ZeroAccess Possible Issues

Holt · Jan 7, 2013

Hi, I was infected with ZeroAccess yesterday, and I have detailed all of my work above as well as findings. If you need any other logs, I would be happy to provide them as well. I just want to make sure that my computer is healthy again and avoid a Windows Reinstallation.

Thanks!

Holt

Fiery · Jan 7, 2013

Hi and welcome to MalwareTips!

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
The absence of symptoms does not mean your PC is fully disinfected.
If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>

Download OTL by Old Timer from here and save it to your Desktop.

Double click on OTL.exe to run it.
Click the Scan All Users checkbox.
Change Standard Registry to All
Check the boxes beside LOP Check and Purity Check
Click on Quick Scan at the top left hand corner.
When done, two Notepad files will open.
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.

Holt · Jan 7, 2013

Hi Fiery, and thanks for your willingness to help with my computer issues!

I would like you to know that the desktop logs that I have posted might also have a possible Google Redirect TDSS Virus. I have been having trouble with my Internet connections from time to time in the last couple of months on both this desktop and my laptop. Both computers have the same result when scanning with RKILL.

Checking Windows Service Integrity:
* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

It is possible that I have removed the ZeroAccess problem but had an underlying svchost problem all along. Hopefully, we can figure everything out with these 2 logs and whatever other info you need. Thanks!

Below are the OTL and Extras text files you requested:

OTL logfile created on: 1/7/2013 11:02:06 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\David\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.24% Memory free
3.85 Gb Paging File | 3.49 Gb Available in Paging File | 90.71% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.32 Gb Total Space | 44.74 Gb Free Space | 65.48% Space Free | Partition Type: NTFS

Computer Name: YADDLE | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/07 19:38:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/12/05 11:12:02 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\UpdateService.exe
PRC - [2012/11/28 17:03:46 | 003,267,072 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\SafeEyes.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/10/28 19:02:02 | 000,056,952 | ---- | M] (Ipswitch) -- C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
PRC - [2009/11/11 10:21:38 | 000,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/03/11 23:00:30 | 000,135,168 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
PRC - [2004/03/11 23:00:30 | 000,090,112 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
PRC - [2003/12/11 11:30:00 | 000,049,152 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
PRC - [2002/08/07 06:34:26 | 000,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\intel\ASF Agent\ASFAgent.exe

========== Modules (No Company Name) ==========

MOD - [2012/12/05 11:10:56 | 002,397,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/02/17 19:55:35 | 000,166,912 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/10/28 18:55:42 | 006,551,672 | ---- | M] () -- C:\Program Files\Ipswitch\WS_FTP 12\res0409.dll
MOD - [2010/10/28 18:52:36 | 000,948,496 | ---- | M] () -- C:\Program Files\Ipswitch\WS_FTP 12\libeay32.dll
MOD - [2010/10/28 18:52:36 | 000,153,360 | ---- | M] () -- C:\Program Files\Ipswitch\WS_FTP 12\ssleay32.dll

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/12/11 17:50:36 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/05 11:12:01 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) [Auto | Running] -- C:\Program Files\Internet Content Filter\UpdateService.exe -- (seUpdateSvc)
SRV - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) [Auto | Running] -- C:\Program Files\Internet Content Filter\UpdateService.exe -- (mfeicfupdate)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/11/11 10:21:38 | 000,583,640 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2004/10/15 09:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand | Stopped] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)
SRV - [2004/03/11 23:00:30 | 000,135,168 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe -- (DLSDB)
SRV - [2004/03/11 23:00:30 | 000,090,112 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe -- (DLPWD)
SRV - [2003/12/11 11:30:00 | 000,049,152 | ---- | M] (ATI Technologies, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe -- (FGLRYUtil)
SRV - [2002/08/07 06:34:26 | 000,221,184 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
SRV - [2002/07/30 17:15:24 | 001,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc3.sys -- (RkPavproc3)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc2.sys -- (RkPavproc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc1.sys -- (RkPavproc1)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\egus.sys -- (nstnxxc)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\David\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\BW2NDIS5.sys -- (BW2NDIS5)
DRV - [2013/01/07 23:00:02 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F872536-F906-4EB4-A6FE-AA2F4F0C1067}\MpKsl4e240d2f.sys -- (MpKsl4e240d2f)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2010/11/09 13:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SBREDrv.sys -- (SBRE)
DRV - [2008/04/13 13:40:51 | 000,008,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\dlttape.sys -- (dlttape)
DRV - [2008/01/26 06:50:20 | 000,194,320 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys -- (KLIF)
DRV - [2004/10/15 09:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RCFOX.SYS -- (RCFOX)
DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/05/14 16:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dne2000.sys -- (DNE)
DRV - [2004/01/22 01:54:23 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2004/01/22 01:54:23 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2004/01/22 01:54:23 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/01/22 01:54:23 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/12/11 08:56:40 | 000,630,272 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2003/11/20 12:03:06 | 000,009,728 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\QntmDLT.sys -- (QntmDLT)
DRV - [2003/08/20 13:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\rcvpn.sys -- (rcvpn)
DRV - [2003/03/27 11:58:56 | 000,287,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/03/26 16:33:58 | 000,498,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctaud2k.sys -- (ctaud2k)
DRV - [2003/03/26 16:32:32 | 000,189,504 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
DRV - [2003/03/26 16:32:02 | 000,141,536 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hap16v2k.sys -- (hap16v2k)
DRV - [2003/03/26 16:31:40 | 000,823,616 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/03/06 10:10:34 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfmodnt.sys -- (PfModNT)
DRV - [2003/02/20 17:24:46 | 000,116,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\emupia2k.sys -- (emupia)
DRV - [2003/02/20 17:24:34 | 000,135,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/02/20 17:24:18 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctprxy2k.sys -- (ctprxy2k)
DRV - [2003/02/20 17:22:38 | 000,135,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctac32k.sys -- (ctac32k)
DRV - [2002/12/17 13:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 13:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 13:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/08/29 14:29:12 | 000,036,096 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMMPI.SYS -- (symmpi)
DRV - [2002/07/30 17:15:40 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NMSCFG.SYS -- (NMSCFG)
DRV - [2002/05/07 17:06:36 | 000,023,744 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\platalrt.sys -- (PlatAlrt)
DRV - [2002/05/07 17:05:56 | 000,039,680 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Netalrt.sys -- (NetAlrt)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\SearchScopes,DefaultScope = {C1046C13-D6E3-4AA1-ADF6-319BB623E49D}
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\SearchScopes\{C1046C13-D6E3-4AA1-ADF6-319BB623E49D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.christcenteredmall.com/stores/art/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=101067&mntrId=00fd53e7000000000000000d56c1db42&q="
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/09/14 22:42:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/05 11:12:03 | 000,000,000 | ---D | M]

