Redirector and mail gremlin in residence

Been a LONG time since anything significant got past our defenses but something has. For about a week or so the wife has complained about Google searches being redirected to Asklots and other sites I'm sure are affiliated it. It seemed annoying at most until the other day when something mailed out adspam using our Hotmail contact list. It happened again last night. I have emptied the contacts list to prevent any further outbound mail. Haven't found anything using HJT but I hear it's less effective than it used to be. Here's a ComboFix log for starters, would appreciate an objective look:

ComboFix 10-07-21.04 - Frank 07/22/2010 12:17:10.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1460 [GMT -4:00]
Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Frank\LinksysFW_WRT54GSv7_7.50.7.013_EN_20090727.bin
c:\documents and settings\Micah\Local Settings\Application Data\{DFF6824F-F9F1-4E7F-9B58-F4B603124FF3}
c:\documents and settings\Micah\Local Settings\Application Data\{DFF6824F-F9F1-4E7F-9B58-F4B603124FF3}\chrome.manifest
c:\documents and settings\Micah\Local Settings\Application Data\{DFF6824F-F9F1-4E7F-9B58-F4B603124FF3}\chrome\content\_cfg.js
c:\documents and settings\Micah\Local Settings\Application Data\{DFF6824F-F9F1-4E7F-9B58-F4B603124FF3}\chrome\content\overlay.xul
c:\documents and settings\Micah\Local Settings\Application Data\{DFF6824F-F9F1-4E7F-9B58-F4B603124FF3}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-17 21:40 . 2010-07-17 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-16 14:44 . 2010-07-16 14:44 -------- d-----w- c:\documents and settings\Frank\Application Data\Malwarebytes
2010-07-16 14:44 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-16 14:44 . 2010-07-18 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 14:44 . 2010-07-16 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-16 14:44 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 20:08 . 2010-07-12 20:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-11 16:48 . 2010-07-11 16:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-11 16:45 . 2010-07-11 16:48 -------- d-----w- c:\windows\ShellNew
2010-07-11 15:48 . 2010-07-11 15:48 -------- d-----w- c:\program files\Common Files\Java
2010-07-11 15:48 . 2010-07-11 15:48 503808 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53db4305-n\msvcp71.dll
2010-07-11 15:48 . 2010-07-11 15:48 499712 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53db4305-n\jmc.dll
2010-07-11 15:48 . 2010-07-11 15:48 348160 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53db4305-n\msvcr71.dll
2010-07-11 15:48 . 2010-07-11 15:48 61440 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5484e00e-n\decora-sse.dll
2010-07-11 15:48 . 2010-07-11 15:48 12800 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5484e00e-n\decora-d3d.dll
2010-07-11 15:48 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 15:45 . 2010-07-11 15:45 503808 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7220ae4a-n\msvcp71.dll
2010-07-11 15:45 . 2010-07-11 15:45 499712 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7220ae4a-n\jmc.dll
2010-07-11 15:45 . 2010-07-11 15:45 348160 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7220ae4a-n\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 16:27 . 2009-05-31 15:44 -------- d-----w- c:\documents and settings\Frank\Application Data\Skype
2010-07-22 12:07 . 2009-05-31 15:46 -------- d-----w- c:\documents and settings\Frank\Application Data\skypePM
2010-07-21 18:32 . 2007-04-01 15:45 -------- d-----w- c:\program files\Lx_cats
2010-07-21 12:26 . 2008-05-26 13:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 22:30 . 2007-04-01 16:32 -------- d-----w- c:\program files\Opera
2010-07-18 20:11 . 2007-04-01 14:01 -------- d-----w- c:\program files\Troubleshooting
2010-07-18 20:10 . 2003-03-31 12:00 24064 ----a-w- c:\windows\system32\ctfmon.exe
2010-07-17 15:29 . 2009-02-21 11:48 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-11 15:53 . 2010-07-17 15:29 142716 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 15:47 . 2007-04-07 18:27 -------- d-----w- c:\program files\Java
2010-07-11 15:35 . 2009-10-30 01:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-11 15:35 . 2009-05-31 15:44 -------- d-----r- c:\program files\Skype
2010-07-11 15:35 . 2008-06-30 16:07 -------- d-----w- c:\program files\RivaTuner v2.09
2010-07-11 15:30 . 2007-09-01 17:53 -------- d-----w- c:\program files\Coupons
2010-07-07 18:46 . 2008-01-28 13:48 -------- d-----w- c:\program files\Microsoft Home Publishing 2000
2010-06-20 01:42 . 2010-06-20 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-04 17:20 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2007-04-01 13:16 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-11-21 20:07 . 2007-11-21 20:07 2945816 ----a-w- c:\program files\dotnetfx3setup.exe
2007-04-10 18:05 . 2007-04-10 18:05 1037312 ----a-w- c:\program files\iview399.exe
.

Code:

