
Solved Need help with possible malware infection

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2010/09/13.

  1. 2010/09/13
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    [Resolved] Need help with possible malware infection

    A friend of mine asked me to have a look at his PC. He complained about emails being sent from his PC that he didn't send; he was afraid someone had hijacked his internet connection. He has Malwarebytes and Superantispyware installed, as well as Norton360. All are up to date, and I have run scans with them. They cleaned up a few things, but nothing that looked that bad to me. I'm posting the DDS logs for someone to look at; hopefully the machine is clean, but I want to make sure.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/30/2009 6:09:46 PM
    System Uptime: 9/13/2010 2:25:07 PM (2 hours ago)

    Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | 770-C45 (MS-7599)
    Processor: AMD Athlon(tm) II X2 250 Processor | CPU 1 | 3007/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 298 GiB total, 287.425 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP305: 6/15/2010 5:53:42 AM - System Checkpoint
    RP306: 6/16/2010 6:56:56 AM - System Checkpoint
    RP307: 6/17/2010 7:53:12 AM - System Checkpoint
    RP308: 6/18/2010 8:51:46 AM - System Checkpoint
    RP309: 6/19/2010 9:27:42 AM - System Checkpoint
    RP310: 6/20/2010 9:59:57 AM - System Checkpoint
    RP311: 6/21/2010 10:27:37 AM - System Checkpoint
    RP312: 6/22/2010 11:51:37 AM - System Checkpoint
    RP313: 6/23/2010 4:02:27 PM - System Checkpoint
    RP314: 6/24/2010 3:00:13 AM - Software Distribution Service 3.0
    RP315: 6/25/2010 3:03:40 AM - System Checkpoint
    RP316: 6/26/2010 3:51:10 AM - System Checkpoint
    RP317: 6/27/2010 4:03:35 AM - System Checkpoint
    RP318: 6/28/2010 4:19:45 AM - System Checkpoint
    RP319: 6/29/2010 4:28:41 AM - System Checkpoint
    RP320: 6/30/2010 5:28:41 AM - System Checkpoint
    RP321: 7/1/2010 6:28:41 AM - System Checkpoint
    RP322: 7/2/2010 7:28:41 AM - System Checkpoint
    RP323: 7/3/2010 8:28:45 AM - System Checkpoint
    RP324: 7/4/2010 9:34:26 AM - System Checkpoint
    RP325: 7/5/2010 10:28:41 AM - System Checkpoint
    RP326: 7/6/2010 10:36:44 AM - System Checkpoint
    RP327: 7/7/2010 11:36:44 AM - System Checkpoint
    RP328: 7/8/2010 12:36:44 PM - System Checkpoint
    RP329: 7/9/2010 1:36:44 PM - System Checkpoint
    RP330: 7/10/2010 2:36:48 PM - System Checkpoint
    RP331: 7/11/2010 2:50:40 PM - System Checkpoint
    RP332: 7/12/2010 3:50:40 PM - System Checkpoint
    RP333: 7/13/2010 4:50:35 PM - System Checkpoint
    RP334: 7/14/2010 5:00:10 PM - System Checkpoint
    RP335: 7/15/2010 3:00:13 AM - Software Distribution Service 3.0
    RP336: 7/16/2010 3:50:36 AM - System Checkpoint
    RP337: 7/17/2010 4:50:40 AM - System Checkpoint
    RP338: 7/18/2010 5:50:35 AM - System Checkpoint
    RP339: 7/19/2010 6:50:35 AM - System Checkpoint
    RP340: 7/20/2010 7:00:22 AM - System Checkpoint
    RP341: 7/21/2010 8:33:00 AM - System Checkpoint
    RP342: 7/22/2010 9:00:22 AM - System Checkpoint
    RP343: 7/23/2010 10:00:22 AM - System Checkpoint
    RP344: 7/24/2010 11:00:27 AM - System Checkpoint
    RP345: 7/25/2010 12:00:22 PM - System Checkpoint
    RP346: 7/26/2010 1:00:22 PM - System Checkpoint
    RP347: 7/27/2010 2:00:17 PM - System Checkpoint
    RP348: 7/28/2010 2:32:32 PM - System Checkpoint
    RP349: 7/29/2010 3:32:31 PM - System Checkpoint
    RP350: 7/30/2010 4:32:32 PM - System Checkpoint
    RP351: 7/31/2010 5:32:32 PM - System Checkpoint
    RP352: 8/2/2010 7:44:27 PM - System Checkpoint
    RP353: 8/3/2010 3:00:13 AM - Software Distribution Service 3.0
    RP354: 8/4/2010 3:20:27 AM - System Checkpoint
    RP355: 8/5/2010 4:34:52 AM - System Checkpoint
    RP356: 8/6/2010 5:20:27 AM - System Checkpoint
    RP357: 8/7/2010 6:20:27 AM - System Checkpoint
    RP358: 8/8/2010 7:20:27 AM - System Checkpoint
    RP359: 8/9/2010 8:20:31 AM - System Checkpoint
    RP360: 8/10/2010 9:20:21 AM - System Checkpoint
    RP361: 8/11/2010 10:01:41 AM - System Checkpoint
    RP362: 8/12/2010 11:01:37 AM - System Checkpoint
    RP363: 8/13/2010 3:00:13 AM - Software Distribution Service 3.0
    RP364: 8/14/2010 3:24:52 AM - System Checkpoint
    RP365: 8/15/2010 4:36:29 AM - System Checkpoint
    RP366: 8/16/2010 5:21:59 AM - System Checkpoint
    RP367: 8/17/2010 6:21:59 AM - System Checkpoint
    RP368: 8/18/2010 7:21:53 AM - System Checkpoint
    RP369: 8/19/2010 8:21:54 AM - System Checkpoint
    RP370: 8/20/2010 9:21:54 AM - System Checkpoint
    RP371: 8/21/2010 10:21:53 AM - System Checkpoint
    RP372: 8/22/2010 11:33:31 AM - System Checkpoint
    RP373: 8/23/2010 12:21:53 PM - System Checkpoint
    RP374: 8/24/2010 1:21:53 PM - System Checkpoint
    RP375: 8/25/2010 2:21:48 PM - System Checkpoint
    RP376: 8/26/2010 3:21:48 PM - System Checkpoint
    RP377: 8/27/2010 4:21:48 PM - System Checkpoint
    RP378: 8/28/2010 5:21:48 PM - System Checkpoint
    RP379: 8/29/2010 6:21:48 PM - System Checkpoint
    RP380: 8/30/2010 7:36:16 PM - System Checkpoint
    RP381: 8/31/2010 8:22:53 PM - System Checkpoint
    RP382: 9/1/2010 9:21:48 PM - System Checkpoint
    RP383: 9/2/2010 9:22:46 PM - System Checkpoint
    RP384: 9/3/2010 9:33:14 PM - System Checkpoint
    RP385: 9/4/2010 10:21:53 PM - System Checkpoint
    RP386: 9/5/2010 11:21:53 PM - System Checkpoint
    RP387: 9/7/2010 12:21:53 AM - System Checkpoint
    RP388: 9/12/2010 11:54:48 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.3
    Agere Systems PCI-SV92PP Soft Modem
    America Online (Choose which version to remove)
    AOL Coach Version 1.0(Build:20040229.1 en)
    AOL Connectivity Services
    AOL Spyware Protection
    AOL Toolbar
    AOL You've Got Pictures Screensaver
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    AzureBay Screen Saver
    AzureBay Screen Saver 3.5
    Brother MFL-Pro Suite MFC-495CW
    BRPSS_Setup.SCR
    Comcast Desktop Software (v1.2.0.9)
    Coupon Printer for Windows
    Desktop Doctor
    DocProc
    DocProcQFolder
    FaxTalk Communicator SE 4.7
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    J2SE Runtime Environment 5.0 Update 17
    Learn2 Player (Uninstall Only)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Disc 2
    Microsoft Office 2000 Small Business
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    Nero 7 Essentials
    neroxml
    Norton 360
    NVIDIA Drivers
    OCR Software by I.R.I.S 7.0
    PaperPort Image Printer
    Pure Networks Port Magic
    QuickTime
    RealPlayer Basic
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    ScanSoft PaperPort 11
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SpywareBlaster 4.2
    SUPERAntiSpyware Free Edition
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Viewpoint Media Player
    WebFldrs XP
    WebReg
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows XP Service Pack 3
    WinZip

    ==== Event Viewer Messages From Past Week ========

    9/13/2010 1:34:10 PM, error: Dhcp [1002] - The IP address lease 98.249.1.48 for the Network Card with network address 002421A5186B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Patrick at 16:05:50.12 on Mon 09/13/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1405 [GMT -4:00]

    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Java\jre1.5.0_17\bin\jusched.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
    svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    C:\Program Files\Java\jre1.5.0_17\bin\jucheck.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Patrick\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.comcast.net/
    uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/norton/products/toolbar/popup.jsp?pvid=n360v3_ss
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_17\bin\ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
    TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [CallControl 4.7] "c:\program files\faxtalk communicator\FTCtrl32.exe" /autoload
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe "
    mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
    mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe "
    mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe "
    mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini "
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_17\bin\jusched.exe "
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\register.lnk - c:\program files\azurebay\azurebay screen saver\Register.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wallpa~1.lnk - c:\program files\azurebay\azurebay screen saver\WPChanger.exe
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_17\bin\ssv.dll
    IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www5.snapfish.com/SnapfishActivia.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ============= SERVICES / DRIVERS ===============

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-1-27 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-1-27 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-1-27 482432]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100909.001\IDSXpx86.sys [2010-9-12 331640]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-1-27 117640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-12 102448]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100913.004\NAVENG.SYS [2010-9-13 85424]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100913.004\NAVEX15.SYS [2010-9-13 1362608]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-30 1684736]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:15:26 78336 ------w- c:\windows\system32\ieencode.dll
    2010-06-24 12:15:26 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

    ============= FINISH: 16:05:57.62 ===============
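    The "Pseudo HJT Report" section of the DDS log above is the part a reviewer reads first. As an added example (not part of this thread, not DDS, and not any tool the forum's helpers use), here is a small Python parser for those lines that pulls out the entries worth a second look: orphaned registrations ("No File"), components that load from a remote .cab URL (which DDS writes as hxxp so it is not clickable), and autostarts launching from under the user-profile tree. The sample lines are copied from the log in this thread; the flag names and the user-profile heuristic are this example's own, not DDS output.

```python
"""Triage helper for the DDS "Pseudo HJT Report" section.

Added example: not part of the WindowsBBS thread, DDS, or any forum tool.
The flag names and the user-profile-path heuristic are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

KINDS = {"BHO", "TB", "EB", "IE", "uRun", "mRun", "DPF", "StartupFolder"}
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
# DDS writes hxxp:// instead of http:// so pasted URLs are not clickable.
DEFANGED_RE = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)
# Heuristic (ours, not DDS's): on XP the user-profile tree is writable without
# admin rights, so an autostart pointing there deserves a closer look even
# when it turns out to belong to a legitimate product.
USER_PROFILE_RE = re.compile(r"c:\\documents and settings\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # BHO, TB, EB, IE, uRun, mRun, DPF, StartupFolder
    name: str                 # label, or the value name of a Run-key entry
    clsid: Optional[str]      # lower-cased {GUID} when the line carries one
    target: str               # file path or URL the entry resolves to
    flags: List[str] = field(default_factory=list)


def refang(url: str) -> str:
    """Turn DDS's hxxp:// back into http:// for reputation lookups."""
    return DEFANGED_RE.sub(lambda m: "http" + m.group(1) + "://", url)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Pseudo HJT line; returns None for lines of other kinds."""
    line = line.strip()
    if ":" not in line:
        return None
    kind, rest = (s.strip() for s in line.split(":", 1))
    if kind not in KINDS:
        return None
    m = CLSID_RE.search(rest)
    clsid = m.group(0).lower() if m else None
    if kind in ("uRun", "mRun"):
        # Run-key lines look like: [ValueName] "c:\path\prog.exe" /args
        run = re.match(r"\[(.*?)\]\s*(.*)", rest)
        name, target = (run.group(1), run.group(2)) if run else ("", rest)
    else:
        # Other lines are "label: {clsid} - target" or "{clsid} - target",
        # sometimes with a second {clsid} before the target; take the last part.
        parts = [p.strip() for p in rest.split(" - ")]
        target = parts[-1]
        name = re.sub(r":?\s*\{[0-9a-fA-F-]{36}\}\s*$", "", parts[0]) if len(parts) > 1 else ""
    entry = Entry(kind, name, clsid, target)
    if target.lower() == "no file":
        entry.flags.append("orphaned")        # registration left behind, file gone
    if DEFANGED_RE.search(target):
        entry.flags.append("remote")          # component fetched from a URL
        entry.target = refang(target)
    if USER_PROFILE_RE.search(target):
        entry.flags.append("user-profile-path")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that raised at least one flag, in log order."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Sample lines copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini "
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www5.snapfish.com/SnapfishActivia.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:13} {', '.join(e.flags):18} {e.name or e.clsid or ''} -> {e.target}")
```

    Run against the sample it reports the orphaned EB entry, the PaperPort reminder that reads its config from under the user-profile tree, and the Snapfish ActiveX download; everything else in the sample is left alone. A flag is a prompt to look up the CLSID and the file, not a verdict: the two flagged items from this very log are legitimate products.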
     
  2. 2010/09/13
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,889
    Likes Received:
    386
    If the computer is clean, the most likely scenario is that one of your friend's contacts has your friend's email address in his address book and that computer (the contact's) is compromised.
     

  4. 2010/09/13
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi PeteC,

    I was thinking kind of the same thing, but want to make sure there isn't any malware that the spyware programs missed.
     
  5. 2010/09/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We'll check, especially since MBAM apparently found something.
    Both possible culprits are valid: someone else's computer is infected and this one as well.

    Please disable "word wrap" in Notepad, because the logs are hard to read.

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/09/14
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Broni,

    Here are the MBR and Malwarebytes logs; the GMER program just stopped executing after a while, not sure why.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4614

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    9/14/2010 5:20:45 PM
    mbam-log-2010-09-14 (17-20-45).txt

    Scan type: Quick scan
    Objects scanned: 131173
    Time elapsed: 3 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 122):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB7F79000 ACPI.sys
    0xB85AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xB7F68000 pci.sys
    0xB80A8000 isapnp.sys
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xB80B8000 MountMgr.sys
    0xB7F49000 ftdisk.sys
    0xB8330000 PartMgr.sys
    0xB80C8000 VolSnap.sys
    0xB7F31000 atapi.sys
    0xB80D8000 disk.sys
    0xB80E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xB7F11000 fltmgr.sys
    0xB7EFF000 sr.sys
    0xB7EB0000 SYMEFA.SYS
    0xB7E99000 KSecDD.sys
    0xB7E0C000 Ntfs.sys
    0xB7DDF000 NDIS.sys
    0xB7DC5000 Mup.sys
    0xB82D8000 \SystemRoot\System32\DRIVERS\processr.sys
    0xB373C000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
    0xB3728000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xB3708000 \SystemRoot\System32\DRIVERS\Rtenicxp.sys
    0xB82E8000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xB82F8000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xB8308000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xB36E5000 \SystemRoot\System32\DRIVERS\ks.sys
    0xB8400000 \SystemRoot\System32\DRIVERS\usbohci.sys
    0xB36C1000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xB8408000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xB369C000 \SystemRoot\System32\DRIVERS\HDAudBus.sys
    0xB8318000 \SystemRoot\System32\DRIVERS\serial.sys
    0xB8598000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xB8128000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xB8410000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xB8418000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xB3583000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xB85F2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB8420000 \SystemRoot\System32\Drivers\Modem.SYS
    0xB85A4000 \SystemRoot\System32\DRIVERS\wmiacpi.sys
    0xB8714000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xB8138000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xB3DA1000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB356C000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xB8148000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xB8158000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xB8428000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB355B000 \SystemRoot\System32\DRIVERS\psched.sys
    0xB8168000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xB8430000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xB8438000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB8440000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xB8178000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xB8448000 \SystemRoot\system32\DRIVERS\SymIM.sys
    0xB85F4000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB34D5000 \SystemRoot\System32\DRIVERS\update.sys
    0xB3D8D000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xB8188000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xB8198000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB0DD3000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB0DAF000 \SystemRoot\system32\drivers\portcls.sys
    0xB81E8000 \SystemRoot\system32\drivers\drmk.sys
    0xB8608000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB87D0000 \SystemRoot\System32\Drivers\Null.SYS
    0xB860A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB8470000 \SystemRoot\System32\drivers\vga.sys
    0xB860C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB860E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB8478000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8480000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8590000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB0D54000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB0CFB000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xB0C9F000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMTDI.SYS
    0xB0C79000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xB0C54000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xB8218000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xB8488000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMNDIS.SYS
    0xB0C3F000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMFW.SYS
    0xB8490000 \SystemRoot\System32\Drivers\N360\0308000.029\SYMIDS.SYS
    0xB0BEA000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100910.001\IDSxpx86.sys
    0xB0BC2000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xB0BA0000 \SystemRoot\System32\drivers\afd.sys
    0xB8268000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xB8278000 \SystemRoot\system32\drivers\N360\0308000.029\SRTSPX.SYS
    0xB0B7F000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xB8498000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB0B54000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB0AE4000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB8288000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB0A86000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xB0A69000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xB09EE000 \SystemRoot\System32\Drivers\N360\0308000.029\ccHPx86.sys
    0xB09AC000 \SystemRoot\System32\Drivers\N360\0308000.029\BHDrvx86.sys
    0xB82A8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB096C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xB8616000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB0DA3000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB8368000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB8717000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB05C0000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xB036F000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB061C000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAFDA2000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xB8662000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xAFCFB000 \SystemRoot\System32\DRIVERS\srv.sys
    0xAF6A2000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAF5FF000 \SystemRoot\System32\Drivers\N360\0308000.029\SRTSP.SYS
    0xAF48B000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100913.048\NAVEX15.SYS
    0xAF3D7000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100913.048\NAVENG.SYS
    0xB83C0000 \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    0xAF133000 \??\C:\DOCUME~1\Patrick\LOCALS~1\Temp\awadikod.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 41):
    0 System Idle Process
    4 System
    848 C:\WINDOWS\system32\smss.exe
    956 csrss.exe
    980 C:\WINDOWS\system32\winlogon.exe
    1024 C:\WINDOWS\system32\services.exe
    1060 C:\WINDOWS\system32\lsass.exe
    1216 C:\WINDOWS\system32\svchost.exe
    1284 svchost.exe
    1408 C:\WINDOWS\system32\svchost.exe
    1528 svchost.exe
    1656 svchost.exe
    1836 C:\WINDOWS\system32\spoolsv.exe
    208 C:\WINDOWS\explorer.exe
    336 C:\WINDOWS\system32\rundll32.exe
    344 C:\WINDOWS\RTHDCPL.EXE
    360 C:\Program Files\FaxTalk Communicator\FTCtrl32.EXE
    372 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    400 C:\Program Files\FaxTalk Communicator\fapiexe.exe
    412 C:\Program Files\Real\RealPlayer\realplay.exe
    572 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    688 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    752 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    1184 C:\Program Files\Java\jre1.5.0_17\bin\jusched.exe
    544 C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
    1388 C:\WINDOWS\system32\ctfmon.exe
    284 svchost.exe
    1568 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    640 C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    808 C:\WINDOWS\system32\nvsvc32.exe
    1592 C:\WINDOWS\system32\HPZipm12.exe
    2124 C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    2244 C:\WINDOWS\system32\svchost.exe
    2272 wdfmgr.exe
    3932 C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    4020 wmiprvse.exe
    424 alg.exe
    1176 C:\WINDOWS\system32\wscntfy.exe
    132 C:\Program Files\Java\jre1.5.0_17\bin\jucheck.exe
    3184 C:\Program Files\Norton 360\Engine\3.8.0.41\CLTLMH.EXE
    884 C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200AAKS-00M9A0, Rev: 05.01D05

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  7. 2010/09/14
    broni Moderator Malware Analyst

    So far, all good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!
     
  8. 2010/09/15
    BillB Well-Known Member Thread Starter

    Here's the combofix log;

    ComboFix 10-09-14.04 - Patrick 09/15/2010 9:05.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1303 [GMT -4:00]
    Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\AV7

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
    .

    2010-08-27 00:45 . 2010-08-27 00:45 -------- d-----w- c:\documents and settings\Patrick\Local Settings\Application Data\Snapfish

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-13 19:07 . 2009-10-28 01:29 -------- d-----w- c:\documents and settings\Patrick\Application Data\MSN6
    2010-09-13 18:09 . 2010-03-31 19:24 117760 ----a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-09-12 21:18 . 2010-03-31 19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-08 18:56 . 2009-08-30 23:29 60920 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-30 12:31 . 2002-08-29 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:15 . 2002-08-29 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:15 . 2009-08-30 23:26 78336 ------w- c:\windows\system32\ieencode.dll
    2010-06-24 12:15 . 2002-08-29 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-06-23 13:44 . 2002-08-29 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2002-08-29 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2002-08-29 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\System32\NvCpl.dll" [2008-05-16 13529088]
    "nwiz "= "nwiz.exe" [2008-05-16 1630208]
    "NvMediaCenter "= "c:\windows\System32\NvMcTray.dll" [2008-05-16 86016]
    "RTHDCPL "= "RTHDCPL.EXE" [2009-03-27 17567744]
    "CallControl 4.7 "= "c:\program files\FAXTALK COMMUNICATOR\FTCtrl32.exe" [2007-06-26 180224]
    "NeroFilterCheck "= "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
    "AOLDialer "= "c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
    "RealTray "= "c:\program files\Real\RealPlayer\RealPlay.exe" [2009-09-10 26112]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-09-10 98304]
    "AOL Spyware Protection "= "c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
    "Pure Networks Port Magic "= "c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
    "ddoctorv2 "= "c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD "= "c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
    "IndexSearch "= "c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
    "PPort11reminder "= "c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "BrMfcWnd "= "c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-01-19 1150976]
    "ControlCenter3 "= "c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.5.0_17\bin\jusched.exe" [2008-11-10 75264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2009-9-10 156784]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Register.lnk - c:\program files\AzureBay\AzureBay Screen Saver\Register.exe [2006-8-10 323584]
    Wallpaper Changer.lnk - c:\program files\AzureBay\AzureBay Screen Saver\WPChanger.exe [2007-3-8 57344]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @= "FSFilter Activity Monitor "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe "=
    "c:\\Program Files\\America Online 9.0\\waol.exe "=

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [1/27/2010 11:25 PM 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [1/27/2010 11:25 PM 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [1/27/2010 11:25 PM 482432]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100910.001\IDSXpx86.sys [9/14/2010 12:51 PM 331640]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [1/27/2010 11:25 PM 117640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/12/2010 2:39 AM 102448]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/30/2009 6:52 PM 1684736]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/norton/products/toolbar/popup.jsp?pvid=n360v3_ss
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-15 09:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath "= "\ "c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \ "N360\" /m \ "c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1 "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
    "DisplayName "= "??\08\17?\11\09 "
    "DeviceDesc "= "??\08\17?\11\09 "
    "ProviderName "= "???\11?\17?\11?? "
    "MFG "= "??????? "
    "ReinstallString "= ".10.1000.8 "
    "DeviceInstanceIds "=multi: "d:\\chipset\\amd\\xp\\sbdrv\\smbus\\smbusati.inf\00 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(976)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2880)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-09-15 09:09:03
    ComboFix-quarantined-files.txt 2010-09-15 13:09

    Pre-Run: 308,573,888,512 bytes free
    Post-Run: 308,616,445,952 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 3646FB7046B4811758EC4C03BC44024A
     
  9. 2010/09/15
    broni Moderator Malware Analyst

    Looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. 2010/09/16
    BillB Well-Known Member Thread Starter

    Here are the new logs;

    OTL logfile created on: 9/16/2010 9:55:13 AM - Run 1
    OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Patrick\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 298.08 Gb Total Space | 287.44 Gb Free Space | 96.43% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: N-F17JR8N32TRA0
    Current User Name: Patrick
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/09/16 09:52:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Desktop\OTL.exe
    PRC - [2009/09/10 19:37:10 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
    PRC - [2009/08/22 04:14:09 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    PRC - [2009/01/19 09:37:10 | 001,150,976 | R--- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    PRC - [2008/11/26 11:25:36 | 000,221,184 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
    PRC - [2008/11/10 03:47:30 | 000,251,392 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_17\bin\jucheck.exe
    PRC - [2008/11/10 03:47:30 | 000,075,264 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0_17\bin\jusched.exe
    PRC - [2008/10/24 12:44:34 | 000,872,448 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
    PRC - [2008/07/10 00:07:00 | 000,029,984 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    PRC - [2008/04/24 14:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    PRC - [2008/04/24 14:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/06/26 12:02:12 | 000,180,224 | ---- | M] (Thought Communications, Inc.) -- C:\Program Files\FaxTalk Communicator\FTCtrl32.EXE
    PRC - [2007/06/25 23:13:56 | 000,025,088 | R--- | M] (Thought Communications, Inc.) -- C:\Program Files\FaxTalk Communicator\fapiexe.exe
    PRC - [2007/03/08 16:36:28 | 000,057,344 | ---- | M] (AzureBay) -- C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
    PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
    PRC - [2004/10/18 16:42:18 | 000,079,448 | ---- | M] () -- C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe
    PRC - [2004/05/07 16:53:52 | 000,156,784 | -H-- | M] (America Online, Inc.) -- C:\Program Files\America Online 9.0\aoltray.exe
    PRC - [2004/04/07 12:07:34 | 000,496,752 | ---- | M] (America Online, Inc) -- C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    PRC - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/16 09:52:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Desktop\OTL.exe
    MOD - [2009/08/22 04:14:06 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll
    MOD - [2008/04/13 20:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
    MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
    MOD - [2007/04/19 15:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2009/08/22 04:14:09 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
    SRV - [2008/04/24 14:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
    SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
    SRV - [2004/06/29 08:29:30 | 000,184,373 | ---- | M] () [Auto | Stopped] -- C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe -- (AOLService)
    SRV - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Patrick\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/07/13 04:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100914.052\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/07/13 04:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100914.052\NAVENG.SYS -- (NAVENG)
    DRV - [2010/05/28 15:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100910.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2010/05/26 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/05/26 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2010/02/17 10:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2010/02/17 10:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/02/17 10:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2009/10/08 20:08:14 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2009/09/10 19:37:12 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2009/08/22 04:14:09 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
    DRV - [2009/08/22 04:14:09 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
    DRV - [2009/08/22 04:14:09 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
    DRV - [2009/08/22 04:14:09 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2009/08/22 04:14:09 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
    DRV - [2009/08/22 04:14:09 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
    DRV - [2009/08/22 04:14:09 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
    DRV - [2009/08/22 04:14:09 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
    DRV - [2009/08/22 04:14:09 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
    DRV - [2009/08/22 04:13:59 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
    DRV - [2009/08/22 04:13:59 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
    DRV - [2009/03/30 05:13:30 | 005,063,168 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2009/03/27 02:33:42 | 000,130,816 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2009/01/23 14:59:06 | 000,052,224 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)
    DRV - [2008/08/05 08:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2008/05/16 14:31:00 | 006,557,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2006/09/03 10:53:54 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)
    DRV - [2006/01/25 04:24:30 | 001,149,888 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2006/01/04 03:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
    DRV - [2005/01/07 17:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
    DRV - [2004/10/15 13:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
    DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/14 03:18:26 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2002/08/29 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_17\bin\ssv.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
    O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [AOL Spyware Protection] C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe ()
    O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (America Online, Inc)
    O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
    O4 - HKLM..\Run: [CallControl 4.7] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe (Thought Communications, Inc.)
    O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
    O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
    O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)
    O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)
    O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
    O4 - HKLM..\Run: [Pure Networks Port Magic] C:\Program Files\Pure Networks\Port Magic\PortAOL.exe (Pure Networks, Inc.)
    O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_17\bin\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe (AzureBay)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wallpaper Changer.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe (AzureBay)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_17\bin\NPJPI150_17.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (IE Toolbar)
    O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
    O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
    O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www5.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
    O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
    O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/08/30 18:08:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902053519425536)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/16 09:52:37 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Desktop\OTL.exe
    [2010/09/16 09:51:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2010/09/15 09:05:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/09/15 09:04:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/15 09:04:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/15 09:04:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/15 09:04:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/15 09:04:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/09/15 09:04:41 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/14 16:04:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
    [2010/08/26 20:45:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Patrick\Local Settings\Application Data\Snapfish
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 90 Days ==========

    [2010/09/16 09:53:21 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/09/16 09:53:21 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/09/16 09:53:21 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/09/16 09:52:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Desktop\OTL.exe
    [2010/09/16 09:49:07 | 005,760,054 | ---- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\sswpprep.bmp
    [2010/09/16 09:49:07 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\AzureBay.bmp
    [2010/09/16 09:49:07 | 000,092,406 | ---- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\cal.bmp
    [2010/09/16 09:49:07 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\ScreenSaver.ini
    [2010/09/16 09:49:04 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2010/09/16 09:49:03 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/16 09:49:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/16 09:49:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/15 09:21:13 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Patrick\NTUSER.DAT
    [2010/09/15 09:21:13 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Patrick\ntuser.ini
    [2010/09/15 09:21:06 | 004,313,314 | -H-- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\IconCache.db
    [2010/09/15 09:08:08 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/15 09:05:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/09/15 08:27:01 | 003,845,170 | R--- | M] () -- C:\Documents and Settings\Patrick\Desktop\ComboFix.exe
    [2010/09/14 16:06:17 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\ssprep.bmp
    [2010/09/14 12:43:50 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe
    [2010/09/14 12:43:40 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Patrick\Desktop\fo67osws.exe
    [2010/09/13 16:03:35 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Patrick\Desktop\dds.scr
    [2010/09/13 15:14:02 | 000,000,729 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/09/12 11:32:36 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\Malwarebytes.doc
    [2010/09/12 11:31:59 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Patrick\Desktop\Microsoft Word.lnk
    [2010/08/28 17:35:31 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\August 28.docpersonal day.doc
    [2010/08/20 19:18:05 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\AUGUST 2010.doc Merchandiser.doc
    [2010/08/13 03:21:03 | 000,233,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/13 03:04:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/08/08 20:53:57 | 000,128,000 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\My Rental QuoteTruck Rental Home.doc
    [2010/08/08 14:56:52 | 000,060,920 | ---- | M] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/07/28 08:42:45 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\Atkinson,Patrick RESUME'1.doc
    [2010/07/24 20:05:05 | 000,226,728 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
    [2010/06/27 18:20:33 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\atkinsonpatrick54.doc
    [2010/06/27 18:02:25 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Patrick\My Documents\Atkinson,Patrick RESUME'.doc
    [2010/06/27 12:32:42 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wallpaper Changer.lnk
    [2010/06/27 12:32:42 | 000,000,894 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register.lnk
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/09/15 09:05:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/09/15 09:05:22 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/09/15 09:04:52 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/15 09:04:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/15 09:04:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/15 09:04:52 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/15 09:04:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/15 08:26:47 | 003,845,170 | R--- | C] () -- C:\Documents and Settings\Patrick\Desktop\ComboFix.exe
    [2010/09/14 12:43:50 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe
    [2010/09/14 12:43:38 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Patrick\Desktop\fo67osws.exe
    [2010/09/13 16:03:34 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Patrick\Desktop\dds.scr
    [2010/09/12 11:32:36 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\Malwarebytes.doc
    [2010/08/28 17:35:30 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\August 28.docpersonal day.doc
    [2010/08/20 19:16:24 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\AUGUST 2010.doc Merchandiser.doc
    [2010/08/08 20:53:56 | 000,128,000 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\My Rental QuoteTruck Rental Home.doc
    [2010/06/27 18:20:33 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\atkinsonpatrick54.doc
    [2010/06/27 18:02:47 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\Atkinson,Patrick RESUME'1.doc
    [2010/06/27 18:01:06 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Patrick\My Documents\Atkinson,Patrick RESUME'.doc
    [2009/12/13 12:51:36 | 005,760,054 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\sswpprep.bmp
    [2009/12/13 12:51:36 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\AzureBay.bmp
    [2009/12/13 12:51:36 | 000,092,406 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\cal.bmp
    [2009/12/13 12:51:12 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\ssprep.bmp
    [2009/12/13 12:50:52 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\AzureBay.ini
    [2009/12/13 12:49:53 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\ScreenSaver.ini
    [2009/11/26 17:18:13 | 000,000,242 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
    [2009/11/26 17:18:13 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
    [2009/11/26 17:17:57 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
    [2009/11/26 17:16:57 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
    [2009/11/26 17:16:56 | 000,000,086 | ---- | C] () -- C:\WINDOWS\Brfaxrx.ini
    [2009/11/26 17:14:54 | 000,031,767 | ---- | C] () -- C:\WINDOWS\maxlink.ini
    [2009/09/10 20:09:09 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
    [2009/09/10 20:05:49 | 000,004,809 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2009/08/31 13:01:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/08/30 18:58:35 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
    [2009/08/30 18:46:44 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2009/08/30 18:46:44 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2009/08/30 18:46:44 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2009/08/30 18:46:44 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2009/08/30 18:46:44 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
    [2004/05/27 18:22:46 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\3dlWinMn.dll
    [2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
    [1999/01/22 21:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
    [1998/01/12 11:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

    ========== LOP Check ==========

    [2009/08/31 13:04:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
    [2009/11/26 17:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
    [2009/11/18 11:01:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
    [2010/03/31 15:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/08/31 12:43:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thought Communications
    [2009/09/10 19:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/10/08 20:08:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/08/30 18:08:52 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/08/30 19:26:29 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/09/15 09:05:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/09/15 09:09:04 | 000,009,101 | ---- | M] () -- C:\ComboFix.txt
    [2009/08/30 18:08:52 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2009/08/30 18:08:52 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/09/12 17:18:44 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2009/08/30 18:08:52 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2009/08/30 19:25:33 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2009/09/08 16:13:56 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/16 09:49:00 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/08/30 18:08:43 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2006/04/10 14:02:32 | 000,074,240 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp054.dll
    [2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2007/03/08 19:12:30 | 000,782,412 | ---- | M] (AzureBay) -- C:\WINDOWS\AzureBay.scr
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009/08/30 12:55:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2009/08/30 12:55:18 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2009/08/30 12:55:18 | 000,409,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/09/08 16:17:27 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/09/08 16:22:26 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Patrick\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2009/08/30 18:11:02 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Patrick\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/15 08:27:01 | 003,845,170 | R--- | M] () -- C:\Documents and Settings\Patrick\Desktop\ComboFix.exe
    [2010/09/14 12:43:40 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Patrick\Desktop\fo67osws.exe
    [2010/09/14 12:43:50 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe
    [2010/09/16 09:52:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2010/02/14 14:40:20 | 001,068,544 | ---- | M] (Coupons.com Incorporated) -- C:\Documents and Settings\Patrick\My Documents\CouponPrinter.exe
    [2009/04/07 21:09:10 | 074,949,944 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Patrick\My Documents\N360S300EN.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/09/08 16:22:26 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Patrick\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/09/16 09:54:07 | 000,425,984 | ---- | M] () -- C:\Documents and Settings\Patrick\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008/04/13 20:12:38 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2002/08/29 08:00:00 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2002/08/20 12:32:18 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2002/08/20 12:32:22 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
    [2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2002/08/20 15:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe
    [2002/08/29 08:00:00 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2002/08/29 08:00:00 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2002/08/29 08:00:00 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2002/08/20 12:32:20 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/07/17 11:41:06 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    < End of report >
     
  11. 2010/09/16
    BillB Well-Known Member Thread Starter
    OTL Extras logfile created on: 9/16/2010 9:55:13 AM - Run 1
    OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Patrick\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 298.08 Gb Total Space | 287.44 Gb Free Space | 96.43% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: N-F17JR8N32TRA0
    Current User Name: Patrick
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = aolfile_HTM] -- C:\Program Files\America Online 9.0\aol.exe (America Online, Inc.)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
    https [open] -- C:\PROGRA~1\AMERIC~1.0\aol.exe -u "%1" (America Online, Inc.)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
    "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
    "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
    "{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
    "{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}" = ScanSoft PaperPort 11
    "{0A02D347-5E53-48A5-BC49-1469393103FA}" = Brother MFL-Pro Suite MFC-495CW
    "{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
    "{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4477B161-C8F1-42D3-85B0-2037760CA86C}" = FaxTalk Communicator SE 4.7
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
    "{66B6D13A-9CC1-417D-B6F2-58AA539D1033}" = Nero 7 Essentials
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
    "{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
    "{958A793F-F1D2-4A90-B6A5-C52E2D74E8FE}" = AzureBay Screen Saver 3.5
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
    "{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
    "All ATI Software" = ATI - Software Uninstall Utility
    "America Online us" = America Online (Choose which version to remove)
    "AOL Connectivity Services" = AOL Connectivity Services
    "AOL Spyware Protection" = AOL Spyware Protection
    "AOL Toolbar" = AOL Toolbar
    "AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
    "AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
    "AzureBay" = AzureBay Screen Saver
    "BRPSS_Setup.SCR" = BRPSS_Setup.SCR
    "Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
    "HPOCR" = OCR Software by I.R.I.S 7.0
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "N360" = Norton 360
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "NVIDIA Drivers" = NVIDIA Drivers
    "Port Magic" = Pure Networks Port Magic
    "QuickTime" = QuickTime
    "RealPlayer 6.0" = RealPlayer Basic
    "SpywareBlaster_is1" = SpywareBlaster 4.2
    "StreetPlugin" = Learn2 Player (Uninstall Only)
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinZip" = WinZip

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 9/12/2010 5:54:24 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:24.390]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:25 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:25.890]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:27 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:27.390]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:28 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:28.890]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:30 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:30.390]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:31 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:31.890]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:33 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:33.390]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:34 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:34.890]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:36 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:36.390]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    Error - 9/12/2010 5:54:37 PM | Computer Name = N-F17JR8N32TRA0 | Source = Brother BrLog | ID = 1001
    Description = WDLMW BrtWDLMW: [2010/09/12 17:54:37.890]: [00001256]: lperrcode->api
    = 1 , lperrcode->code = 2

    [ System Events ]
    Error - 8/15/2010 5:26:46 PM | Computer Name = N-F17JR8N32TRA0 | Source = Dhcp | ID = 1000
    Description = Your computer has lost the lease to its IP address 192.168.100.20
    on the Network Card with network address 002421A5186B.

    Error - 9/2/2010 4:24:39 PM | Computer Name = N-F17JR8N32TRA0 | Source = Dhcp | ID = 1002
    Description = The IP address lease 71.63.56.78 for the Network Card with network
    address 002421A5186B has been denied by the DHCP server 192.168.100.1 (The DHCP
    Server sent a DHCPNACK message).

    Error - 9/2/2010 4:24:45 PM | Computer Name = N-F17JR8N32TRA0 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 9/2/2010 4:24:45 PM | Computer Name = N-F17JR8N32TRA0 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 14 minutes. NtpClient has no source of accurate
    time.

    Error - 9/2/2010 4:25:59 PM | Computer Name = N-F17JR8N32TRA0 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 9/2/2010 4:25:59 PM | Computer Name = N-F17JR8N32TRA0 | Source = W32Time | ID = 39452701
    Description = The time provider NtpClient is configured to acquire time from one
    or more time sources, however none of the sources are currently accessible. No attempt
    to contact a source will be made for 15 minutes. NtpClient has no source of accurate
    time.

    Error - 9/2/2010 4:26:46 PM | Computer Name = N-F17JR8N32TRA0 | Source = Dhcp | ID = 1000
    Description = Your computer has lost the lease to its IP address 192.168.100.20
    on the Network Card with network address 002421A5186B.

    Error - 9/13/2010 1:34:10 PM | Computer Name = N-F17JR8N32TRA0 | Source = Dhcp | ID = 1002
    Description = The IP address lease 98.249.1.48 for the Network Card with network
    address 002421A5186B has been denied by the DHCP server 0.0.0.0 (The DHCP Server
    sent a DHCPNACK message).

    Error - 9/14/2010 4:04:26 PM | Computer Name = N-F17JR8N32TRA0 | Source = Service Control Manager | ID = 7017
    Description = Detected circular dependencies demand starting Remote Access Connection
    Manager.

    Error - 9/14/2010 5:06:15 PM | Computer Name = N-F17JR8N32TRA0 | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the N360 service.


    < End of report >
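The Extras log above is what a malware analyst reads first: the "Shell Spawning" handlers for executable file types, the Security Center flags, and the Windows Firewall StandardProfile values. A handler that puts another binary in front of "%1", or a DisableNotify flag set to 1, is a common trace of an infection that a manual read-through can miss. As an added example (not part of this thread and not OTL's own code), the following Python script parses those three sections of an OTL Extras log, compares the executable-type handlers against the stock Windows XP values shown in this clean log, and reports every deviation. The clean sample is excerpted from the log above; the second sample, with its C:\PLACEHOLDER\unknown.exe path, is constructed to show what a finding looks like.

```python
import re

# Stock Windows XP "open" commands for executable file types, as listed in the
# clean log. A hijack puts another binary in front of "%1" so that it runs
# every time an executable of that type is launched.
EXPECTED_SHELL = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}
# Security Center values that are 0 on a healthy system; 1 suppresses the warning.
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                         "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride")
STANDARD_PROFILE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                    r"\Parameters\FirewallPolicy\StandardProfile")

SECTION_RE = re.compile(r"^========== (.+?) ==========$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (\d+)$')
SHELL_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")


def parse_extras(text):
    """Return (values, raw): values[section][reg_key][name] -> int, raw[section] -> lines."""
    values, raw = {}, {}
    section = key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            values[section], raw[section] = {}, []
            continue
        if section is None:
            continue
        raw[section].append(line)
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            values[section].setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[section][key][m.group(1)] = int(m.group(2))
    return values, raw


def check_shell_spawning(raw_lines):
    """Flag executable-type handlers that differ from the stock command."""
    findings = []
    for line in raw_lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        ftype, verb, cmd = m.groups()
        expected = EXPECTED_SHELL.get((ftype, verb))
        if expected is None:
            continue
        # OTL appends "(Company Name)" when it can identify the binary; drop it.
        cmd = re.sub(r" \([^()]*\)$", "", cmd)
        if cmd != expected:
            findings.append(f"{ftype} [{verb}] handler changed: {cmd}")
    return findings


def check_security_settings(values):
    """Flag suppressed Security Center warnings and a disabled firewall profile."""
    findings = []
    for reg_key, names in values.get("Security Center Settings", {}).items():
        for name in SECURITY_CENTER_FLAGS:
            if names.get(name) == 1:
                findings.append(f"{name} = 1 under {reg_key}")
    profile = values.get("Firewall Settings", {}).get(STANDARD_PROFILE, {})
    if profile.get("EnableFirewall") != 1:
        findings.append("Windows Firewall disabled or not reported (StandardProfile)")
    if profile.get("DisableNotifications") == 1:
        findings.append("Firewall notifications disabled (StandardProfile)")
    return findings


def triage(text):
    values, raw = parse_extras(text)
    return check_shell_spawning(raw.get("Shell Spawning", [])) + check_security_settings(values)


# Constructed sample: excerpts of the clean log posted above.
CLEAN_LOG = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "%1" %*
scrfile [open] -- "%1" /S
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"""
# Constructed sample of a tampered log (placeholder path, not from the thread).
SUSPECT_LOG = r"""
========== Shell Spawning ==========
exefile [open] -- "C:\PLACEHOLDER\unknown.exe" "%1" %*
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("suspect", SUSPECT_LOG)):
        print(name, triage(log) or "no findings")
```

The script reads only the text of the log, so it can be run over a pasted Extras log without touching the machine; the Security Center "Monitoring" subkeys listed above carry no values and are ignored.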
     
  12. 2010/09/16
    broni

    broni Moderator Malware Analyst

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
      O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2009/09/10 19:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to the Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  13. 2010/09/16
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Updated Java and removed the old version. Here are the logs you requested:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ deleted successfully.
    File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
    Starting removal of ActiveX control DirectAnimation Java Classes
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
    File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    C:\WINDOWS\002058_.tmp deleted successfully.
    C:\WINDOWS\005139_.tmp deleted successfully.
    C:\WINDOWS\SET3.tmp deleted successfully.
    C:\WINDOWS\SETA.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome\BH00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Patrick
    ->Temp folder emptied: 10242259 bytes
    ->Temporary Internet Files folder emptied: 13872744 bytes
    ->Java cache emptied: 6532011 bytes
    ->Flash cache emptied: 20530 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 29.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Patrick
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.12.1 log created on 09162010_204709

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\JET82EB.tmp not found!
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat not found!

    Registry entries deleted on Reboot...


    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Norton 360
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player
    Adobe Reader 8.1.3
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    America Online 9.0 aoltray.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, September 16, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, September 16, 2010 22:28:32
    Records in database: 4216728
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Objects scanned: 44901
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 00:34:55

    No threats found. Scanned area is clean.

    Selected area has been scanned.
     
  14. 2010/09/16
    broni

    broni Moderator Malware Analyst

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note: If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), and download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On this page:

    [screenshot of the Foxit Reader download page omitted]

    make sure you have both boxes UN-checked AND (important!) click on the Decline button

    ===============================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  15. 2010/09/16
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Here's the latest OTL log. The machine is doing a lot better. I've opened his email client and received and sent email and it seems to be working fine. His biggest complaint seemed to be problems with email. I'm going to run the defrag and install WOT as well. It is much improved over when I first booted it up. Appreciate the help.

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Patrick
    ->Temp folder emptied: 108971129 bytes
    ->Temporary Internet Files folder emptied: 3033803 bytes
    ->Java cache emptied: 128101 bytes
    ->Flash cache emptied: 405 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 32768 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 107.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Patrick
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.12.1 log created on 09162010_224236

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\JET85BA.tmp not found!
    C:\WINDOWS\temp\Perflib_Perfdata_2d8.dat moved successfully.

    Registry entries deleted on Reboot...
     
  16. 2010/09/16
    broni

    broni Moderator Malware Analyst

    You're very welcome :)

    Good luck to your friend with the better working computer :)
     