[2011/03/22 16:31:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Extensions
[2012/12/15 15:34:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions
[2012/12/15 15:34:25 | 000,804,627 | ---- | M] () (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/12/05 11:10:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/05 11:12:03 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 14:25:05 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/21 09:26:34 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google

riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Download Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: Gmail = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2008/04/14 14:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {430DDB4F-38CC-4E91-AF33-4157334EC937} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O4 - HKLM..\Run: [ICF] C:\Program Files\Internet Content Filter\SafeEyes.exe (InternetSafety.com, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download with &Media Finder - C:\Program Files\VideoLAN\Media Finder\hook.html File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: cj.com ([members] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: cj.com ([signup] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: cj.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: findwhat.com ([secure] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: kanoodle.com ([safe] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: linkshare.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: overture.com ([secure] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: shareasale.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Ranges: Range32 ([https] in Trusted sites)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} http://housecall60.trendmicro.com/housecall/xscan60.cab (HouseCall Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1345029211828 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348617615734 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} http://www.microsoft.com/security/controls/SassCln.CAB (SassCln Object)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C20CC9F1-1414-49A9-9A3A-122B89C617F6}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 14:36:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/07 19:37:44 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
[2013/01/07 19:22:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/01/07 16:05:27 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/01/07 14:24:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/01/07 03:33:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Application Data\ElevatedDiagnostics
[2013/01/07 03:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2013/01/07 03:32:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2013/01/07 02:38:33 | 000,000,000 | ---D | C] -- C:\ReimageUndo
[2013/01/06 23:58:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2013/01/06 23:58:39 | 000,000,000 | ---D | C] -- C:\rei
[2013/01/06 23:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2013/01/06 23:09:30 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/01/06 21:38:28 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2013/01/06 21:33:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2013/01/06 21:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/01/06 21:33:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2013/01/06 21:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\roigguer
[2013/01/06 20:29:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/01/06 20:27:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/01/06 20:27:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/01/06 20:27:44 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/01/06 20:27:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/01/06 20:27:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2013/01/06 20:27:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2013/01/06 20:26:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/01/06 20:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\fffu
[2013/01/06 17:57:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
[2013/01/06 04:20:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\David\Recent
[2012/12/13 05:26:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\web page patches
[2012/12/10 12:21:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Ipswitch WS_FTP 12
[2012/12/10 12:21:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ipswitch
[2012/12/10 12:21:20 | 000,000,000 | ---D | C] -- C:\Program Files\Ipswitch
[2012/12/09 20:22:09 | 001,754,528 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\David\Desktop\rkill.com
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/07 22:59:50 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
[2013/01/07 22:59:46 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
[2013/01/07 22:59:43 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/07 22:59:42 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2013/01/07 22:50:02 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/07 22:24:05 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/07 19:38:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
[2013/01/07 14:46:51 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/01/07 14:36:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2013/01/07 14:36:37 | 2146,508,800 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/07 03:32:46 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/07 03:22:26 | 000,546,744 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/01/07 03:08:38 | 000,000,550 | ---- | M] () -- C:\WINDOWS\System32\reimage.rep
[2013/01/07 03:08:33 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.bak
[2013/01/07 03:00:42 | 000,000,179 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2013/01/07 02:38:34 | 000,009,216 | ---- | M] () -- C:\WINDOWS\System32\Native.exe
[2013/01/06 23:58:48 | 000,001,749 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Scan & Repair by Reimage.lnk
[2013/01/06 23:09:49 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/01/06 21:48:20 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2013/01/06 21:33:42 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/01/06 20:29:19 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2013/01/05 20:57:50 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Word.lnk
[2013/01/03 01:58:22 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2012/12/21 02:04:30 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/12/16 15:06:03 | 000,444,870 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.old
[2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/13 12:59:44 | 000,027,584 | ---- | M] () -- C:\Documents and Settings\David\Desktop\kissing-the-face-of-god-pewter-frame.jpg
[2012/12/13 05:28:40 | 000,002,359 | ---- | M] () -- C:\Documents and Settings\David\Desktop\Notepad.lnk
[2012/12/11 18:59:06 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/12/11 18:35:54 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Memorize His Word.lnk
[2012/12/11 01:04:00 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\David\Desktop\ideass.bmp
[2012/12/10 15:52:34 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\David\Desktop\idea-buttons.bmp
[2012/12/10 12:21:34 | 000,001,612 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FTP.lnk
[2012/12/10 11:16:34 | 000,053,016 | ---- | M] () -- C:\Documents and Settings\David\Desktop\kissing-the-face-of-god-gold-frame.jpg
[2012/12/09 19:27:36 | 001,754,528 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\David\Desktop\rkill.com
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/07 13:53:53 | 2146,508,800 | -HS- | C] () -- C:\hiberfil.sys
[2013/01/07 03:08:33 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\reimage.rep
[2013/01/07 03:03:18 | 000,001,992 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2013/01/07 03:03:18 | 000,001,605 | ---- | C] () -- C:\Documents and Settings\David\Start Menu\Programs\Remote Assistance.lnk
[2013/01/07 03:03:18 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2013/01/07 03:03:18 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\David\Start Menu\Programs\Outlook Express.lnk
[2013/01/07 03:00:46 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/01/07 02:38:34 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\Native.exe
[2013/01/06 23:58:49 | 000,000,179 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2013/01/06 23:58:48 | 000,001,749 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Scan & Repair by Reimage.lnk
[2013/01/06 23:19:42 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/01/06 23:09:43 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/01/06 21:33:42 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/01/06 20:29:19 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/01/06 20:29:16 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/01/06 20:27:44 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/01/06 20:27:44 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/01/06 20:27:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/01/06 20:27:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/01/06 20:27:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/12/13 12:59:44 | 000,027,584 | ---- | C] () -- C:\Documents and Settings\David\Desktop\kissing-the-face-of-god-pewter-frame.jpg
[2012/12/11 01:04:00 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\David\Desktop\ideass.bmp
[2012/12/10 15:52:33 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\David\Desktop\idea-buttons.bmp
[2012/12/10 12:21:34 | 000,001,612 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FTP.lnk
[2012/12/10 11:16:30 | 000,053,016 | ---- | C] () -- C:\Documents and Settings\David\Desktop\kissing-the-face-of-god-gold-frame.jpg
[2012/04/26 16:50:30 | 000,178,257 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\census.cache
[2012/04/26 16:50:28 | 000,199,016 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\ars.cache
[2012/04/26 16:31:27 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\housecall.guid.cache
[2012/02/16 11:52:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/09 08:33:07 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\vincqb.sys
[2012/02/07 11:59:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\RussSqr.INI
[2012/01/18 12:24:32 | 000,107,280 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2012/01/02 02:49:08 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/03/22 16:31:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/28 01:02:42 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\David\Cache.db
[2009/10/03 11:04:19 | 000,008,627 | ---- | C] () -- C:\Documents and Settings\David\PAV_FOG.OPC
[2005/09/06 15:49:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\David\WebProxy.ini
[2004/02/03 11:27:42 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2009/05/31 18:59:08 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/01/06 17:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
[2008/01/28 11:52:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Backup
[2013/01/06 21:38:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/12/06 17:13:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Internet Content Filter
[2008/01/28 11:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\sentinel
[2012/09/26 18:55:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2012/09/26 18:53:58 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936}
[2011/11/24 03:00:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Desktop Maestro
[2013/01/07 03:33:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\ElevatedDiagnostics
[2011/04/14 08:03:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Neuratron
[2006/07/07 18:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\OurPictures
[2004/03/23 21:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\The Labyrinth Plus! Edition
[2012/09/26 18:54:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\TuneUp Software
[2012/09/25 19:25:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Windows Desktop Search
[2012/09/28 07:51:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Windows Search

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\vzdcafwp.sys:changelist

< End of report >

OTL logfile created on: 1/7/2013 11:02:06 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\David\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.24% Memory free
3.85 Gb Paging File | 3.49 Gb Available in Paging File | 90.71% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.32 Gb Total Space | 44.74 Gb Free Space | 65.48% Space Free | Partition Type: NTFS

Computer Name: YADDLE | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/07 19:38:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/12/05 11:12:02 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\UpdateService.exe
PRC - [2012/11/28 17:03:46 | 003,267,072 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\SafeEyes.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/10/28 19:02:02 | 000,056,952 | ---- | M] (Ipswitch) -- C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
PRC - [2009/11/11 10:21:38 | 000,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/03/11 23:00:30 | 000,135,168 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
PRC - [2004/03/11 23:00:30 | 000,090,112 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
PRC - [2003/12/11 11:30:00 | 000,049,152 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
PRC - [2002/08/07 06:34:26 | 000,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\intel\ASF Agent\ASFAgent.exe