---

<pre>
c:\program files\Free PDF to Word Doc Converter\pdfinfo .exe
</pre>

---

------- Sigcheck -------

[-] 2010-07-18 20:10 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
[-] 2010-07-18 20:10 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2010-07-18 20:10 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- d:\adobe\AcrobatReader 8.1\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2010-07-18 20:10 24064 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
2001-12-20 13:42 35328 ----a-w- c:\progra~1\Logitech\MOUSEW~1\system\EM_EXEC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KMCONFIG]
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2004-02-02 18:58 139264 ----a-w- c:\program files\Lexmark\Lexmark Precision Photo\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
c:\program files\RivaTuner v2.09\RivaTuner.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-01 10:23 67584 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\jre6\bin\jusched.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Troubleshooting\\SpywareBlaster\\spywareblaster.exe"=
"c:\documents and settings\Frank\Application Data\Facebook\facebook.exe"= c:\documents and settings\Frank\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\Lexmark\\MarkVision Professional\\jre\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/11/2004 12:22 PM 77312]
R1 Ndisprot;RawPacket NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [10/24/2003 6:05 PM 22016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/29/2009 7:31 AM 108289]
R3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [4/1/2007 9:32 AM 46080]
R3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 3:55 PM 46536]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\Drivers\ulink.sys --> c:\windows\system32\Drivers\ulink.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\Shutdown.job
- c:\windows\system32\shutdown.exe [2003-03-31 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
AddRemove-SpywareBlaster_is1 - c:\program files\SpywareBlaster\unins000.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
AddRemove-Image Web Server IE Plugin - c:\docume~1\Frank\LOCALS~1\APPLIC~1\EARTHR~1\IMAGEW~1\Client\CABInst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 12:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-22 12:29:54
ComboFix-quarantined-files.txt 2010-07-22 16:29

Pre-Run: 17,558,392,832 bytes free
Post-Run: 21,905,051,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 1428051B98C35D7227C8B86A43D5651E

Hey pop. Off to work now, but do the following and I'll look in when I can.

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

---

KillAll::

RENV::
c:\program files\Free PDF to Word Doc Converter\pdfinfo .exe

---

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

https://discussions.virtualdr.com/im.../2010/07/1.gif


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

• Combofix.txt .

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

===========

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Here's the Combofix.txt; I'll post the two OTL files in a bit.
**********************************************

ComboFix 10-07-21.04 - Frank 07/22/2010 20:24:28.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -4:00]
Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Frank\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.

2010-07-17 21:40 . 2010-07-17 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-16 14:44 . 2010-07-16 14:44 -------- d-----w- c:\documents and settings\Frank\Application Data\Malwarebytes
2010-07-16 14:44 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-16 14:44 . 2010-07-18 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-16 14:44 . 2010-07-16 14:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-16 14:44 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 20:08 . 2010-07-12 20:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-11 16:48 . 2010-07-11 16:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-11 16:45 . 2010-07-11 16:48 -------- d-----w- c:\windows\ShellNew
2010-07-11 15:48 . 2010-07-11 15:48 -------- d-----w- c:\program files\Common Files\Java
2010-07-11 15:48 . 2010-07-11 15:48 503808 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53db4305-n\msvcp71.dll
2010-07-11 15:48 . 2010-07-11 15:48 499712 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53db4305-n\jmc.dll
2010-07-11 15:48 . 2010-07-11 15:48 348160 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-53db4305-n\msvcr71.dll
2010-07-11 15:48 . 2010-07-11 15:48 61440 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5484e00e-n\decora-sse.dll
2010-07-11 15:48 . 2010-07-11 15:48 12800 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5484e00e-n\decora-d3d.dll
2010-07-11 15:48 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 15:45 . 2010-07-11 15:45 503808 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7220ae4a-n\msvcp71.dll
2010-07-11 15:45 . 2010-07-11 15:45 499712 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7220ae4a-n\jmc.dll
2010-07-11 15:45 . 2010-07-11 15:45 348160 ----a-w- c:\documents and settings\Frank\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7220ae4a-n\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 00:36 . 2009-05-31 15:46 -------- d-----w- c:\documents and settings\Frank\Application Data\skypePM
2010-07-23 00:36 . 2009-05-31 15:44 -------- d-----w- c:\documents and settings\Frank\Application Data\Skype
2010-07-23 00:24 . 2008-10-25 12:55 -------- d-----w- c:\program files\Free PDF to Word Doc Converter
2010-07-21 18:32 . 2007-04-01 15:45 -------- d-----w- c:\program files\Lx_cats
2010-07-21 12:26 . 2008-05-26 13:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 22:30 . 2007-04-01 16:32 -------- d-----w- c:\program files\Opera
2010-07-18 20:11 . 2007-04-01 14:01 -------- d-----w- c:\program files\Troubleshooting
2010-07-18 20:10 . 2003-03-31 12:00 24064 ----a-w- c:\windows\system32\ctfmon.exe
2010-07-17 15:29 . 2009-02-21 11:48 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-11 15:53 . 2010-07-17 15:29 142716 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-11 15:47 . 2007-04-07 18:27 -------- d-----w- c:\program files\Java
2010-07-11 15:35 . 2009-10-30 01:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-11 15:35 . 2009-05-31 15:44 -------- d-----r- c:\program files\Skype
2010-07-11 15:35 . 2008-06-30 16:07 -------- d-----w- c:\program files\RivaTuner v2.09
2010-07-11 15:30 . 2007-09-01 17:53 -------- d-----w- c:\program files\Coupons
2010-07-07 18:46 . 2008-01-28 13:48 -------- d-----w- c:\program files\Microsoft Home Publishing 2000
2010-06-20 01:42 . 2010-06-20 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-04 17:20 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2007-04-01 13:16 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-11-21 20:07 . 2007-11-21 20:07 2945816 ----a-w- c:\program files\dotnetfx3setup.exe
2007-04-10 18:05 . 2007-04-10 18:05 1037312 ----a-w- c:\program files\iview399.exe
.

