796845957-1275210071-839522115-1003..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE (Dale Nurden)

O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ecco32.lnk = C:\Documents and Settings\William Timmons\My Documents\Computer\ECCO Installation\Ecco Pro\ECCO\ecco32.exe (NetManage, Inc.)

O4 - Startup: C:\Documents and Settings\William Timmons\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (Sony Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: DisableCAD = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0

O7 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-796845957-1275210071-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266928257656 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5090652B-9888-4256-BA59-CA694EEC5FC9}: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\intelUsb3Sevices: DllName - (usbniw32.dll) - C:\WINDOWS\System32\usbniw32.dll ()

O20 - Winlogon\Notify\usbniw32: DllName - (usbniw32.dll) - C:\WINDOWS\System32\usbniw32.dll ()

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/02/21 08:35:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: cfosspeeds - %systemroot%\system32\ichaud.dll File not found

NetSvcs: spcsutilityservice - %systemroot%\system32\Epiusb.dll File not found

NetSvcs: sbpci - %systemroot%\system32\ctljystk.dll File not found

NetSvcs: pdiddcci - %systemroot%\system32\SecureStorageService.dll File not found

NetSvcs: ar5211 - %systemroot%\system32\mxserver.dll File not found

NetSvcs: Slpsvdr - %systemroot%\system32\iSMBIOS.dll File not found

NetSvcs: StickyMesger - %systemroot%\system32\alcxwdm.dll File not found

NetSvcs: ntrtscan - %systemroot%\system32\qbreminderflash.dll File not found

NetSvcs: bc_ngn - %systemroot%\system32\tfsncofs.dll File not found

NetSvcs: s117unic - %systemroot%\system32\ctxhttp.dll File not found

NetSvcs: AVerBDA - %systemroot%\system32\MegaSR.dll File not found

NetSvcs: tabletservice - %systemroot%\system32\pdscheduler.dll File not found

NetSvcs: nmwcdc - %systemroot%\system32\dot4scan.dll File not found

NetSvcs: ROB_V - %systemroot%\system32\rtl8023.dll File not found

NetSvcs: sffp_sd - %systemroot%\system32\mspqm.dll File not found

NetSvcs: prohlp02 - %systemroot%\system32\AmdLLD.dll File not found

NetSvcs: iPassPeriodicUpdateService - %systemroot%\system32\winvnc4.dll File not found

NetSvcs: cebdaldr - %systemroot%\system32\ibmfilter.dll File not found

NetSvcs: prism_a02 - %systemroot%\system32\SE2Cmdfl.dll File not found

NetSvcs: M2500 - %systemroot%\system32\WUSB54GCSVC.dll File not found

NetSvcs: incdpass - %systemroot%\system32\symc810.dll File not found

NetSvcs: pcidrv - %systemroot%\system32\bc_filter.dll File not found

NetSvcs: DivisCTS - %systemroot%\system32\pdlnsv25.dll File not found

NetSvcs: vds - %systemroot%\system32\eeyeevnt.dll File not found

NetSvcs: carboniteservice - %systemroot%\system32\mlkkbdntdriver.dll File not found

NetSvcs: savrtpel - %systemroot%\system32\Amsmpu4p.dll File not found

NetSvcs: mxssvr - %systemroot%\system32\padfsvr.dll File not found

NetSvcs: issvc - %systemroot%\system32\amdk7.dll File not found

NetSvcs: mferkdk - %systemroot%\system32\lxcd_device.dll File not found

NetSvcs: regdefend - %systemroot%\system32\pdlndldl.dll File not found

NetSvcs: vxsvc - %systemroot%\system32\btaudio.dll File not found

NetSvcs: tversitymediaserver - %systemroot%\system32\OEM02Afx.dll File not found

NetSvcs: bmwebcfg - %systemroot%\system32\cwafadmincontroller.dll File not found

NetSvcs: pctfw1 - %systemroot%\system32\cpqfws2e.dll File not found

NetSvcs: digirefresh - %systemroot%\system32\s616unic.dll File not found

NetSvcs: Sk99202k - %systemroot%\system32\wltrysvc.dll File not found

NetSvcs: QWAVE - %systemroot%\system32\upperdev.dll File not found

NetSvcs: GV600_4 - %systemroot%\system32\ZuneWlanCfgSvc.dll File not found

NetSvcs: winpowermonitor - %systemroot%\system32\ss_mdm.dll File not found

NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/04/16 12:29:26 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\William Timmons\Desktop\OTL.exe

[2012/04/13 16:15:42 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2012/04/13 16:14:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2012/04/13 16:14:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2012/04/13 16:14:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2012/04/13 16:14:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2012/04/13 16:14:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2012/04/13 16:13:58 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/04/13 16:13:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\William Timmons\Start Menu\Programs\Administrative Tools