========== Modules (No Company Name) ==========

MOD - [2012/12/05 11:10:56 | 002,397,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/02/17 19:55:35 | 000,166,912 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/10/28 18:55:42 | 006,551,672 | ---- | M] () -- C:\Program Files\Ipswitch\WS_FTP 12\res0409.dll
MOD - [2010/10/28 18:52:36 | 000,948,496 | ---- | M] () -- C:\Program Files\Ipswitch\WS_FTP 12\libeay32.dll
MOD - [2010/10/28 18:52:36 | 000,153,360 | ---- | M] () -- C:\Program Files\Ipswitch\WS_FTP 12\ssleay32.dll

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/12/11 17:50:36 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/05 11:12:01 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) [Auto | Running] -- C:\Program Files\Internet Content Filter\UpdateService.exe -- (seUpdateSvc)
SRV - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) [Auto | Running] -- C:\Program Files\Internet Content Filter\UpdateService.exe -- (mfeicfupdate)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/11/11 10:21:38 | 000,583,640 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2004/10/15 09:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand | Stopped] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)
SRV - [2004/03/11 23:00:30 | 000,135,168 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe -- (DLSDB)
SRV - [2004/03/11 23:00:30 | 000,090,112 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe -- (DLPWD)
SRV - [2003/12/11 11:30:00 | 000,049,152 | ---- | M] (ATI Technologies, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe -- (FGLRYUtil)
SRV - [2002/08/07 06:34:26 | 000,221,184 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
SRV - [2002/07/30 17:15:24 | 001,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc3.sys -- (RkPavproc3)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc2.sys -- (RkPavproc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc1.sys -- (RkPavproc1)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\egus.sys -- (nstnxxc)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\David\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\BW2NDIS5.sys -- (BW2NDIS5)
DRV - [2013/01/07 23:00:02 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F872536-F906-4EB4-A6FE-AA2F4F0C1067}\MpKsl4e240d2f.sys -- (MpKsl4e240d2f)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2010/11/09 13:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SBREDrv.sys -- (SBRE)
DRV - [2008/04/13 13:40:51 | 000,008,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\dlttape.sys -- (dlttape)
DRV - [2008/01/26 06:50:20 | 000,194,320 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys -- (KLIF)
DRV - [2004/10/15 09:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RCFOX.SYS -- (RCFOX)
DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/05/14 16:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dne2000.sys -- (DNE)
DRV - [2004/01/22 01:54:23 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2004/01/22 01:54:23 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2004/01/22 01:54:23 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/01/22 01:54:23 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/12/11 08:56:40 | 000,630,272 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2003/11/20 12:03:06 | 000,009,728 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\QntmDLT.sys -- (QntmDLT)
DRV - [2003/08/20 13:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\rcvpn.sys -- (rcvpn)
DRV - [2003/03/27 11:58:56 | 000,287,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/03/26 16:33:58 | 000,498,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctaud2k.sys -- (ctaud2k)
DRV - [2003/03/26 16:32:32 | 000,189,504 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
DRV - [2003/03/26 16:32:02 | 000,141,536 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hap16v2k.sys -- (hap16v2k)
DRV - [2003/03/26 16:31:40 | 000,823,616 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/03/06 10:10:34 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfmodnt.sys -- (PfModNT)
DRV - [2003/02/20 17:24:46 | 000,116,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\emupia2k.sys -- (emupia)
DRV - [2003/02/20 17:24:34 | 000,135,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/02/20 17:24:18 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctprxy2k.sys -- (ctprxy2k)
DRV - [2003/02/20 17:22:38 | 000,135,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctac32k.sys -- (ctac32k)
DRV - [2002/12/17 13:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 13:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 13:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/08/29 14:29:12 | 000,036,096 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMMPI.SYS -- (symmpi)
DRV - [2002/07/30 17:15:40 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NMSCFG.SYS -- (NMSCFG)
DRV - [2002/05/07 17:06:36 | 000,023,744 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\platalrt.sys -- (PlatAlrt)
DRV - [2002/05/07 17:05:56 | 000,039,680 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Netalrt.sys -- (NetAlrt)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

====

Fiery · Jan 7, 2013

Hi,

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\egus.sys -- (nstnxxc)
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=101067&mntrId=00fd53e7000000000000000d56c1db42&q="
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: findwhat.com ([secure] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: kanoodle.com ([safe] https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C20CC9F1-1414-49A9-9A3A-122B89C617F6}: DhcpNameServer = 209.18.47.61 209.18.47.62
@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\vzdcafwp.sys:changelist

:Files
c:\windows\system32\drivers\egus.sys
C:\WINDOWS\System32\drivers\vincqb.sys
C:\WINDOWS\System32\drivers\vzdcafwp.sys
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Then click Run Fix. Post the log afterwards.

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
Click delete
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt

Then, download a new copy of combofix from <a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a> <a title="External link" href="http://www.infospyware.net/antimalware/combofix/" rel="external"><>Link 2</></a> and do a scan. Attach the logs in the next reply.

Holt · Jan 8, 2013

Fiery,

Below are the 3 log files you requested:

All processes killed
========== OTL ==========
Service nstnxxc stopped successfully!
Service nstnxxc deleted successfully!
File System32\drivers\egus.sys not found.
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Prefs.js: "http://search.babylon.com/?babsrc=adbartrp&affID=101067&mntrId=00fd53e7000000000000000d56c1db42&q=" removed from keyword.URL
Registry key HKEY_USERS\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\findwhat.com\secure\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kanoodle.com\safe\ deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C20CC9F1-1414-49A9-9A3A-122B89C617F6}\\DhcpNameServer| /E : value set successfully!
ADS C:\WINDOWS\System32\drivers\vzdcafwp.sys:changelist deleted successfully.
========== FILES ==========
File\Folder c:\windows\system32\drivers\egus.sys not found.
C:\WINDOWS\System32\drivers\vincqb.sys moved successfully.
C:\WINDOWS\System32\drivers\vzdcafwp.sys moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\David\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\David\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: David
->Temp folder emptied: 745675 bytes
->Temporary Internet Files folder emptied: 12324785 bytes
->Java cache emptied: 196586850 bytes
->FireFox cache emptied: 89900603 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1523671 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 5782 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4797 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1398942 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 289.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 01082013_020004

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

# AdwCleaner v2.104 - Logfile created 01/08/2013 at 02:26:33
# Updated 29/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : David - YADDLE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\David\Desktop\adzz\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\David\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com

***** [Registry] *****

Key Deleted : HKCU\Software\MediaFinder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{3F39D17D-50C7-4AC4-A63A-CDF6CDBD0C61}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEPlugin.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AE9908C1-3400-4B10-9061-C6C04D96E3D2}
Key Deleted : HKLM\SOFTWARE\Classes\MF

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\prefs.js

C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\user.js ... Deleted !

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar.babTrack", "affID=101067");
Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 30);
Deleted : user_pref("extensions.BabylonToolbar.dfltSrch", false);
Deleted : user_pref("extensions.BabylonToolbar.hmpg", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "00fd53e7000000000000000d56c1db42");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15338");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.lastDP", 30);
Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.170:46:10");
Deleted : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "8.0");
Deleted : user_pref("extensions.BabylonToolbar.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_bb");
Deleted : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.propectorlck", 63785591);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 1);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 1);
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.ptch_0717", true);
Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.170:46:10");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=101067");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "00fd53e7000000000000000d56c1db42");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "00fd53e7000000000000000d56c1db42");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15338");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", false);
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.170:46:10");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4635 octets] - [08/01/2013 02:24:25]
AdwCleaner[S1].txt - [4786 octets] - [08/01/2013 02:26:33]