------- Sigcheck -------

[-] 2010-07-18 20:10 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
[-] 2010-07-18 20:10 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2010-07-18 20:10 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-07-22_16.27.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-23 00:32 . 2010-07-23 00:32 16384 c:\windows\temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-17 06:24 40368 ----a-w- d:\adobe\AcrobatReader 8.1\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2010-07-18 20:10 24064 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
2001-12-20 13:42 35328 ----a-w- c:\progra~1\Logitech\MOUSEW~1\system\EM_EXEC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryCardManager]
2004-02-02 18:58 139264 ----a-w- c:\program files\Lexmark\Lexmark Precision Photo\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-01 10:23 67584 ----a-w- c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Troubleshooting\\SpywareBlaster\\spywareblaster.exe"=
"c:\documents and settings\Frank\Application Data\Facebook\facebook.exe"= c:\documents and settings\Frank\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\lmabcoms.exe"=
"c:\\Program Files\\Lexmark\\MarkVision Professional\\jre\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/11/2004 12:22 PM 77312]
R1 Ndisprot;RawPacket NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [10/24/2003 6:05 PM 22016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/29/2009 7:31 AM 108289]
R3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [4/1/2007 9:32 AM 46080]
R3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 3:55 PM 46536]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\System32\Drivers\sunkfilt6.sys --> c:\windows\System32\Drivers\sunkfilt6.sys [?]
S3 Usblink;Usblink Driver;c:\windows\system32\Drivers\ulink.sys --> c:\windows\system32\Drivers\ulink.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\Shutdown.job
- c:\windows\system32\shutdown.exe [2003-03-31 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-KMCONFIG - c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe
MSConfigStartUp-Nitro PDF Printer Monitor - c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
MSConfigStartUp-RivaTunerStartupDaemon - c:\program files\RivaTuner v2.09\RivaTuner.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 20:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3340)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\msiexec.exe
c:\program files\Lexmark\MarkVision Server\jre\bin\lexmvservice.exe
c:\program files\Lexmark\MarkVision Server\jre\bin\lexwebservice.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\sessmgr.exe
c:\windows\System32\locator.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-22 20:41:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-23 00:41
ComboFix2.txt 2010-07-22 16:29

Pre-Run: 21,925,081,088 bytes free
Post-Run: 21,959,925,760 bytes free

- - End Of File - - E11B41F79B0DB84A8BAF84A7292029FE

Part one:

OTL logfile created on: 7/22/2010 8:52:17 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Frank\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 20.49 Gb Free Space | 54.98% Space Free | Partition Type: NTFS
Drive D: | 111.78 Gb Total Space | 99.86 Gb Free Space | 89.34% Space Free | Partition Type: NTFS
Drive E: | 19.08 Gb Total Space | 8.68 Gb Free Space | 45.48% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FAMILYROOM
Current User Name: Frank
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/22 20:51:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL\OTL.exe
PRC - [2009/09/29 05:08:04 | 000,081,920 | ---- | M] () -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexWebService.exe
PRC - [2009/09/29 05:08:02 | 000,073,728 | ---- | M] () -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexMvService.exe
PRC - [2009/08/05 07:05:39 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/06/09 07:38:41 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/03/31 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/07/22 20:51:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/10/22 13:22:00 | 001,470,464 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2006/10/22 13:22:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2009/09/29 05:08:04 | 000,081,920 | ---- | M] () [Auto | Running] -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexWebService.exe -- (MvWebServer)
SRV - [2009/09/29 05:08:02 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexMvService.exe -- (MvServer)
SRV - [2009/08/05 07:05:39 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/06/09 07:38:41 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/14 05:42:38 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2006/12/16 08:05:38 | 000,508,848 | ---- | M] ( ) [Disabled | Stopped] -- C:\WINDOWS\System32\LMabcoms.exe -- (lmab_device)
SRV - [2004/02/20 15:04:24 | 000,421,888 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbscoms.exe -- (lxbs_device)
SRV - [2003/03/31 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\ulink.sys -- (Usblink)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfiltp.sys -- (Sunkfiltp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfilt6.sys -- (SunkFilt6)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/12/08 08:03:16 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/06/09 07:38:41 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/30 07:32:25 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2007/03/29 15:00:16 | 000,017,024 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFilter.SYS -- (KMWDFilter)
DRV - [2006/11/01 14:42:14 | 000,033,280 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2006/10/22 13:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/08/19 18:31:52 | 003,644,800 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/02/14 19:30:14 | 000,046,080 | ---- | M] (VIA Networking Technologies, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\getnd5bv.sys -- (GETND5BV)
DRV - [2004/07/23 15:55:50 | 000,046,536 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sunkfilt62.sys -- (SunkFilt62)
DRV - [2004/02/23 23:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxsens.sys -- (ALCXSENS)
DRV - [2003/10/31 07:22:38 | 000,077,312 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\viasraid.sys -- (viasraid)
DRV - [2003/10/24 18:05:58 | 000,022,016 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Ndisprot.sys -- (Ndisprot)
DRV - [2003/07/02 05:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2001/12/19 06:12:00 | 000,067,694 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.sys -- (LMouFlt2)
DRV - [2001/12/19 06:12:00 | 000,050,990 | ---- | M] (Logitech) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Pr2.sys -- (l8042pr2)
DRV - [2001/12/19 06:12:00 | 000,022,206 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS -- (LHidFlt2)
DRV - [2001/12/19 06:12:00 | 000,005,838 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LKbdFlt2.sys -- (LKbdFlt2)
DRV - [2001/07/18 14:52:18 | 000,145,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ICAM3D2.SYS -- (ICAM3NT5) Intel(r)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{F5E292AC-1E06-4F38-9052-D401A3C6C74B}: C:\Documents and Settings\Frank\Local Settings\Application Data\{F5E292AC-1E06-4F38-9052-D401A3C6C74B}
FF - HKLM\software\mozilla\Firefox\Extensions\\{EAB0A9B2-98CC-404D-8C6D-F01CCDC6749B}: C:\Documents and Settings\Brea\Local Settings\Application Data\{EAB0A9B2-98CC-404D-8C6D-F01CCDC6749B}\