[2012/04/13 16:11:41 | 004,461,135 | R--- | C] (Swearware) -- C:\Documents and Settings\William Timmons\Desktop\ComboFix.exe

[2012/04/13 15:11:51 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2012/04/13 14:54:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William Timmons\Desktop\MalwareBytesReports

[2012/04/13 14:52:10 | 002,071,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\William Timmons\Desktop\tdsskiller.exe

[2012/04/13 14:47:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William Timmons\Desktop\RK_Quarantine

[2012/04/11 01:45:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer

[2012/04/10 23:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2012/04/10 12:29:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\William Timmons\Recent

[2012/04/10 11:18:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/04/10 11:18:35 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/04/10 11:18:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/04/09 23:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2012/04/09 23:23:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2012/04/07 02:10:13 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2012/04/02 16:19:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William Timmons\Application Data\FileZilla

[2012/03/31 17:47:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple

[2012/03/25 07:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\William Timmons\My Documents\Forum

[2012/03/19 13:07:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\William Timmons\IECompatCache

========== Files - Modified Within 30 Days ==========

[2012/04/16 12:29:28 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William Timmons\Desktop\OTL.exe

[2012/04/16 12:28:52 | 000,001,516 | ---- | M] () -- C:\WINDOWS\ECCO.CFX

[2012/04/16 12:28:52 | 000,001,356 | ---- | M] () -- C:\WINDOWS\ecco.fdb

[2012/04/16 12:28:45 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/04/16 12:27:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/04/16 11:06:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2012/04/15 12:53:48 | 000,571,060 | ---- | M] () -- C:\WINDOWS\ecco.alm

[2012/04/14 17:26:28 | 000,004,265 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\attach.zip

[2012/04/14 17:08:36 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/04/13 16:33:58 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2012/04/13 16:15:46 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2012/04/13 16:11:41 | 004,461,135 | R--- | M] (Swearware) -- C:\Documents and Settings\William Timmons\Desktop\ComboFix.exe

[2012/04/13 15:27:02 | 000,000,536 | ---- | M] () -- C:\WINDOWS\tasks\RMSmartUpdate.job

[2012/04/13 14:52:10 | 002,071,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\William Timmons\Desktop\tdsskiller.exe

[2012/04/11 06:31:57 | 000,115,686 | ---- | M] () -- C:\WINDOWS\System32\itldvupd.dat

[2012/04/11 06:31:57 | 000,000,198 | ---- | M] () -- C:\WINDOWS\System32\itlsvc.dat

[2012/04/11 06:27:22 | 000,038,400 | ---- | M] () -- C:\WINDOWS\System32\usbniw32.dll

[2012/04/10 22:37:43 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\William Timmons\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk

[2012/04/10 22:01:42 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif

[2012/04/10 16:58:01 | 000,462,156 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/04/10 16:58:01 | 000,078,484 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/04/10 12:05:31 | 000,000,300 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\FNB.url

[2012/04/10 11:43:10 | 000,000,195 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Juniper.url

[2012/04/10 11:18:42 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/04/10 11:15:51 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\William Timmons\Application Data\Microsoft\Internet Explorer\Quick Launch\Google.url

[2012/04/09 23:39:16 | 000,000,206 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\CNN.url

[2012/04/09 21:14:59 | 000,000,731 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Jetnet.url

[2012/04/09 21:13:54 | 000,000,183 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\NOAA's Weather.url

[2012/04/09 16:20:20 | 000,000,244 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\UAL Reservation.url

[2012/04/09 15:36:16 | 000,000,193 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\UAL Interline Listing.url

[2012/04/09 12:05:24 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2012/04/07 02:10:13 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2012/04/07 02:10:13 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2012/04/06 19:20:29 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Netflix.url

[2012/04/06 00:21:11 | 000,000,158 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\CME Group Holiday Calendar.url

[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/04/04 14:59:02 | 000,000,194 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Science News - The New York Times.url

[2012/04/04 14:11:29 | 000,000,322 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\U.S. Surface Weather.url

[2012/04/02 17:17:50 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2012/03/31 19:02:40 | 001,179,233 | ---- | M] () -- C:\Documents and Settings\William Timmons\My Documents\Gmail - Inbox - espressocloud@gmail_com.mht

[2012/03/31 17:47:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2012/03/27 11:10:01 | 000,000,285 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Sigalert.com Los Angeles Traffic Map.url

[2012/03/21 22:28:50 | 000,000,210 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Powerball Wed Sat.url

[2012/03/20 16:30:05 | 000,000,264 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Chase.url

[2012/03/20 09:34:19 | 000,000,379 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\switch box.url

[2012/03/19 21:31:11 | 000,000,282 | ---- | M] () -- C:\Documents and Settings\William Timmons\Desktop\Current night sky LA.url