########## EOF - C:\AdwCleaner[S1].txt - [4846 octets] ##########

ComboFix 13-01-06.01 - David 01/08/2013 2:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1593 [GMT -5:00]
Running from: c:\documents and settings\David\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 07:37 . 2013-01-08 07:37 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F872536-F906-4EB4-A6FE-AA2F4F0C1067}\MpKsl7987e8b9.sys
2013-01-08 07:00 . 2013-01-08 07:00 -------- d-----w- C:\_OTL
2013-01-07 21:06 . 2012-11-08 15:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F872536-F906-4EB4-A6FE-AA2F4F0C1067}\mpengine.dll
2013-01-07 17:44 . 2013-01-07 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2013-01-07 08:33 . 2013-01-07 08:33 -------- d-----w- c:\documents and settings\David\Application Data\ElevatedDiagnostics
2013-01-07 08:03 . 2013-01-07 08:03 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2013-01-07 08:02 . 2008-04-14 07:06 13952 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2013-01-07 08:02 . 2008-04-14 07:06 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2013-01-07 08:02 . 2008-04-14 07:06 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2013-01-07 08:02 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-01-07 08:02 . 2001-08-17 16:11 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys
2013-01-07 07:38 . 2013-01-07 07:38 9216 ----a-w- c:\windows\system32\Native.exe
2013-01-07 07:38 . 2013-01-07 08:06 -------- d-----w- C:\ReimageUndo
2013-01-07 04:58 . 2013-01-07 08:06 -------- d-----w- C:\rei
2013-01-07 04:58 . 2013-01-07 04:58 -------- d-----w- c:\program files\Reimage
2013-01-07 04:14 . 2012-11-08 15:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-07 04:09 . 2013-01-07 04:09 -------- d-----w- c:\program files\Microsoft Security Client
2013-01-07 02:38 . 2013-01-07 02:48 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-01-07 02:33 . 2013-01-07 02:33 -------- d-----w- c:\program files\HitmanPro
2013-01-07 02:33 . 2013-01-07 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-01-06 22:57 . 2013-01-06 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
2012-12-10 17:21 . 2012-12-10 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Ipswitch
2012-12-10 17:21 . 2012-12-10 17:21 -------- d-----w- c:\program files\Ipswitch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2002-08-29 11:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2011-12-11 01:51 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-11 22:50 . 2012-07-15 01:53 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 22:50 . 2011-05-21 16:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-28 22:04 . 2010-10-13 18:26 1699936 ----a-w- c:\windows\SERecat.exe
2012-11-28 22:04 . 2010-09-06 17:16 1761760 ----a-w- c:\windows\system32\seinst.dll
2012-11-28 22:03 . 2010-09-06 17:16 341360 ----a-w- c:\windows\system32\ICF.dll
2012-11-28 22:03 . 2010-09-06 17:16 1715392 ----a-w- c:\windows\sediag.exe
2012-11-13 01:25 . 2002-08-29 11:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2002-08-29 11:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-02-06 22:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2002-08-29 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2012-12-05 16:12 . 2012-12-05 16:10 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-01-31 01:33 . 051B1BDECD6DEE18C771B5D5EC7F044D . 27136 . . [11.0.5721.5262] . . c:\windows\SYSTEM32\mspmsnsv.dll
[7] 2008-04-14 00:12 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[7] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\erdnt\cache\mspmsnsv.dll
[7] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\SYSTEM32\DLLCACHE\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtServicePackUninstall$\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICF"="c:\program files\Internet Content Filter\SafeEyes.exe" [2012-11-28 3267072]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
/L:ENG [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 22:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 22:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]
2009-11-11 15:22 3401688 ----a-w- c:\program files\Desktop Maestro\DeskMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2002-05-18 17:04 327680 ------w- c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-09-15 03:42 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"PNMSRV"=2 (0x2)
"AVP"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl7987e8b9;MpKsl7987e8b9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F872536-F906-4EB4-A6FE-AA2F4F0C1067}\MpKsl7987e8b9.sys [1/8/2013 2:37 AM 29904]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\SYSTEM32\DRIVERS\RCFOX.SYS [4/14/2006 3:02 PM 91136]
R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/30/2009 10:35 AM 98392]
R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [8/7/2002 6:34 AM 221184]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [10/14/2004 3:09 AM 135168]
R2 FGLRYUtil;FGLRYUTIL;c:\program files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe [2/11/2004 12:35 AM 49152]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/24/2012 7:31 PM 398184]
R2 mfeicfupdate;McAfee Internet Content Filter Update Service;c:\program files\Internet Content Filter\UpdateService.exe [9/6/2010 12:16 PM 1695816]
R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 5:05 PM 39680]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/20/2010 4:56 PM 583640]
R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 5:06 PM 23744]
R2 seUpdateSvc;Safe Eyes Update Service;c:\program files\Internet Content Filter\UpdateService.exe [9/6/2010 12:16 PM 1695816]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/10/2011 8:51 PM 21104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 8:52 PM 682344]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 dlttape;dlttape;c:\windows\SYSTEM32\DRIVERS\dlttape.sys [2/3/2004 9:10 AM 8320]
S3 QntmDLT;QntmDLT;c:\windows\SYSTEM32\DRIVERS\QntmDLT.sys [11/20/2003 12:03 PM 9728]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\rcvpn.sys [4/14/2006 3:01 PM 23180]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 RkPavproc3;RkPavproc3;\??\c:\windows\system32\drivers\RkPavproc3.sys --> c:\windows\system32\drivers\RkPavproc3.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL7987E8B9
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 22:50]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 15:19]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 15:19]
.
2013-01-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 22:25]
.
2013-01-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: cj.com\members
Trusted Zone: cj.com\signup
Trusted Zone: cj.com\www
Trusted Zone: linkshare.com
Trusted Zone: overture.com\secure
Trusted Zone: shareasale.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.christcenteredmall.com/stores/art/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-12-15 15:34; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 02:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\wbem\\fastprox.dll"
"ThreadingModel"="Free"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-08 02:52:41
ComboFix-quarantined-files.txt 2013-01-08 07:52
ComboFix2.txt 2013-01-07 19:24
ComboFix3.txt 2013-01-07 01:37
.
Pre-Run: 48,399,671,296 bytes free
Post-Run: 48,364,589,056 bytes free
.
- - End Of File - - A8FCF8C53AFE51B165FAC1217B3D3109

Fiery said:
Hi,

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\egus.sys -- (nstnxxc)
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=101067&mntrId=00fd53e7000000000000000d56c1db42&q="
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: findwhat.com ([secure] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: kanoodle.com ([safe] https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C20CC9F1-1414-49A9-9A3A-122B89C617F6}: DhcpNameServer = 209.18.47.61 209.18.47.62
@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\vzdcafwp.sys:changelist

:Files
c:\windows\system32\drivers\egus.sys
C:\WINDOWS\System32\drivers\vincqb.sys
C:\WINDOWS\System32\drivers\vzdcafwp.sys
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Click to expand...

Then click Run Fix. Post the log afterwards.

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.

Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)

Click delete

Please post the content of that logfile with your next answer.

You can find the logfile at C:\AdwCleaner[S1].txt

Then, download a new copy of combofix from <a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a> <a title="External link" href="http://www.infospyware.net/antimalware/combofix/" rel="external"><>Link 2</></a> and do a scan. Attach the logs in the next reply.

Fiery · Jan 8, 2013

Hi,

Goto www.virustotal.com and upload the file: c:\windows\SYSTEM32\mspmsnsv.dll and scan it. Copy the link of the analysis pageand paste it in your next reply

Fiery

Holt · Jan 8, 2013

SHA256: e9d4870c7e4e6119b274cf788d564be9c48ea63790f5d6a2e987eb6df7c93200
File name: mspmsnsv.dll
Detection ratio: 0 / 46
Analysis date: 2013-01-08 18:18:14 UTC ( 0 minutes ago )

https://www.virustotal.com/file/e9d4870c7e4e6119b274cf788d564be9c48ea63790f5d6a2e987eb6df7c93200/analysis/1357669094/

Fiery said:
Hi,

Goto www.virustotal.com and upload the file: c:\windows\SYSTEM32\mspmsnsv.dll and scan it. Copy the link of the analysis pageand paste it in your next reply

Fiery

Fiery · Jan 8, 2013

Download Malwarebytes Anti-Rootkit from here to your Desktop

Unzip the contents to a folder on your Desktop.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Update Malwarebytes Pro and do a quick scan

Holt · Jan 8, 2013

No issues detected.