O1 HOSTS File: ([2010/07/22 20:36:06 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [LXBSCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.DLL (Lexmark International, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsof...?1175446167015 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1270150183796 (MUWebControl Class)
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} http://aerial.leepa.org/ecwplugins/NCS.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} https://oca.microsoft.com/en/secure/ocarpt.CAB (OcarptMain Class)
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} https://ediagnostics.lexmark.com/serval.cab (Lexmark eDiagnostics Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/s...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/01 00:59:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/08/10 12:37:45 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69819349141028864)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/22 20:51:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\OTL
[2010/07/22 20:30:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/22 12:16:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/22 12:01:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/22 12:01:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/22 12:01:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/22 12:01:37 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/22 12:01:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/22 12:00:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/20 08:12:50 | 003,103,640 | ---- | C] (Javacool Software LLC ) -- C:\Documents and Settings\Frank\Desktop\spywareblastersetup43.exe
[2010/07/17 11:29:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/16 10:44:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Malwarebytes
[2010/07/16 10:44:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/16 10:44:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/16 10:44:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/16 10:44:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/16 10:42:21 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Frank\Desktop\mbam-setup-1.46.exe
[2010/07/12 16:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/11 12:48:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
[2010/07/11 12:47:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Designer
[2010/07/11 12:45:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ShellNew
[2010/07/11 11:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/11 11:48:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/11 09:12:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/11 07:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/11 07:52:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/30 17:57:29 | 000,000,000 | ---D | C] -- D:\Config.Msi
[2010/06/25 15:50:33 | 000,000,000 | ---D | C] -- D:\Home Insurance
[2010/06/19 21:45:40 | 027,386,256 | ---- | C] ( ) -- D:\AdbeRdr930_en_US.exe
[2010/06/19 21:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/05/22 18:39:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\Brea Photos
[2010/05/22 18:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\Lucas, Brea & Kids Visit 5-22-2010
[2010/02/16 23:51:00 | 000,368,640 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2010/01/21 01:32:22 | 001,204,224 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabserv.dll
[2010/01/21 01:32:22 | 001,056,768 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabip1.dll
[2010/01/21 01:32:22 | 000,987,136 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabusb1.dll
[2010/01/21 01:32:22 | 000,675,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabpmui.dll
[2010/01/21 01:32:22 | 000,614,400 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabcomc.dll
[2010/01/21 01:32:22 | 000,561,152 | ---- | C] ( ) -- C:\WINDOWS\System32\lmablmpm.dll
[2010/01/21 01:32:22 | 000,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabpar1.dll
[2010/01/21 01:32:22 | 000,507,904 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabhcp.dll
[2010/01/21 01:32:22 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabcomm.dll
[2010/01/21 01:32:22 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabinpa.dll
[2010/01/21 01:32:22 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabprox.dll
[2010/01/21 01:32:22 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabpplc.dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(9).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(8).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(7).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(6).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(5).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(4).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(3).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(2).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(11).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(10).dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/22 20:45:17 | 000,088,624 | ---- | M] () -- C:\Documents and Settings\Frank\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/22 20:36:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/22 20:36:11 | 000,088,601 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/22 20:36:06 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/22 20:32:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/22 20:32:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/22 20:30:52 | 008,650,752 | ---- | M] () -- C:\Documents and Settings\Frank\ntuser.dat
[2010/07/22 20:30:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Frank\ntuser.ini
[2010/07/22 12:16:26 | 000,000,271 | RHS- | M] () -- C:\boot.ini
[2010/07/22 11:54:32 | 003,741,002 | R--- | M] () -- C:\Documents and Settings\Frank\Desktop\ComboFix.exe
[2010/07/21 08:25:40 | 003,103,640 | ---- | M] (Javacool Software LLC ) -- C:\Documents and Settings\Frank\Desktop\spywareblastersetup43.exe
[2010/07/20 08:58:51 | 000,236,878 | ---- | M] () -- C:\untitled.JPG
[2010/07/19 15:53:23 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\OTL Malware Remover.url
[2010/07/19 12:22:26 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/18 16:10:47 | 000,024,064 | ---- | M] (Gerhard Schlager) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2010/07/18 16:10:47 | 000,024,064 | ---- | M] (Gerhard Schlager) -- C:\WINDOWS\System32\ctfmon.exe
[2010/07/18 16:08:44 | 000,000,879 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Hey.exe.lnk
[2010/07/18 11:57:05 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\HiThere.exe.lnk
[2010/07/18 11:55:23 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to HiThere.exe.lnk
[2010/07/17 11:29:11 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/17 07:39:13 | 000,013,756 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/16 19:57:40 | 000,001,599 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Command Prompt.lnk
[2010/07/16 10:42:47 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Frank\Desktop\mbam-setup-1.46.exe
[2010/07/11 12:48:50 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/07/11 12:37:29 | 000,000,481 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\lucasj24's photos and albums on webshots.url
[2010/07/11 11:21:43 | 000,000,679 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/11 11:21:43 | 000,000,201 | ---- | M] () -- C:\Boot.bak
[2010/07/07 15:14:46 | 000,030,208 | ---- | M] () -- D:\Doc3.doc
[2010/06/30 17:57:38 | 000,001,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/06/27 08:35:12 | 000,012,663 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\G&T house.jpg
[2010/06/25 16:36:02 | 000,024,064 | ---- | M] () -- D:\BirthCertificateRequest.doc
[2010/06/23 08:36:50 | 000,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 08:36:50 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 08:36:50 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/20 14:07:09 | 000,029,696 | ---- | M] () -- D:\GENERAL INFORMATION.doc
[2010/06/19 21:45:40 | 027,386,256 | ---- | M] ( ) -- D:\AdbeRdr930_en_US.exe
[2010/06/12 06:40:33 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/28 16:49:56 | 003,492,112 | ---- | M] () -- D:\APPLICATION.pdf
[2010/05/28 08:57:22 | 000,000,067 | ---- | M] () -- C:\WINDOWS\System32\everest_cpl.ini
[2010/05/09 11:55:44 | 002,748,300 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Pooltime May 2010.JPG
[2010/05/09 11:54:38 | 000,000,431 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to DSCF4331.JPG.lnk
[2010/05/08 10:57:44 | 001,335,391 | ---- | M] () -- D:\DSCF4331.JPG
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/22 12:16:25 | 000,000,201 | ---- | C] () -- C:\Boot.bak
[2010/07/22 12:16:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/22 12:01:37 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/22 12:01:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/22 12:01:37 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/22 12:01:37 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/22 12:01:37 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/22 11:54:18 | 003,741,002 | R--- | C] () -- C:\Documents and Settings\Frank\Desktop\ComboFix.exe
[2010/07/20 08:58:51 | 000,236,878 | ---- | C] () -- C:\untitled.JPG
[2010/07/19 15:53:01 | 000,000,177 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\OTL Malware Remover.url
[2010/07/18 11:57:05 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\HiThere.exe.lnk
[2010/07/18 11:55:23 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to HiThere.exe.lnk
[2010/07/16 10:38:49 | 000,000,879 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Hey.exe.lnk
[2010/07/07 15:03:37 | 000,030,208 | ---- | C] () -- D:\Doc3.doc
[2010/06/27 08:36:11 | 000,012,663 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\G&T house.jpg
[2010/06/25 16:36:02 | 000,024,064 | ---- | C] () -- D:\BirthCertificateRequest.doc
[2010/06/20 14:07:08 | 000,029,696 | ---- | C] () -- D:\GENERAL INFORMATION.doc
[2010/05/28 16:49:46 | 003,492,112 | ---- | C] () -- D:\APPLICATION.pdf
[2010/05/09 11:55:43 | 002,748,300 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Pooltime May 2010.JPG
[2010/05/09 11:54:38 | 000,000,431 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to DSCF4331.JPG.lnk
[2010/05/09 11:54:25 | 001,335,391 | ---- | C] () -- D:\DSCF4331.JPG
[2009/11/02 19:13:28 | 000,399,872 | ---- | C] () -- C:\WINDOWS\c4dstand.dll
[2009/11/02 19:13:28 | 000,000,050 | ---- | C] () -- C:\WINDOWS\app.ini
[2009/11/02 19:12:46 | 000,003,362 | ---- | C] () -- C:\WINDOWS\LKMHDemo.ini
[2009/11/02 19:12:46 | 000,000,304 | ---- | C] () -- C:\WINDOWS\LKMH_Demo_Cfg.ini
[2009/03/24 19:15:21 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/03/24 19:14:46 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/03/24 19:14:46 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/02/17 19:53:47 | 000,001,456 | R--- | C] () -- C:\WINDOWS\System32\lxbsprod.ini
[2009/02/17 19:53:38 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbsvs.dll
[2008/10/25 08:56:53 | 000,000,327 | ---- | C] () -- C:\WINDOWS\System32\winpdf.ini
[2008/08/19 14:12:10 | 000,000,075 | ---- | C] () -- C:\WINDOWS\USBBC.ini
[2008/08/19 14:12:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MDI.INI
[2007/08/01 20:37:11 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/22 17:55:44 | 000,000,074 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2007/06/02 15:46:31 | 000,000,371 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2007/04/03 15:10:30 | 000,000,067 | ---- | C] () -- C:\WINDOWS\System32\everest_cpl.ini
[2007/04/03 09:08:53 | 000,006,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ALLOW-IO.SYS
[2007/04/02 06:47:46 | 000,109,056 | ---- | C] () -- C:\WINDOWS\System32\LGUICOM.DLL
[2007/04/02 06:47:46 | 000,000,488 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2007/04/01 11:06:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/01 10:39:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2007/04/01 10:14:27 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/04/01 09:32:38 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/04/01 09:25:55 | 000,156,672 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/04/01 09:25:50 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/10/22 13:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 13:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 13:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 13:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 13:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/03/01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini

========== LOP Check ==========

[2008/10/25 09:31:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2009/03/24 19:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/07/05 19:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2010/07/21 08:26:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/22 14:51:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Facebook
[2008/10/25 09:32:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Nitro PDF
[2008/09/07 11:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Opera
[2009/03/24 19:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\pdf995
[2007/10/14 10:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Snapfish
[2009/07/05 19:29:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\TaxCut
[2007/12/23 11:29:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\TERMINAL Studio
[2008/02/15 18:48:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Walgreens
[2009/09/24 08:48:56 | 000,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\Shutdown.job

========== Purity Check ==========



========== Custom Scans ==========


< &#37;SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

Here's the third half of OTL.txt :D

< MD5 for: ATAPI.SYS >
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIASRAID.SYS >
[2003/10/31 07:22:38 | 000,077,312 | ---- | M] (VIA Technologies inc,.ltd) MD5=EBE101C01D80A42868F57B327BE1B564 -- C:\WINDOWS\OemDir\viasraid.sys
[2003/10/31 07:22:38 | 000,077,312 | ---- | M] (VIA Technologies inc,.ltd) MD5=EBE101C01D80A42868F57B327BE1B564 -- C:\WINDOWS\system32\drivers\viasraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\System32\config\*.sav >
[2007/03/31 19:38:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/03/31 19:38:24 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/03/31 19:38:24 | 000,421,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\shutdown.exe:SummaryInformation
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8BB2EC84
< End of report >

I've tried four times to post Extras.txt in both Opera and IE, but each time I click Post Quick Reply the browser crashes - don't know if there's code in it the browser has trouble swallowing. I'm attaching it in .zip format instead. FYI.