[2012/03/19 17:52:45 | 000,008,192 | ---- | M] () -- C:\Documents and Settings\William Timmons\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2012/04/14 17:26:28 | 000,004,265 | ---- | C] () -- C:\Documents and Settings\William Timmons\Desktop\attach.zip

[2012/04/13 16:15:46 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2012/04/13 16:15:42 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2012/04/13 16:14:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2012/04/13 16:14:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2012/04/13 16:14:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2012/04/13 16:14:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2012/04/13 16:14:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2012/04/11 06:31:57 | 000,115,686 | ---- | C] () -- C:\WINDOWS\System32\itldvupd.dat

[2012/04/11 06:31:57 | 000,000,198 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat

[2012/04/11 06:27:22 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\usbniw32.dll

[2012/04/10 11:18:42 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/04/09 23:37:09 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/04/07 02:10:14 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2012/04/06 00:21:11 | 000,000,158 | ---- | C] () -- C:\Documents and Settings\William Timmons\Desktop\CME Group Holiday Calendar.url

[2012/04/04 14:51:31 | 000,000,194 | ---- | C] () -- C:\Documents and Settings\William Timmons\Desktop\Science News - The New York Times.url

[2012/03/31 19:02:35 | 001,179,233 | ---- | C] () -- C:\Documents and Settings\William Timmons\My Documents\Gmail - Inbox - espressocloud@gmail_com.mht

[2012/03/22 20:09:55 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\William Timmons\Desktop\Netflix.url

[2012/03/21 22:28:30 | 000,000,210 | ---- | C] () -- C:\Documents and Settings\William Timmons\Desktop\Powerball Wed Sat.url

[2012/03/20 14:32:13 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2012/03/20 09:34:19 | 000,000,379 | ---- | C] () -- C:\Documents and Settings\William Timmons\Desktop\switch box.url

[2012/02/14 14:44:36 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/12/04 08:26:54 | 000,037,336 | ---- | C] () -- C:\WINDOWS\System32\CleanMFT32.exe

[2011/11/14 19:28:12 | 000,119,384 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2011/11/14 18:53:07 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\William Timmons\Application Data\.backup.dm

[2010/09/13 06:44:36 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010/07/20 11:39:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\William Timmons\Local Settings\Application Data\prvlcl.dat

[2010/07/02 15:10:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\FileMgrExe.INI

< End of report >

Link to post
Share on other sites

Here is a 2nd text file which opened, called: Extras.Txt:

OTL Extras logfile created on: 4/16/2012 12:30:35 PM - Run 1

OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\William Timmons\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.01 Gb Available Physical Memory | 67.57% Memory free

3.35 Gb Paging File | 2.99 Gb Available in Paging File | 89.20% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 211.93 Gb Free Space | 91.00% Space Free | Partition Type: NTFS

Computer Name: BILL_DESKTOP | User Name: William Timmons | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\TeamViewer\Version7\TeamViewer.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)

"C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java 6 Update 29

"{30BB4D60-81DB-11D5-BB77-00400536ABAC}" = OLYMPUS CAMEDIA Master 4.1

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver

"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A918DE8A-98C8-0920-0001-000000000000}" = Multimedia Samples

"{A918DE8A-98C8-0950-0000-000000320129}" = Samsung R500 Hue USB - Handset Manager V9.5

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Picture Package Music Transfer

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility

"{E9AE9A91-AB45-4321-87BD-AD34855D944F}" = Chessmaster 10th Edition

"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio

"7-Zip" = 7-Zip 9.20

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"ATCTrader Demo_is1" = ATCTrader Demo 3.5

"ATCTrader_is1" = ATCTrader 3.5

"CCleaner" = CCleaner

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"ECCO Pro" = NetManage ECCO Pro

"ECCO Pro Documentation" = NetManage ECCO Pro Documentation

"EPSON Scanner" = EPSON Scan

"EPSON Stylus NX400 Series" = EPSON Stylus NX400 Series Printer Uninstall

"Icon Restore_is1" = Icon Restore 1.0

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"InstallShield_{E9AE9A91-AB45-4321-87BD-AD34855D944F}" = Chessmaster 10th Edition

"Logitech Unifying" = Logitech Unifying Software 2.00

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NeroMultiInstaller!UninstallKey" = Nero Suite

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers

"OEC Chart Package Demo_is1" = OEC Chart Package Demo 3.5

"OEC Chart Package_is1" = OEC Chart Package 3.5

"OEC Excel Add-In_is1" = OEC Excel Add-In 3.3

"OEC Market Replay Demo_is1" = OEC Market Replay Demo 3.5

"OEC Market Replay_is1" = OEC Market Replay 3.5

"OEC RSS News Feed Demo_is1" = OEC RSS News Feed Demo 3.5

"OEC RSS News Feed_is1" = OEC RSS News Feed 3.5

"Registry Mechanic_is1" = PC Tools Registry Mechanic 11.0

"TClockEx_is1" = TClockEx

"TeamViewer 7" = TeamViewer 7

"TrueImage" = Acronis True Image

"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 4/16/2012 1:43:44 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:43:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:04 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:14 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:24 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:34 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:45 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:45:05 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 2:06:23 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