MBAR-LOG

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2013.01.09.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
David :: YADDLE [administrator]

1/8/2013 8:28:38 PM
mbar-log-2013-01-08 (20-28-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 25794
Time elapsed: 17 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

SYSTEM-LOG

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.056000 GHz
Memory total: 2146435072, free: 1453129728

------------ Kernel report ------------
01/08/2013 20:09:00
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
symmpi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
ohci1394.sys
\WINDOWS\System32\DRIVERS\1394BUS.SYS
Mup.sys
agp440.sys
\SystemRoot\System32\DRIVERS\nic1394.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\nv4_mini.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\e1000325.sys
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\System32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\Drivers\Cdr4_xp.SYS
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\redbook.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\pwd_2k.SYS
\SystemRoot\System32\Drivers\Cdralw2k.SYS
\SystemRoot\System32\DRIVERS\imapi.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\system32\DRIVERS\dne2000.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\rdpdr.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\omci.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\mmc_2K.SYS
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\WINDOWS\system32\drivers\SBREdrv.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\cdudf_xp.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\UdfReadr_xp.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\??\C:\WINDOWS\system32\Drivers\RCFOX.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\arp1394.sys
\SystemRoot\System32\DRIVERS\usbprint.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_symmpi.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\??\C:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
\??\C:\WINDOWS\system32\drivers\PfModNT.sys
\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3CB9FCA4-7012-4FA8-90E9-47842A0B2B31}\MpKslc1a099c7.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\SYSTEM32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8acb5030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\symmpi1Port1Path0Target0Lun0\
Lower Device Object: 0xffffffff8aceb030
Lower Device Driver Name: \Driver\symmpi\
Driver name found: symmpi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2013.01.09.01
Canceled update
Downloaded database version: v2013.01.09.01
Downloaded database version: v2013.01.04.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8acb5030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8acb3e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8acb5030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8aceb030, DeviceName: \Device\Scsi\symmpi1Port1Path0Target0Lun0\, DriverName: \Driver\symmpi\
------------ End ----------
Upper DeviceData: 0xffffffffe273d120, 0xffffffff8acb5030, 0xffffffff89bda6a0
Lower DeviceData: 0xffffffffe1ad2610, 0xffffffff8aceb030, 0xffffffff89f2ac80
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D8000000

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 80262

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 80325 Numsec = 143283735
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 73407820800 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-143354650-143374650)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

Fiery said:
Download Malwarebytes Anti-Rootkit from here to your Desktop

Unzip the contents to a folder on your Desktop.

Open the folder where the contents were unzipped and run mbar.exe

Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.

After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.

When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

Update Malwarebytes Pro and do a quick scan

Fiery · Jan 8, 2013

Hi, let's do one last scan before we clean up.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
- Scan unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
Click Scan
Wait for the scan to finish
Re-enable your antivirus software.
A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Holt · Jan 9, 2013

Hi Fiery,

The scan came out clean; however, I am still concerned about the following log in RKill:

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

[I have this post on both computers. Could this be from ReImage? or is it a service host virus/rootkit?]

Checking for processes to terminate:

* C:\WINDOWS\system32\CTsvcCDA.exe (PID: 864) [WD-HEUR]
* C:\WINDOWS\system32\MsPMSPSv.exe (PID: 1940) [WD-HEUR]
2 proccesses terminated!

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\mspmsnsv.dll [NoSig]
+-> C:\WINDOWS\$NtServicePackUninstall$\mspmsnsv.dll : 52,224 : 08/04/2004 00:56 AM : c086483e3dba8c1c0a687ec8d5b3d4c1 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallWMFDist11$\mspmsnsv.dll : 52,224 : 04/13/2008 08:12 PM : c7e39ea41233e9f5b86c8da3a9f1e4a8 [Pos Repl]
+-> C:\WINDOWS\erdnt\cache\mspmsnsv.dll : 27,136 : 10/18/2006 09:47 PM : c51b4a5c05a5475708e3c81c7765b71d [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\mspmsnsv.dll : 52,224 : 08/04/2004 09:56 AM : c086483e3dba8c1c0a687ec8d5b3d4c1 [Pos Repl]
+-> C:\WINDOWS\SYSTEM32\DLLCACHE\mspmsnsv.dll : 27,136 : 10/18/2006 09:47 PM : c51b4a5c05a5475708e3c81c7765b71d [Pos Repl]
[I think this is because Reimage replaced some damaged or missing files. Should I run my installation XP service pack 3 disk to replace files?]

Also, after running the OTL registry patch, I now get some weird text on the end of my RKill show below:

Checking HOSTS File:

* HOSTS file entries found:

ÿþ1 2 7 . 0 . 0 . 1 l o c a l h o s t

: : 1 l o c a l h o s t

[Any ideas or suggestions?]

Thanks!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6844
# api_version=3.0.2
# EOSSerial=488ebcf1d3b76549a3599a7c3f762d1e
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-01-09 05:05:38
# local_time=2013-01-09 12:05:38 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 0 10447310 0 0
# scanned=71012
# found=0
# cleaned=0
# scan_time=2026

Fiery said:
Hi, let's do one last scan before we clean up.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the activex control to install

Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.

Click Start

Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked

Scan unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Click Scan

Wait for the scan to finish

Re-enable your antivirus software.

A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Fiery · Jan 9, 2013

Hi, let's try this first.

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to step 2 and allow it to run Disc check by clicking Do It

Go to step 3 and allow it to run SFC

Go to start repairs tab select advanced mode and click start.

Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks

Reset File Permissions
Register System Files
Repair WMI
Remove Policies Set By Infections
Remove Temp Files

then click Start.

Afterwards, do a new OTL scan with the same instructions as before.

Holt · Jan 9, 2013

Fiery,

I've got a new problem! I haven't done the step below yet because Hitman Pro now is telling me that I have a hosts attack with BOM Obfuscation, and it crashes at 98%. I tried running it in safe mode with networking, but it still crashes. Emsisoft, MES, Malware Bytes, and Spybot aren't finding it. I used RogueKiller again and reset the hosts file. The BOM obfuscation attack appeared to be gone when scanning with RogueKiller again, but it still crashed at 98% after showing about 27 tracking cookies. Uggh! What can I do now?

Fiery said:
Hi, let's try this first.

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to step 2 and allow it to run Disc check by clicking Do It

Go to step 3 and allow it to run SFC

Go to start repairs tab select advanced mode and click start.

Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks

Reset File Permissions
Register System Files
Repair WMI
Remove Policies Set By Infections
Remove Temp Files

then click Start.

Afterwards, do a new OTL scan with the same instructions as before.

Fiery · Jan 9, 2013

Hi,

Don't run hitmanPro or any other scans for now except the ones I recommend as it will slow down our removal process. Perform the scans I listed above.

Holt · Jan 9, 2013

The Tweaking program told me that my drive was dirty on disc check, but hopefully it fixed the errors on restart. Then I tried to run SFC, but it wanted by original WINDOWS disk. Unfortunately, all I can find was my Dell Drivers and Utilities Resource CD Backup Information disk which tells me that the software is already installed on my computer and to only use this CD to reinstall the software. I cannot find my Windows XP disk since moving. It is packed in a box somewhere. What can I do?

Fiery said:
Hi,

Don't run hitmanPro or any other scans for now except the ones I recommend as it will slow down our removal process. Perform the scans I listed above.