In case I didn't already mention it, system is XP Home w/SP3, all updates through last week. Have not been able to update anything Windows since this started, although Avira indicates it has updated today.. Also, I didn't install SteelWerX on the computer. From what I have seen so far about it, that might be my bad boy right there.

Feel free to ask any questions about the system configuration I haven't already answered.

Those logs look ok. Just do the following and then see how the pc is.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Code:

  ---

  
:Commands
[emptyflash]
[emptytemp]
[resethosts]
[Reboot]

  ---

• Then click the Run Fix button at the top.
• Let the program run unhindered, reboot the PC when it is done.
• Post the log from this run.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Might want to do a Kaspersky on-line scan too pop.

Quote:

---

Originally Posted by lgbpop

In case I didn't already mention it, system is XP Home w/SP3, all updates through last week. Have not been able to update anything Windows since this started, although Avira indicates it has updated today.. Also, I didn't install SteelWerX on the computer. From what I have seen so far about it, that might be my bad boy right there.

Feel free to ask any questions about the system configuration I haven't already answered.

---

Can you uninstall steelwerx from add/remove?

No. If it's actually present I bet it's loaded each boot from a Registry entry. No uninstaller and no shortcut to it in the Startup folder.

Add this to the OTL fix pop;

:OTL
[2010/07/22 12:01:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/22 12:01:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/22 12:01:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe


Put it above the other entries.

EDIT. Looks to be a registry tool written by an anti-malware software writer.

I already moved those executables to the Recycle Bin so I could see what happens on the next boot. If need be I can restore them and let OTL do the moving, but it should work this way I bet. Here's the Fix log; new scan log will follow. BTW, just got two popup pages on new windows as I write this....:(

All processes killed
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Brea
->Flash cache emptied: 6051 bytes

User: Default User
->Flash cache emptied: 41 bytes

User: Frank
->Flash cache emptied: 154064 bytes

User: LocalService
->Flash cache emptied: 7646 bytes

User: Micah

User: NetworkService
->Flash cache emptied: 29356 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Brea
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 29001 bytes
->Opera cache emptied: 10524761 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Frank
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 15364779 bytes
->Java cache emptied: 40996004 bytes
->Opera cache emptied: 74358880 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 884870 bytes
->Flash cache emptied: 0 bytes

User: Micah
->Temp folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 2429 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 542208 bytes

Total Files Cleaned = 139.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.1 log created on 07222010_230820
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

latest scan log:

OTL logfile created on: 7/22/2010 11:24:05 PM - Run 3
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Frank\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00&#37; Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 20.59 Gb Free Space | 55.26% Space Free | Partition Type: NTFS
Drive D: | 111.78 Gb Total Space | 99.86 Gb Free Space | 89.34% Space Free | Partition Type: NTFS
Drive E: | 19.08 Gb Total Space | 8.68 Gb Free Space | 45.49% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FAMILYROOM
Current User Name: Frank
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/22 20:51:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL\OTL.exe
PRC - [2009/09/29 05:08:04 | 000,081,920 | ---- | M] () -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexWebService.exe
PRC - [2009/09/29 05:08:02 | 000,073,728 | ---- | M] () -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexMvService.exe
PRC - [2009/08/05 07:05:39 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/06/09 07:38:41 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/03/31 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/07/22 20:51:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/10/22 13:22:00 | 001,470,464 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2006/10/22 13:22:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2009/09/29 05:08:04 | 000,081,920 | ---- | M] () [Auto | Running] -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexWebService.exe -- (MvWebServer)
SRV - [2009/09/29 05:08:02 | 000,073,728 | ---- | M] () [Auto | Running] -- C:\Program Files\Lexmark\MarkVision Server\jre\bin\LexMvService.exe -- (MvServer)
SRV - [2009/08/05 07:05:39 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/06/09 07:38:41 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/14 05:42:38 | 000,033,280 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2006/12/16 08:05:38 | 000,508,848 | ---- | M] ( ) [Disabled | Stopped] -- C:\WINDOWS\System32\LMabcoms.exe -- (lmab_device)
SRV - [2004/02/20 15:04:24 | 000,421,888 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbscoms.exe -- (lxbs_device)
SRV - [2003/03/31 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\ulink.sys -- (Usblink)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfiltp.sys -- (Sunkfiltp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfilt6.sys -- (SunkFilt6)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/12/08 08:03:16 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/06/09 07:38:41 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/30 07:32:25 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2007/03/29 15:00:16 | 000,017,024 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\KMWDFilter.SYS -- (KMWDFilter)
DRV - [2006/11/01 14:42:14 | 000,033,280 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2006/10/22 13:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/08/19 18:31:52 | 003,644,800 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/02/14 19:30:14 | 000,046,080 | ---- | M] (VIA Networking Technologies, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\getnd5bv.sys -- (GETND5BV)
DRV - [2004/07/23 15:55:50 | 000,046,536 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sunkfilt62.sys -- (SunkFilt62)
DRV - [2004/02/23 23:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxsens.sys -- (ALCXSENS)
DRV - [2003/10/31 07:22:38 | 000,077,312 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\viasraid.sys -- (viasraid)
DRV - [2003/10/24 18:05:58 | 000,022,016 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Ndisprot.sys -- (Ndisprot)
DRV - [2003/07/02 05:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2001/12/19 06:12:00 | 000,067,694 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.sys -- (LMouFlt2)
DRV - [2001/12/19 06:12:00 | 000,050,990 | ---- | M] (Logitech) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Pr2.sys -- (l8042pr2)
DRV - [2001/12/19 06:12:00 | 000,022,206 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS -- (LHidFlt2)
DRV - [2001/12/19 06:12:00 | 000,005,838 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LKbdFlt2.sys -- (LKbdFlt2)
DRV - [2001/07/18 14:52:18 | 000,145,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ICAM3D2.SYS -- (ICAM3NT5) Intel(r)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={sear...e=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{F5E292AC-1E06-4F38-9052-D401A3C6C74B}: C:\Documents and Settings\Frank\Local Settings\Application Data\{F5E292AC-1E06-4F38-9052-D401A3C6C74B}
FF - HKLM\software\mozilla\Firefox\Extensions\\{EAB0A9B2-98CC-404D-8C6D-F01CCDC6749B}: C:\Documents and Settings\Brea\Local Settings\Application Data\{EAB0A9B2-98CC-404D-8C6D-F01CCDC6749B}\