[ Application Events ]

Error - 4/16/2012 1:43:44 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:43:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:04 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:14 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:24 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:34 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:45 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:44:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 1:45:05 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

Error - 4/16/2012 2:06:23 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description =

[ System Events ]

Error - 4/16/2012 1:43:44 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:43:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:04 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:14 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:24 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:34 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:45 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:45:05 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 2:06:23 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

[ System Events ]

Error - 4/16/2012 1:43:44 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:43:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:04 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:14 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:24 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:34 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:45 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:44:54 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 1:45:05 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

Error - 4/16/2012 2:06:23 PM | Computer Name = BILL_DESKTOP | Source = Service Control Manager | ID = 7023

Description = The NEC USB3 Service service terminated with the following error:

%%126

< End of report >

Link to post
Share on other sites

Hi again, lets do some additional cleanup. :)

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlicon.png on your desktop.
  2. Copy and Paste the following code into the customscanfix.png textbox.
    :otl
    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\xcvtdxyv.sys -- (xcvtdxyv)
    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\vxstwucp.sys -- (vxstwucp)
    SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\usbnaw32.dll -- (NEC Usb3)
    O20 - Winlogon\Notify\intelUsb3Sevices: DllName - (usbniw32.dll) - C:\WINDOWS\System32\usbniw32.dll ()
    O20 - Winlogon\Notify\usbniw32: DllName - (usbniw32.dll) - C:\WINDOWS\System32\usbniw32.dll ()

    :commands
    [emptytemp]


  3. Push runfix.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click the OK button.
  6. A report will open. Copy and Paste that report in your next reply.

Let me know how things are running afterwards (its late here, so I'll reply back to you tomorrow morning my time zone :)).

Link to post
Share on other sites

OK. I'll expect to hear from you in the middle of my night! LOL. Here is the report:

All processes killed

========== OTL ==========

Service xcvtdxyv stopped successfully!

Service xcvtdxyv deleted successfully!

File C:\WINDOWS\system32\drivers\xcvtdxyv.sys not found.

Service vxstwucp stopped successfully!

Service vxstwucp deleted successfully!

File C:\WINDOWS\system32\drivers\vxstwucp.sys not found.

Service NEC Usb3 stopped successfully!

Service NEC Usb3 deleted successfully!

File C:\WINDOWS\system32\usbnaw32.dll not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\intelUsb3Sevices\ deleted successfully.

C:\WINDOWS\system32\usbniw32.dll moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\usbniw32\ deleted successfully.

File C:\WINDOWS\System32\usbniw32.dll not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41620 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->Java cache emptied: 13309 bytes

->Flash cache emptied: 47052 bytes

User: William Timmons

->Temp folder emptied: 1396 bytes

->Temporary Internet Files folder emptied: 3178322 bytes

->Java cache emptied: 2319948 bytes

->Flash cache emptied: 42761 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 483 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 246831 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb

OTL by OldTimer - Version 3.2.39.2 log created on 04162012_132141

Files\Folders moved on Reboot...

C:\Documents and Settings\William Timmons\Local Settings\Temporary Internet Files\Content.IE5\QAG9C02N\fastbutton[1].htm moved successfully.

C:\Documents and Settings\William Timmons\Local Settings\Temporary Internet Files\Content.IE5\E1N0GAM8\index[1].php moved successfully.

C:\Documents and Settings\William Timmons\Local Settings\Temporary Internet Files\Content.IE5\1JGXA6BY\s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM[1].eot moved successfully.

Registry entries deleted on Reboot...

Link to post
Share on other sites

Hi, Thanx so much!

Good News: the "D" drive is back.

Bad News: when I scroll on the browser window, a ripple floats from the direction of scroll all the way down, just like water. It is distracting. You can't read like that, that a wave works its way, distorting the page like a wave, every time you scroll up or down.

Link to post
Share on other sites

Oh! It took only 27 minutes! That was fast! Here is a screen grab of the one infection, attached, and the log:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.10.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

William Timmons :: BILL_DESKTOP [administrator]

4/17/2012 6:47:13 AM

mbam-log-2012-04-17 (06-47-13).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 286830

Time elapsed: 26 minute(s), 54 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\TDSSKiller_Quarantine\13.04.2012_15.10.05\rtkt0000\zafs0000\tsk0002.dta (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

post-96106-0-27666600-1334672561.jpg

Link to post
Share on other sites

Thats nothing to worry about! :)

What about the browser scroll problem (see my question in last post)?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.png
      icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.