Fiery · Jan 9, 2013

Hi,

Ok, skip that and do a new OTL scan and post the log

Holt · Jan 9, 2013

Oops, I skipped the SFC scan but did the system scan with check boxes. I thought that was what you meant when you said skip that, but now I think you meant skip the entire scan altogether. Well, I did do a system restore and registry backup however per their suggestion.

OTL Scan Results:

OTL logfile created on: 1/9/2013 10:50:02 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\David\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.77% Memory free
3.85 Gb Paging File | 3.37 Gb Available in Paging File | 87.42% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.32 Gb Total Space | 44.24 Gb Free Space | 64.75% Space Free | Partition Type: NTFS

Computer Name: YADDLE | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/09 12:50:52 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe
PRC - [2013/01/07 19:38:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/12/05 11:12:02 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\UpdateService.exe
PRC - [2012/11/28 17:03:46 | 003,267,072 | ---- | M] (InternetSafety.com, Inc.) -- C:\Program Files\Internet Content Filter\SafeEyes.exe
PRC - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 17:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2009/11/11 10:21:38 | 000,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/03/11 23:00:30 | 000,135,168 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
PRC - [2004/03/11 23:00:30 | 000,090,112 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
PRC - [2003/12/11 11:30:00 | 000,049,152 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
PRC - [2002/08/07 06:34:26 | 000,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\intel\ASF Agent\ASFAgent.exe

========== Modules (No Company Name) ==========

MOD - [2012/12/05 11:10:56 | 002,397,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll

========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2013/01/09 12:50:52 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/12/05 11:12:01 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) [Auto | Running] -- C:\Program Files\Internet Content Filter\UpdateService.exe -- (seUpdateSvc)
SRV - [2012/11/28 17:04:52 | 001,695,816 | ---- | M] (InternetSafety.com, Inc.) [Auto | Running] -- C:\Program Files\Internet Content Filter\UpdateService.exe -- (mfeicfupdate)
SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/11/11 10:21:38 | 000,583,640 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2004/10/15 09:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand | Stopped] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)
SRV - [2004/03/11 23:00:30 | 000,135,168 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe -- (DLSDB)
SRV - [2004/03/11 23:00:30 | 000,090,112 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe -- (DLPWD)
SRV - [2003/12/11 11:30:00 | 000,049,152 | ---- | M] (ATI Technologies, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe -- (FGLRYUtil)
SRV - [2002/08/07 06:34:26 | 000,221,184 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
SRV - [2002/07/30 17:15:24 | 001,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc3.sys -- (RkPavproc3)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc2.sys -- (RkPavproc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RkPavproc1.sys -- (RkPavproc1)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\David\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\BW2NDIS5.sys -- (BW2NDIS5)
DRV - [2013/01/09 22:46:51 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6AD2FE11-17BD-46FD-8337-9B7911339CD9}\MpKsl79637bf9.sys -- (MpKsl79637bf9)
DRV - [2013/01/07 00:17:16 | 000,017,904 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Documents and Settings\David\Desktop\fffu\EmsisoftEmergencyKit\Run\a2ddax86.sys -- (A2DDA)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys -- (MBAMProtector)
DRV - [2010/11/09 13:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SBREDrv.sys -- (SBRE)
DRV - [2008/04/13 13:40:51 | 000,008,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\dlttape.sys -- (dlttape)
DRV - [2008/01/26 06:50:20 | 000,194,320 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys -- (KLIF)
DRV - [2004/10/15 09:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RCFOX.SYS -- (RCFOX)
DRV - [2004/08/04 00:29:49 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:47 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:45 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:43 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:42 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:41 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:37 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:37 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:37 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 00:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/05/14 16:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dne2000.sys -- (DNE)
DRV - [2004/01/22 01:54:23 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2004/01/22 01:54:23 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2004/01/22 01:54:23 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/01/22 01:54:23 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/12/11 08:56:40 | 000,630,272 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2003/11/20 12:03:06 | 000,009,728 | ---- | M] (Quantum Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\QntmDLT.sys -- (QntmDLT)
DRV - [2003/08/20 13:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\rcvpn.sys -- (rcvpn)
DRV - [2003/03/27 11:58:56 | 000,287,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/03/26 16:33:58 | 000,498,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctaud2k.sys -- (ctaud2k)
DRV - [2003/03/26 16:32:32 | 000,189,504 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys -- (ossrv)
DRV - [2003/03/26 16:32:02 | 000,141,536 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hap16v2k.sys -- (hap16v2k)
DRV - [2003/03/26 16:31:40 | 000,823,616 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/03/06 10:10:34 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfmodnt.sys -- (PfModNT)
DRV - [2003/02/20 17:24:46 | 000,116,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\emupia2k.sys -- (emupia)
DRV - [2003/02/20 17:24:34 | 000,135,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/02/20 17:24:18 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctprxy2k.sys -- (ctprxy2k)
DRV - [2003/02/20 17:22:38 | 000,135,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctac32k.sys -- (ctac32k)
DRV - [2002/12/17 13:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 13:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 13:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/08/29 14:29:12 | 000,036,096 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMMPI.SYS -- (symmpi)
DRV - [2002/07/30 17:15:40 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NMSCFG.SYS -- (NMSCFG)
DRV - [2002/05/07 17:06:36 | 000,023,744 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\platalrt.sys -- (PlatAlrt)
DRV - [2002/05/07 17:05:56 | 000,039,680 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Netalrt.sys -- (NetAlrt)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\SearchScopes,DefaultScope = {C1046C13-D6E3-4AA1-ADF6-319BB623E49D}
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\SearchScopes\{C1046C13-D6E3-4AA1-ADF6-319BB623E49D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.christcenteredmall.com/stores/art/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/09/14 22:42:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/05 11:12:03 | 000,000,000 | ---D | M]

[2011/03/22 16:31:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Extensions
[2012/12/15 15:34:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions
[2012/12/15 15:34:25 | 000,804,627 | ---- | M] () (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/12/05 11:10:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/05 11:12:03 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 14:25:05 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/21 09:26:34 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google

riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\23.0.1271.97\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Download Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: Gmail = C:\Documents and Settings\David\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2013/01/09 22:43:06 | 000,000,855 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {430DDB4F-38CC-4E91-AF33-4157334EC937} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
O3 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O4 - HKLM..\Run: [ICF] C:\Program Files\Internet Content Filter\SafeEyes.exe (InternetSafety.com, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000044 - %SystemRoot%\System32\mswsock.dll File not found
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: cj.com ([members] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: cj.com ([signup] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: cj.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: linkshare.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: overture.com ([secure] https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Domains: shareasale.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-989678199-2234712002-1868543911-1006\..Trusted Ranges: Range32 ([https] in Trusted sites)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} http://housecall60.trendmicro.com/housecall/xscan60.cab (HouseCall Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1345029211828 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348617615734 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} http://www.microsoft.com/security/controls/SassCln.CAB (SassCln Object)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C20CC9F1-1414-49A9-9A3A-122B89C617F6}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 14:36:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/09 21:06:20 | 000,181,064 | ---- | C] (Sysinternals) -- C:\WINDOWS\PSEXESVC.EXE
[2013/01/09 21:05:03 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013/01/09 21:01:27 | 000,000,000 | ---D | C] -- C:\Tweaking.com_Windows_Repair_Logs
[2013/01/09 21:00:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\tweaking.com_windows_repair_aio
[2013/01/09 17:09:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/01/09 16:46:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\RK_Quarantine
[2013/01/08 20:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\mbar-1.01.0.1011
[2013/01/08 05:48:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\David\Recent
[2013/01/08 05:48:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/01/08 02:52:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/01/08 02:21:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\adzz
[2013/01/08 02:00:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/01/07 19:37:44 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
[2013/01/07 03:33:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Application Data\ElevatedDiagnostics
[2013/01/07 03:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2013/01/07 03:32:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2013/01/07 02:38:33 | 000,000,000 | ---D | C] -- C:\ReimageUndo
[2013/01/06 23:58:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Reimage Repair
[2013/01/06 23:58:39 | 000,000,000 | ---D | C] -- C:\rei
[2013/01/06 23:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2013/01/06 23:09:30 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/01/06 21:38:28 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2013/01/06 21:33:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
[2013/01/06 21:33:41 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/01/06 21:33:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2013/01/06 21:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\roigguer
[2013/01/06 20:29:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/01/06 20:27:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/01/06 20:27:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/01/06 20:27:44 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/01/06 20:27:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/01/06 20:27:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2013/01/06 20:27:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2013/01/06 20:26:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/01/06 20:25:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\fffu
[2013/01/06 20:15:17 | 005,019,547 | R--- | C] (Swearware) -- C:\Documents and Settings\David\Desktop\ComboFix.exe
[2013/01/06 17:57:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
[2012/12/13 05:26:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\web page patches