O1 HOSTS File: ([2010/07/22 23:09:11 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [LXBSCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.DLL (Lexmark International, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsof...?1175446167015 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1270150183796 (MUWebControl Class)
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} http://aerial.leepa.org/ecwplugins/NCS.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} https://oca.microsoft.com/en/secure/ocarpt.CAB (OcarptMain Class)
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} https://ediagnostics.lexmark.com/serval.cab (Lexmark eDiagnostics Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/s...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01...l/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/01 00:59:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/08/10 12:37:45 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/22 23:08:20 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/22 22:56:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/22 20:51:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\OTL
[2010/07/22 20:30:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/22 12:16:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/22 12:01:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/22 12:00:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/20 08:12:50 | 003,103,640 | ---- | C] (Javacool Software LLC ) -- C:\Documents and Settings\Frank\Desktop\spywareblastersetup43.exe
[2010/07/17 11:29:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/16 10:44:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Malwarebytes
[2010/07/16 10:44:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/16 10:44:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/16 10:44:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/16 10:44:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/16 10:42:21 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Frank\Desktop\mbam-setup-1.46.exe
[2010/07/12 16:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/11 12:48:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
[2010/07/11 12:47:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Designer
[2010/07/11 12:45:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ShellNew
[2010/07/11 11:48:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/11 11:48:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/11 09:12:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/11 07:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/11 07:52:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/30 17:57:29 | 000,000,000 | ---D | C] -- D:\Config.Msi
[2010/06/25 15:50:33 | 000,000,000 | ---D | C] -- D:\Home Insurance
[2010/06/19 21:45:40 | 027,386,256 | ---- | C] ( ) -- D:\AdbeRdr930_en_US.exe
[2010/06/19 21:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/05/22 18:39:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\Brea Photos
[2010/05/22 18:20:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop\Lucas, Brea & Kids Visit 5-22-2010
[2010/02/16 23:51:00 | 000,368,640 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2010/01/21 01:32:22 | 001,204,224 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabserv.dll
[2010/01/21 01:32:22 | 001,056,768 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabip1.dll
[2010/01/21 01:32:22 | 000,987,136 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabusb1.dll
[2010/01/21 01:32:22 | 000,675,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabpmui.dll
[2010/01/21 01:32:22 | 000,614,400 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabcomc.dll
[2010/01/21 01:32:22 | 000,561,152 | ---- | C] ( ) -- C:\WINDOWS\System32\lmablmpm.dll
[2010/01/21 01:32:22 | 000,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabpar1.dll
[2010/01/21 01:32:22 | 000,507,904 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabhcp.dll
[2010/01/21 01:32:22 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabcomm.dll
[2010/01/21 01:32:22 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabinpa.dll
[2010/01/21 01:32:22 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabprox.dll
[2010/01/21 01:32:22 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lmabpplc.dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(9).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(8).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(7).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(6).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(5).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(4).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(3).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(2).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(11).dll
[2007/04/01 11:44:56 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxbslmpm(10).dll

========== Files - Modified Within 90 Days ==========

[2010/07/22 23:26:32 | 008,912,896 | ---- | M] () -- C:\Documents and Settings\Frank\ntuser.dat
[2010/07/22 23:18:47 | 000,088,601 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/22 23:10:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/22 23:10:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/22 23:09:25 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Frank\ntuser.ini
[2010/07/22 23:09:11 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/22 20:45:17 | 000,088,624 | ---- | M] () -- C:\Documents and Settings\Frank\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/22 20:36:43 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/22 12:16:26 | 000,000,271 | RHS- | M] () -- C:\boot.ini
[2010/07/22 11:54:32 | 003,741,002 | R--- | M] () -- C:\Documents and Settings\Frank\Desktop\ComboFix.exe
[2010/07/21 08:25:40 | 003,103,640 | ---- | M] (Javacool Software LLC ) -- C:\Documents and Settings\Frank\Desktop\spywareblastersetup43.exe
[2010/07/20 08:58:51 | 000,236,878 | ---- | M] () -- C:\untitled.JPG
[2010/07/19 15:53:23 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\OTL Malware Remover.url
[2010/07/19 12:22:26 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/18 16:10:47 | 000,024,064 | ---- | M] (Gerhard Schlager) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2010/07/18 16:10:47 | 000,024,064 | ---- | M] (Gerhard Schlager) -- C:\WINDOWS\System32\ctfmon.exe
[2010/07/18 16:08:44 | 000,000,879 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Hey.exe.lnk
[2010/07/18 11:57:05 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\HiThere.exe.lnk
[2010/07/18 11:55:23 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to HiThere.exe.lnk
[2010/07/17 11:29:11 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/17 07:39:13 | 000,013,756 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/16 19:57:40 | 000,001,599 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Command Prompt.lnk
[2010/07/16 10:42:47 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Frank\Desktop\mbam-setup-1.46.exe
[2010/07/11 12:48:50 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/07/11 12:37:29 | 000,000,481 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\lucasj24's photos and albums on webshots.url
[2010/07/11 11:21:43 | 000,000,679 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/11 11:21:43 | 000,000,201 | ---- | M] () -- C:\Boot.bak
[2010/07/07 15:14:46 | 000,030,208 | ---- | M] () -- D:\Doc3.doc
[2010/06/30 17:57:38 | 000,001,569 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2010/06/27 08:35:12 | 000,012,663 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\G&T house.jpg
[2010/06/25 16:36:02 | 000,024,064 | ---- | M] () -- D:\BirthCertificateRequest.doc
[2010/06/23 08:36:50 | 000,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/23 08:36:50 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/23 08:36:50 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/20 14:07:09 | 000,029,696 | ---- | M] () -- D:\GENERAL INFORMATION.doc
[2010/06/19 21:45:40 | 027,386,256 | ---- | M] ( ) -- D:\AdbeRdr930_en_US.exe
[2010/06/12 06:40:33 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/28 16:49:56 | 003,492,112 | ---- | M] () -- D:\APPLICATION.pdf
[2010/05/28 08:57:22 | 000,000,067 | ---- | M] () -- C:\WINDOWS\System32\everest_cpl.ini
[2010/05/09 11:55:44 | 002,748,300 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Pooltime May 2010.JPG
[2010/05/09 11:54:38 | 000,000,431 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to DSCF4331.JPG.lnk
[2010/05/08 10:57:44 | 001,335,391 | ---- | M] () -- D:\DSCF4331.JPG
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== Files Created - No Company Name ==========