========== Files - Modified Within 30 Days ==========

[2013/01/09 22:50:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/09 22:47:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
[2013/01/09 22:46:58 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
[2013/01/09 22:46:55 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2013/01/09 22:46:45 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/09 22:46:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2013/01/09 22:46:22 | 2146,508,800 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/09 22:43:28 | 000,181,064 | ---- | M] (Sysinternals) -- C:\WINDOWS\PSEXESVC.EXE
[2013/01/09 22:43:06 | 000,000,855 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\Hosts
[2013/01/09 22:24:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/09 21:23:06 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/01/09 20:45:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/09 18:05:53 | 003,293,002 | ---- | M] () -- C:\Documents and Settings\David\Desktop\tweaking.com_windows_repair_aio.zip
[2013/01/09 13:02:28 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2013/01/08 21:48:18 | 000,397,390 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/01/08 21:48:18 | 000,059,736 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/01/08 20:07:38 | 013,485,902 | ---- | M] () -- C:\Documents and Settings\David\Desktop\mbar-1.01.0.1011.zip
[2013/01/07 19:38:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
[2013/01/07 03:22:26 | 000,546,744 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/01/07 03:08:38 | 000,000,550 | ---- | M] () -- C:\WINDOWS\System32\reimage.rep
[2013/01/07 03:08:33 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.bak
[2013/01/07 03:00:42 | 000,000,179 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2013/01/07 02:38:34 | 000,009,216 | ---- | M] () -- C:\WINDOWS\System32\Native.exe
[2013/01/06 23:58:48 | 000,001,749 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PC Scan & Repair by Reimage.lnk
[2013/01/06 23:09:49 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/01/06 21:48:20 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2013/01/06 21:33:42 | 000,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/01/06 20:29:19 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2013/01/06 20:15:42 | 005,019,547 | R--- | M] (Swearware) -- C:\Documents and Settings\David\Desktop\ComboFix.exe
[2013/01/05 20:57:50 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Word.lnk
[2013/01/03 01:58:22 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2012/12/21 02:04:30 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/12/16 15:06:03 | 000,444,870 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.old
[2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/13 12:59:44 | 000,027,584 | ---- | M] () -- C:\Documents and Settings\David\Desktop\kissing-the-face-of-god-pewter-frame.jpg
[2012/12/13 05:28:40 | 000,002,359 | ---- | M] () -- C:\Documents and Settings\David\Desktop\Notepad.lnk
[2012/12/11 18:35:54 | 000,002,347 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\Memorize His Word.lnk
[2012/12/11 01:04:00 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\David\Desktop\ideass.bmp

========== Files Created - No Company Name ==========

[2013/01/09 20:59:34 | 2146,508,800 | -HS- | C] () -- C:\hiberfil.sys
[2013/01/09 18:05:10 | 003,293,002 | ---- | C] () -- C:\Documents and Settings\David\Desktop\tweaking.com_windows_repair_aio.zip
[2013/01/09 16:42:53 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/01/08 20:04:37 | 013,485,902 | ---- | C] () -- C:\Documents and Settings\David\Desktop\mbar-1.01.0.1011.zip
[2013/01/07 03:08:33 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\reimage.rep
[2013/01/07 03:03:18 | 000,001,992 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2013/01/07 03:03:18 | 000,001,605 | ---- | C] () -- C:\Documents and Settings\David\Start Menu\Programs\Remote Assistance.lnk
[2013/01/07 03:03:18 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2013/01/07 03:03:18 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\David\Start Menu\Programs\Outlook Express.lnk
[2013/01/07 02:38:34 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\Native.exe
[2013/01/06 23:58:49 | 000,000,179 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2013/01/06 23:58:48 | 000,001,749 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PC Scan & Repair by Reimage.lnk
[2013/01/06 23:19:42 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/01/06 23:09:43 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/01/06 21:33:42 | 000,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HitmanPro.lnk
[2013/01/06 20:29:19 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/01/06 20:29:16 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/01/06 20:27:44 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/01/06 20:27:44 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/01/06 20:27:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/01/06 20:27:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/01/06 20:27:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/12/13 12:59:44 | 000,027,584 | ---- | C] () -- C:\Documents and Settings\David\Desktop\kissing-the-face-of-god-pewter-frame.jpg
[2012/12/11 01:04:00 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\David\Desktop\ideass.bmp
[2012/04/26 16:50:30 | 000,178,257 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\census.cache
[2012/04/26 16:50:28 | 000,199,016 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\ars.cache
[2012/04/26 16:31:27 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\housecall.guid.cache
[2012/02/16 11:52:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/07 11:59:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\RussSqr.INI
[2012/01/18 12:24:32 | 000,107,280 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2012/01/02 02:49:08 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/03/22 16:31:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/28 01:02:42 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\David\Cache.db
[2009/10/03 11:04:19 | 000,008,627 | ---- | C] () -- C:\Documents and Settings\David\PAV_FOG.OPC
[2005/09/06 15:49:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\David\WebProxy.ini
[2004/02/03 11:27:42 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\David\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2009/05/31 18:59:08 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/01/06 17:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
[2008/01/28 11:52:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Backup
[2013/01/06 21:38:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2012/12/06 17:13:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Internet Content Filter
[2008/01/28 11:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\sentinel
[2013/01/09 17:09:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/09/26 18:55:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2012/09/26 18:53:58 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936}
[2011/11/24 03:00:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Desktop Maestro
[2013/01/07 03:33:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\ElevatedDiagnostics
[2011/04/14 08:03:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Neuratron
[2006/07/07 18:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\OurPictures
[2004/03/23 21:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\The Labyrinth Plus! Edition
[2012/09/26 18:54:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\TuneUp Software
[2012/09/25 19:25:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Windows Desktop Search
[2012/09/28 07:51:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David\Application Data\Windows Search

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3

< End of report >

Fiery said:
Hi,

Ok, skip that and do a new OTL scan and post the log

Fiery · Jan 9, 2013

Hi,

The localhost and svchost from rkill is find, your host file is not modified, based on your OTL log. We can fix the mspmsnsv.dll below. Delete the old combofix.exe and download a new version. (Don't run it just yet)

Open up Notepad and paste the following:

FCOPY::
C:\WINDOWS\ServicePackFiles\i386\mspmsnsv.dll | C:\WINDOWS\System32\mspmsnsv.dll

ClearJavaCache::

DirLook::
C:\Documents and Settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
C:\Documents and Settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936}

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
Now use your mouse to drag CFscript.txt on top of ComboFix.exe
Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt
I will ask for this log below

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Then click Run Fix. Post the log afterwards.

Holt · Jan 10, 2013

I uninstalled and reinstalled combofix via the C prompt. The scan results are below:

ComboFix 13-01-08.01 - David 01/10/2013 4:29.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1582 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\mspmsnsv.dll --> c:\windows\System32\mspmsnsv.dll
.
((((((((((((((((((((((((( Files Created from 2012-12-10 to 2013-01-10 )))))))))))))))))))))))))))))))
.
.
2013-01-10 09:16 . 2012-11-08 15:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D3AE0307-1561-4DFF-8B74-AB46AA95EFDE}\mpengine.dll
2013-01-10 03:42 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe
2013-01-10 02:06 . 2013-01-10 03:43 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-01-10 02:05 . 2013-01-10 02:05 -------- d-----w- C:\RegBackup
2013-01-10 02:01 . 2013-01-10 03:43 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-01-08 15:01 . 2012-11-08 15:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-08 07:00 . 2013-01-08 07:00 -------- d-----w- C:\_OTL
2013-01-07 17:44 . 2013-01-07 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2013-01-07 08:33 . 2013-01-07 08:33 -------- d-----w- c:\documents and settings\David\Application Data\ElevatedDiagnostics
2013-01-07 08:03 . 2013-01-07 08:03 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2013-01-07 08:02 . 2008-04-14 07:06 13952 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2013-01-07 08:02 . 2008-04-14 07:06 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2013-01-07 08:02 . 2008-04-14 07:06 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2013-01-07 08:02 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-01-07 08:02 . 2001-08-17 16:11 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys
2013-01-07 07:38 . 2013-01-07 07:38 9216 ----a-w- c:\windows\system32\Native.exe
2013-01-07 07:38 . 2013-01-07 08:06 -------- d-----w- C:\ReimageUndo
2013-01-07 04:58 . 2013-01-07 08:06 -------- d-----w- C:\rei
2013-01-07 04:58 . 2013-01-07 04:58 -------- d-----w- c:\program files\Reimage
2013-01-07 04:09 . 2013-01-07 04:09 -------- d-----w- c:\program files\Microsoft Security Client
2013-01-07 02:38 . 2013-01-07 02:48 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-01-07 02:33 . 2013-01-07 02:33 -------- d-----w- c:\program files\HitmanPro
2013-01-07 02:33 . 2013-01-07 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2013-01-06 22:57 . 2013-01-06 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
2012-12-12 21:13 . 2012-12-12 21:13 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Jasc Software Inc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 17:50 . 2012-07-15 01:53 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 17:50 . 2011-05-21 16:01 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2002-08-29 11:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2011-12-11 01:51 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-28 22:04 . 2010-10-13 18:26 1699936 ----a-w- c:\windows\SERecat.exe
2012-11-28 22:04 . 2010-09-06 17:16 1761760 ----a-w- c:\windows\system32\seinst.dll
2012-11-28 22:03 . 2010-09-06 17:16 341360 ----a-w- c:\windows\system32\ICF.dll
2012-11-28 22:03 . 2010-09-06 17:16 1715392 ----a-w- c:\windows\sediag.exe
2012-11-13 01:25 . 2002-08-29 11:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-09-03 19:52 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2002-08-29 11:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-02-06 22:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2002-08-29 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2012-12-05 16:12 . 2012-12-05 16:10 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936} ----
.
2012-09-26 23:53 . 2012-09-26 23:54 24039424 ----a-w- c:\documents and settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936}\{D3742F82-1C1A-4DCC-ABBD-0E831C0185CC}.msi
.
---- Directory of c:\documents and settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICF"="c:\program files\Internet Content Filter\SafeEyes.exe" [2012-11-28 3267072]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
/L:ENG [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 22:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 22:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]
2009-11-11 15:22 3401688 ----a-w- c:\program files\Desktop Maestro\DeskMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2002-05-18 17:04 327680 ------w- c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-09-15 03:42 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SDhelper"=2 (0x2)
"PNMSRV"=2 (0x2)
"AVP"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\David\Desktop\fffu\EmsisoftEmergencyKit\Run\a2ddax86.sys [1/7/2013 11:04 AM 17904]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\SYSTEM32\DRIVERS\RCFOX.SYS [4/14/2006 3:02 PM 91136]
R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/30/2009 10:35 AM 98392]
R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [8/7/2002 6:34 AM 221184]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [10/14/2004 3:09 AM 135168]
R2 FGLRYUtil;FGLRYUTIL;c:\program files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe [2/11/2004 12:35 AM 49152]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/24/2012 7:31 PM 398184]
R2 mfeicfupdate;McAfee Internet Content Filter Update Service;c:\program files\Internet Content Filter\UpdateService.exe [9/6/2010 12:16 PM 1695816]
R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 5:05 PM 39680]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/20/2010 4:56 PM 583640]
R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 5:06 PM 23744]
R2 seUpdateSvc;Safe Eyes Update Service;c:\program files\Internet Content Filter\UpdateService.exe [9/6/2010 12:16 PM 1695816]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/10/2011 8:51 PM 21104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 8:52 PM 682344]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 dlttape;dlttape;c:\windows\SYSTEM32\DRIVERS\dlttape.sys [2/3/2004 9:10 AM 8320]
S3 QntmDLT;QntmDLT;c:\windows\SYSTEM32\DRIVERS\QntmDLT.sys [11/20/2003 12:03 PM 9728]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\rcvpn.sys [4/14/2006 3:01 PM 23180]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 RkPavproc3;RkPavproc3;\??\c:\windows\system32\drivers\RkPavproc3.sys --> c:\windows\system32\drivers\RkPavproc3.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 17:50]
.
2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 15:19]
.
2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 15:19]
.
2013-01-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 22:25]
.
2013-01-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2013-01-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-989678199-2234712002-1868543911-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: ICF.dll
Trusted Zone: cj.com\members
Trusted Zone: cj.com\signup
Trusted Zone: cj.com\www
Trusted Zone: linkshare.com
Trusted Zone: overture.com\secure
Trusted Zone: shareasale.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.christcenteredmall.com/stores/art/
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-12-15 15:34; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-10 04:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@DACL=(02 0010)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1124)
c:\windows\system32\ICF.dll
.
- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-10 04:37:09
ComboFix-quarantined-files.txt 2013-01-10 09:37
.
Pre-Run: 48,035,827,712 bytes free
Post-Run: 48,035,979,264 bytes free
.
- - End Of File - - C1D2C3D1611DFB5C3441B615CC939BE4

Regarding the OTL scan, I did not disable Microsoft Security Essentials like I did with the ComboFix scan. After starting the scan, I saw the green logo go to red and then shut down. I'm not sure if there was a conflict or not. Anyway, here is the log:

All processes killed
========== OTL ==========
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3 .
File PTYTEMP] not found.
File SETHOSTS] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 01102013_044107

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Fiery said:
Hi,

The localhost and svchost from rkill is find, your host file is not modified, based on your OTL log. We can fix the mspmsnsv.dll below. Delete the old combofix.exe and download a new version. (Don't run it just yet)

Open up Notepad and paste the following:

FCOPY::
C:\WINDOWS\ServicePackFiles\i386\mspmsnsv.dll | C:\WINDOWS\System32\mspmsnsv.dll

ClearJavaCache::

DirLook::
C:\Documents and Settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE
C:\Documents and Settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936}

Click to expand...

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Click to expand...

Then click Run Fix. Post the log afterwards.

I'm still worried about seeing that BOM rootkit yesterday when I ran a scan with HitmanPro and wondered why the scan locks up at 98%. I have not run anymore scans since you told me not to.

Fiery · Jan 10, 2013

Nothing is showing up in your combofix log. The BOM detection could be a false positive since hitmanpro uses multiple engines.

Download aswmbr.exe from the below link:
aswMBR DOWNLOAD LINK <em>(This link will automatically download aswMBR on your computer)</em>
Double click the aswMBR.exe to run it.
Click the [Scan] button to start scan
On completion of the scan click [Save log], save it to your desktop and post in your next reply.

<hr>

Can you try the OTL script again? I don't think you copied and pasted the script correctly.

Now do a hitmanPro scan and see if it crashes. Write down the directory of the BOM detection and post it in your next reply

ZeroAccess Possible Issues

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

New Member

Level 1

Similar threads