[2010/07/22 12:16:25 | 000,000,201 | ---- | C] () -- C:\Boot.bak
[2010/07/22 12:16:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/22 12:01:37 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/22 12:01:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/22 12:01:37 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/22 12:01:37 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/22 12:01:37 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/22 11:54:18 | 003,741,002 | R--- | C] () -- C:\Documents and Settings\Frank\Desktop\ComboFix.exe
[2010/07/20 08:58:51 | 000,236,878 | ---- | C] () -- C:\untitled.JPG
[2010/07/19 15:53:01 | 000,000,177 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\OTL Malware Remover.url
[2010/07/18 11:57:05 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\HiThere.exe.lnk
[2010/07/18 11:55:23 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to HiThere.exe.lnk
[2010/07/16 10:38:49 | 000,000,879 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Hey.exe.lnk
[2010/07/07 15:03:37 | 000,030,208 | ---- | C] () -- D:\Doc3.doc
[2010/06/27 08:36:11 | 000,012,663 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\G&T house.jpg
[2010/06/25 16:36:02 | 000,024,064 | ---- | C] () -- D:\BirthCertificateRequest.doc
[2010/06/20 14:07:08 | 000,029,696 | ---- | C] () -- D:\GENERAL INFORMATION.doc
[2010/05/28 16:49:46 | 003,492,112 | ---- | C] () -- D:\APPLICATION.pdf
[2010/05/09 11:55:43 | 002,748,300 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Pooltime May 2010.JPG
[2010/05/09 11:54:38 | 000,000,431 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Shortcut to DSCF4331.JPG.lnk
[2010/05/09 11:54:25 | 001,335,391 | ---- | C] () -- D:\DSCF4331.JPG
[2009/11/02 19:13:28 | 000,399,872 | ---- | C] () -- C:\WINDOWS\c4dstand.dll
[2009/11/02 19:13:28 | 000,000,050 | ---- | C] () -- C:\WINDOWS\app.ini
[2009/11/02 19:12:46 | 000,003,362 | ---- | C] () -- C:\WINDOWS\LKMHDemo.ini
[2009/11/02 19:12:46 | 000,000,304 | ---- | C] () -- C:\WINDOWS\LKMH_Demo_Cfg.ini
[2009/03/24 19:15:21 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/03/24 19:14:46 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/03/24 19:14:46 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/02/17 19:53:47 | 000,001,456 | R--- | C] () -- C:\WINDOWS\System32\lxbsprod.ini
[2009/02/17 19:53:38 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbsvs.dll
[2008/10/25 08:56:53 | 000,000,327 | ---- | C] () -- C:\WINDOWS\System32\winpdf.ini
[2008/08/19 14:12:10 | 000,000,075 | ---- | C] () -- C:\WINDOWS\USBBC.ini
[2008/08/19 14:12:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MDI.INI
[2007/08/01 20:37:11 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/22 17:55:44 | 000,000,074 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2007/06/02 15:46:31 | 000,000,371 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2007/04/03 15:10:30 | 000,000,067 | ---- | C] () -- C:\WINDOWS\System32\everest_cpl.ini
[2007/04/03 09:08:53 | 000,006,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ALLOW-IO.SYS
[2007/04/02 06:47:46 | 000,109,056 | ---- | C] () -- C:\WINDOWS\System32\LGUICOM.DLL
[2007/04/02 06:47:46 | 000,000,488 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2007/04/01 11:06:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/01 10:39:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2007/04/01 10:14:27 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/04/01 09:32:38 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2007/04/01 09:25:55 | 000,156,672 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/04/01 09:25:50 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/10/22 13:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 13:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 13:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 13:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 13:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/03/01 15:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini

========== LOP Check ==========

[2008/10/25 09:31:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2009/03/24 19:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/07/05 19:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2010/07/21 08:26:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/22 14:51:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Facebook
[2008/10/25 09:32:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Nitro PDF
[2008/09/07 11:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Opera
[2009/03/24 19:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\pdf995
[2007/10/14 10:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Snapfish
[2009/07/05 19:29:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\TaxCut
[2007/12/23 11:29:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\TERMINAL Studio
[2008/02/15 18:48:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Walgreens
[2009/09/24 08:48:56 | 000,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\Shutdown.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\shutdown.exe:SummaryInformation
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8BB2EC84
< End of report >